Web Application Penetration Testing
Testing for XML Injection (OTG-INPVAL-008)
Summary
XML Injection testing is when a tester tries to inject an XML document into the application. If the XML parser fails to contextually validate the data, the test yields a positive result.
This section describes practical examples of XML Injection. First, an XML-style communication is defined and its working principles explained. Then the discovery method is described, in which the tester tries to insert XML metacharacters. Once that step is accomplished the tester has some information about the XML structure, so it becomes possible to try to inject XML data and tags (Tag Injection).
How to Test
Let's suppose there is a web application using an XML-style communication in order to perform user registration. This is done by creating a new node and adding it to an xmlDb file.
Let's suppose the xmlDB file is like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
  <user>
    <username>gandalf</username>
    <password>!c3</password>
    <userid>0</userid>
    <mail>gandalf@middleearth.com</mail>
  </user>
  <user>
    <username>Stefan0</username>
    <password>w1s3c</password>
    <userid>500</userid>
    <mail>Stefan0@whysec.hmm</mail>
  </user>
</users>
When a user registers by filling in an HTML form, the application receives the user's data in a standard request which, for the sake of simplicity, we will suppose is sent as a GET request.
For example, the following values:
Username: tony
Password: Un6R34kb!e
E-mail: s4tan@hell.com
will produce the request:
http://www.example.com/addUser.php?username=tony&password=Un6R34kb!e&email=s4tan@hell.com
The application then builds the following node:
<user>
  <username>tony</username>
  <password>Un6R34kb!e</password>
  <userid>500</userid>
  <mail>s4tan@hell.com</mail>
</user>
which will be added to the xmlDB:
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
  <user>
    <username>gandalf</username>
    <password>!c3</password>
    <userid>0</userid>
    <mail>gandalf@middleearth.com</mail>
  </user>
  <user>
    <username>Stefan0</username>
    <password>w1s3c</password>
    <userid>500</userid>
    <mail>Stefan0@whysec.hmm</mail>
  </user>
  <user>
    <username>tony</username>
    <password>Un6R34kb!e</password>
    <userid>500</userid>
    <mail>s4tan@hell.com</mail>
  </user>
</users>
Discovery
The first step in testing an application for the presence of an XML Injection vulnerability consists of trying to insert XML metacharacters.
XML metacharacters are:
• Single quote: ' - When not sanitized, this character can cause the XML parser to throw an exception if the injected value ends up inside an attribute value in a tag.
As an example, let's suppose there is the following attribute:
<node attrib='$inputValue'/>
So, if:
inputValue = foo'
is instantiated and then inserted as the attrib value:
<node attrib='foo''/>
then the resulting XML document is not well formed.
• Double quote: " - This character has the same meaning as the single quote and is the one to use if the attribute value is enclosed in double quotes.
So if:
<node attrib="$inputValue"/>
$inputValue = foo"
the substitution gives:
<node attrib="foo""/>
and the resulting XML document is not well formed, so the parser rejects it.
• Angular parentheses: > and < - By adding an open or closed angular parenthesis to a user input like the following:
Username = foo<
the application will build a new node:
foo
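The registration flow and the metacharacter probes described above, as an added example that is not code from the OWASP Testing Guide: a small Python model of the addUser.php handler that pastes request values straight into a `<user>` node the way the text describes, the same node built through the XML API instead, and a discovery routine that feeds each metacharacter into both the element context (the username value) and the attribute context (`<node attrib='...'/>`) and reports which probes the parser rejects. The xmlDB text is a constructed sample following the page's layout; the function names and the choice of Python's `xml.etree.ElementTree` as the parser are my assumptions.

```python
# Added example, not code from the OWASP Testing Guide. Models the addUser.php
# handler described above and runs the Discovery probes against it offline.
# Element names follow the page; the xmlDB below is a constructed sample.
import xml.etree.ElementTree as ET

XML_DB = """<users>
  <user>
    <username>gandalf</username>
    <password>!c3</password>
    <userid>0</userid>
    <mail>gandalf@middleearth.com</mail>
  </user>
</users>
"""

# Metacharacters the Discovery step injects, one per request.
PROBES = ("foo", "foo'", 'foo"', "foo<", "foo>")


def build_user_node_unsafe(username, password, userid, mail):
    """Vulnerable builder: request values are pasted straight into markup."""
    return (
        f"<user><username>{username}</username>"
        f"<password>{password}</password>"
        f"<userid>{userid}</userid>"
        f"<mail>{mail}</mail></user>"
    )


def build_user_node_safe(username, password, userid, mail):
    """Same node built through the XML API, which escapes <, > and & in text."""
    user = ET.Element("user")
    for tag, value in (("username", username), ("password", password),
                       ("userid", str(userid)), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(user, encoding="unicode")


def build_attrib_node_unsafe(input_value, quote="'"):
    """Attribute context from the page: <node attrib='$inputValue'/>."""
    return f"<node attrib={quote}{input_value}{quote}/>"


def is_well_formed(fragment):
    """True if the parser accepts the fragment; False is the positive finding."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


def read_username(fragment):
    """Parses a <user> node and returns the username text it carries."""
    return ET.fromstring(fragment).find("username").text


def add_user_unsafe(db_xml, username, password, userid, mail):
    """Appends a concatenated node to the xmlDB text and re-parses the result."""
    node = build_user_node_unsafe(username, password, userid, mail)
    updated = db_xml.replace("</users>", node + "</users>")
    return updated, is_well_formed(updated)


def run_discovery(node_builder):
    """Feeds every probe through a builder and records which ones still parse."""
    return {p: is_well_formed(node_builder(p)) for p in PROBES}


def discover_element_context():
    """Probes landing in element text, as the username parameter does."""
    return run_discovery(lambda p: build_user_node_unsafe(p, "x", 500, "a@b.c"))


def discover_attribute_context(quote="'"):
    """Probes landing inside an attribute value delimited by `quote`."""
    return run_discovery(lambda p: build_attrib_node_unsafe(p, quote))


if __name__ == "__main__":
    print("element text    :", discover_element_context())
    print("attribute, '    :", discover_attribute_context("'"))
    print('attribute, "    :', discover_attribute_context('"'))
    db, ok = add_user_unsafe(XML_DB, "tony", "Un6R34kb!e", 500, "s4tan@hell.com")
    print("tony added, xmlDB still well formed:", ok)
    safe = build_user_node_safe("foo<", "x", 500, "a@b.c")
    print("API-built node:", safe, "-> username reads back as", read_username(safe))
```

A probe for which `is_well_formed` returns False is the positive result the Discovery step looks for. The run also shows an asymmetry worth knowing before reading a parser error as a finding: in element text only `<` breaks well-formedness (a lone `>` is legal character data, as are both quote characters), while inside an attribute the quote that delimits the value and `<` are rejected and the other quote is harmless, so the quoting style of the target attribute decides whether `'` or `"` is the useful probe. `build_user_node_safe` shows the fix: built through the parser's own API, `foo<` is serialised as `foo&lt;` and reads back as the original string.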