Devouring Security

Marudhamaran Gunasekaran

XML Attack surface and Defences

Overreacting to Risk

I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? A few ounces distributed amongst 38 million gallons is negligible.

- Bruce Schneier

https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html

Disclaimer

Techniques and Tools in this presentation should be used or applied on an application, only with prior consent of the application’s owner. Illegal otherwise.

Xml today

• Network protocols – SOAP, XMLRPC, REST• Data exchange – modern databases• Configuration files – java beans, .net config ..• Document/image formats – SVG, RSS, Atom

Xml injection demo

http://XmlAttacks:8080/WebGoat/attack

Xpath Injection Anatomy

Blind Xpath Injection exists as well

https://www.owasp.org/index.php/Blind_XPath_Injection http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf

More:

Mitigations

•Rejecting requests based on Xpath < > / ' = “

•Variables with Xslttransformation

•Linq to Xml without Xpath queries (.Net)

•Xquery implementations (Saxon parser for Java & .Net)

Java Xpath injection mitigation with XPathVariableResolver (Java)

Rejecting requests based on Xpath < > / ' = “

Variables with Xslttransformation

Linq to Xml without Xpath queries (.Net)

Xquery implementations (Saxon parser for Java & .Net)

Java Xpath injection mitigation with XPathVariableResolver (Java)

Xpath with Variables

Java Xpath injection mitigation with IXsltContextVariable (.Net)

Xpath with Variables

Java Xpath injection mitigation with IXsltContextVariable (.Net)

Xpath with Variables

Xpath injection mitigation with Input filtering

Xpath injection mitigation with Linq to Xml (.Net)

Linq to Xml: Xpath injection vulnerable

Linq to Xml: Xpath injection proof

DTDs

• Document Type Definition

Document Type Definition

Entity Declarations

http://www.xmlmaster.org/en/article/d01/c03/

Billion Laughs (aka Xml Bomb)

http://en.wikipedia.org/wiki/Billion_laughs

Billion Laughs (Demo)

External Entity Expansions

http://msdn.microsoft.com/en-us/magazine/ee335713.aspx

<!ENTITY stockprice SYSTEM "http://www.contoso.com/currentstockprice.ashx">

public class DoS : IHttpHandler { public void ProcessRequest(HttpContext context) { context.Response.ContentType = "text/plain"; byte[] data = new byte[1000000]; for (int i = 0; i < data.Length; i++) { data[i] = (byte)'A'; } while (true) { context.Response.OutputStream.Write(data, 0, data.Length); context.Response.Flush(); } }

public bool IsReusable { get { return false; } } }

External Entity expansion mitigation (.Net)

XmlDocument xmlDoc = new XmlDocument();

XmlTextReader reader = new XmlTextReader(new MemoryStream(Encoding.UTF8.GetBytes(xmlInput))); reader.ProhibitDtd = true;

Mitigated:

Potentially Vulnerable:

XmlDocument xmlDoc = new XmlDocument(); xmlDoc.LoadXml(xmlInput);

External Entity expansion mitigation (JAXP)

Directory browsing and file access (JAXB)

import javax.xml.bind.*;import javax.xml.stream.*;import javax.xml.transform.stream.StreamSource; public class Demo {  public static void main(String[] args) throws Exception { JAXBContext jc = JAXBContext.newInstance(Customer.class);  XMLInputFactory xif = XMLInputFactory.newFactory(); xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); xif.setProperty(XMLInputFactory.SUPPORT_DTD, false); XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource("src/xxe/input.xml"));  Unmarshaller unmarshaller = jc.createUnmarshaller(); Customer customer = (Customer) unmarshaller.unmarshal(xsr);  Marshaller marshaller = jc.createMarshaller(); marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); marshaller.marshal(customer, System.out); } }

More: http://stackoverflow.com/questions/12977299/preven-xxe-attack-with-jaxb

DOS attack and safe/vulnerable .Net versions

.Net framework 2.0.50727.5477 or higher

.Net framework 4.0.30319.34011 or higher

.Net framework 2.0.50727.5420 or lower

.Net framework 4.0.30319.1 or lower

.Net framework 2.0 - Revision 5420 to 5476 -- Safe/Vulnerable?

.Net framework 4.0 - Revision 1 to 34010 -- Safe/Vulnerable?

Lessons learned

1. Keeping your operating systems and frameworks up to date

2. Don’t let your server headers reveal too much information

3. Be vigilant about the framework’s default settings

References / Further reading

• http://www.lynda.com/XML-tutorials/Understanding-XML-usage-today/782/47912-4.html

• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3925

• http://secpod.org/blog/?p=1337

• http://2013.appsecusa.org/2013/wp-content/uploads/2013/12/WhatYouDidntKnowAboutXXEAttacks.pdf

• https://www.owasp.org/index.php/XPATH_Injection_Java

• https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61407250

• http://www.xmlmaster.org/en/article/d01/c03/