135 Web Application Penetration Testing

is well formed and valid, and represents the '<' character.

To include a string such as '<foo>' inside a text node, a CDATA section may be used:

    <node>
      <![CDATA[<foo>]]>
    </node>

so that '<foo>' won't be parsed as markup and will be considered as character data.

If a node is built in the following way:

    <username><![CDATA[$userName]]></username>

the tester could try to inject the end CDATA string ']]>' in order to try to invalidate the XML document:

    userName = ]]>

This will become:

    <username><![CDATA[]]>]]></username>

which is not a valid XML fragment: the injected ']]>' closes the CDATA section early, and the second ']]>' then appears as ordinary element content, where XML forbids it.

Another test is related to the CDATA tag. Suppose that the XML document is processed to generate an HTML page. In this case, the CDATA section delimiters may simply be eliminated, without further inspection of their contents. Then it is possible to inject HTML tags, which will be included in the generated page, completely bypassing existing sanitization routines.

Let's consider a concrete example. Suppose we have a node containing some text that will be displayed back to the user:

    <html>
      $HTMLCode
    </html>

Then an attacker can provide the following input:

    $HTMLCode = <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>

and obtain the following node:

    <html>
      <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
    </html>

During the processing, the CDATA section delimiters are eliminated, generating the following HTML code:

    <script>
      alert('xss')
    </script>

The result is that the application is vulnerable to XSS.

External Entity:

The set of valid entities can be extended by defining new entities. If the definition of an entity is a URI, the entity is called an external entity. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g. a file on the local machine or on a remote system. This behavior exposes the application to XML eXternal Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.

To test for XXE vulnerabilities, one can use the following input:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>

This test could crash the web server (on a UNIX system), if the XML parser attempts to substitute the entity with the contents of the /dev/random file.

Other useful tests use the same structure with a different URI in the entity declaration (shown as a placeholder here, since the remainder of the page is cut off):

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "URI-PLACEHOLDER" >]><foo>&xxe;</foo>
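The two checks a defender would want from the CDATA and XXE material above, as an added example that is not part of the guide: embedding untrusted text in a CDATA section so that a ']]>' in the input cannot terminate it, and confirming that a parser which does not resolve external entities rejects the /dev/random probe instead of reading the file. It uses Python's standard-library ElementTree, which never resolves external entities; the helper names and the sample inputs are assumptions constructed from the text above.

```python
import xml.etree.ElementTree as ET

# Inputs taken from the guide's CDATA examples, constructed here as test data.
CDATA_BREAKOUT = "]]>"
CDATA_XSS = ("<![CDATA[<]]>script<![CDATA[>]]>alert('xss')"
             "<![CDATA[<]]>/script<![CDATA[>]]>")
# The guide's XXE probe: an external entity that points at /dev/random.
XXE_DEV_RANDOM = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    '<!DOCTYPE foo [ <!ELEMENT foo ANY > '
    '<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>'
)


def is_well_formed(xml_text: str) -> bool:
    """True if the stdlib parser accepts the document, False on ParseError.

    ElementTree never resolves external entities: on the XXE probe it raises
    at '&xxe;' instead of opening /dev/random, and a stray ']]>' in element
    content is reported as an invalid token.
    """
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def username_node_unsafe(user_name: str) -> str:
    """The guide's vulnerable construction: raw concatenation into CDATA."""
    return "<username><![CDATA[" + user_name + "]]></username>"


def cdata_escape(value: str) -> str:
    """Wrap untrusted text in CDATA so nothing in it can end the section early.

    Each ']]>' is split across two sections: ']]' ends one, '>' opens the
    next, so the parser only ever sees it as character data.
    """
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def username_node_safe(user_name: str) -> str:
    """Same node as the guide's snippet, built with cdata_escape()."""
    return "<username>" + cdata_escape(user_name) + "</username>"


def recovered_text(xml_text: str) -> str:
    """Text a parser recovers from the fragment (adjacent CDATA pieces joined)."""
    return ET.fromstring(xml_text).text or ""
```

Parsers that do resolve external entities (for example lxml with its default settings) must be configured not to; the stdlib behaviour shown here is the reason the guide's first probe raises rather than hangs.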
