135
Web Application Penetration Testing
is well formed and valid, and represents the ‘’
inside a text node, a CDATA section may be used:

]]>

so that ‘’ won’t be parsed as markup and will be considered as character data.

If a node is built in the following way:

the tester could try to inject the end-of-CDATA string ‘]]>’ in order to invalidate the XML document:

userName = ]]>

This will become:

]]>

which is not a valid XML fragment.

Another test is related to the CDATA tag. Suppose that the XML document is processed to generate an HTML page. In this case, the CDATA section delimiters may simply be eliminated without any further inspection of their contents. It is then possible to inject HTML tags, which will be included in the generated page, completely bypassing the existing sanitization routines.

Let’s consider a concrete example. Suppose we have a node containing some text that will be displayed back to the user:

$HTMLCode

Then an attacker can provide the following input:

$HTMLCode = script]]>alert(‘xss’)/script]]>

and obtain the following node:

script]]>alert(‘xss’)/script]]>

During the processing, the CDATA section delimiters are eliminated, generating the following HTML code:

alert(‘XSS’)

The result is that the application is vulnerable to XSS.
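The following Python is an added example, not part of the guide's text or the OWASP project's own code. It contrasts the node template above (untrusted text dropped straight into a CDATA section) with one that splits every ‘]]>’ across two CDATA sections, and replaces delimiter-stripping with parse-then-HTML-escape rendering. The function names and the two sample inputs are constructed for this example.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample inputs: the guide's terminator test, and an input that carries
# its own CDATA opener so the naive template stores '<script>' as character data.
TERMINATOR_INPUT = "]]>"
SMUGGLED_INPUT = "]]><![CDATA[<script>"


def naive_node(user_text: str) -> str:
    """The pattern from the guide: untrusted text placed directly in a CDATA section."""
    return f"<node><![CDATA[{user_text}]]></node>"


def safe_node(user_text: str) -> str:
    """Split each ']]>' in the input across two CDATA sections, so a user-supplied
    terminator is stored as character data and can never close the section early."""
    escaped = user_text.replace("]]>", "]]]]><![CDATA[>")
    return f"<node><![CDATA[{escaped}]]></node>"


def is_well_formed(document: str) -> bool:
    """True if the parser accepts the document; expat rejects a bare ']]>' in content."""
    try:
        ET.fromstring(document)
    except ET.ParseError:
        return False
    return True


def node_text(document: str) -> str:
    """Character data of <node> after parsing; adjacent CDATA sections are merged."""
    return ET.fromstring(document).text or ""


def render_html(document: str) -> str:
    """Defensive rendering: parse the node and HTML-escape its text, instead of
    stripping the CDATA delimiters and emitting whatever is left."""
    return f"<p>{html.escape(node_text(document))}</p>"


if __name__ == "__main__":
    print(is_well_formed(naive_node(TERMINATOR_INPUT)))  # False: ']]>' leaks into content
    print(node_text(safe_node(TERMINATOR_INPUT)))          # ]]>
    print(node_text(naive_node(SMUGGLED_INPUT)))           # <script>  (delimiters absorbed)
    print(node_text(safe_node(SMUGGLED_INPUT)))            # ]]><![CDATA[<script>  (round-trips)
    print(render_html(safe_node(SMUGGLED_INPUT)))          # <p>]]&gt;&lt;![CDATA[&lt;script&gt;</p>
```

The naive template turns the smuggled input into a text node reading `<script>`, which is exactly what a delimiter-stripping HTML generator would emit raw; the safe template round-trips the input unchanged and the renderer escapes it.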
External Entity:

The set of valid entities can be extended by defining new entities. If the definition of an entity is a URI, the entity is called an external entity. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the application to XML eXternal Entity (XXE) attacks, which can be used to perform denial of service against the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service against remote systems.

To test for XXE vulnerabilities, one can use the following input:

]>&xxe;

This test could crash the web server (on a UNIX system) if the XML parser attempts to substitute the entity with the contents of the /dev/random file.

Other useful tests are the following:

]>&xxe;