XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XML eXternal Entity vulnerabilities
Armando Romeo – Abraham Aranguren
eLearnSecurity SRL
www.elearnsecurity.com
Page 2
MENU
Introduction
DEMO
Q/A + Surprise
Page 3
Presenter
Meet our author Abraham Aranguren
Project founder and leader of OWASP OWTF
7+ years in Web App Security research and consulting
Speaker at top European IT Security events
Co-creator of VSA along with Mario Heiderich and Gareth Heyes
Author of Practical Web Defense
The most comprehensive training course on web app security
Launched in November 2013
Page 4
Agenda
Web Service Types
SQLi on Web Services
XSS on Web Services
XXE / XEE on Web Services
XXE / XEE Demo
Q & A
Page 5
Web Service Types
Major Web Service Types:
Abbreviation   Stands for
XML-RPC        XML Remote Procedure Call
JSON-RPC       JSON Remote Procedure Call
SOAP           Simple Object Access Protocol
REST           Representational State Transfer
BPEL           Business Process Execution Language
WCF            Windows Communication Foundation
More in-depth examples, labs, videos, etc. on:
«Practical Web Defense»
https://www.elearnsecurity.com/PWD
Page 6
Web Service Example
Basic Example:
• «Find a player web service»
• Web service returns matches from a database
Request: the web service client sends the message “Find a player”
Web service server:
1) Search player
2) Return matches
Response: the web service server sends back the message “Player matches”
Page 7
Web Service Types
In this webinar:
• Web service = Process request + Return response
• Web service = «the function», «find a player»
• Web service type = «the envelope», «HOW to call the function»
• Vulnerabilities are often in «the function»:
IF SO, Web Service attacks work against ALL types
NOT in this webinar:
• Vulnerabilities can also be in processing of «the envelope»
http://www.ws-attacks.org/
Page 8
“Find a player” in “XML-RPC speak”
XML-RPC Request Example
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>Simon</string>
</value>
</param>
</params>
</methodCall>
Page 9
“Find a Player” in “JSON-RPC speak”
JSON-RPC Request Example
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer",
"params": [ "Simon" ],
"id": 1
}
Page 10
“Find a Player” in “SOAP speak”
SOAP Request Example
POST /soap_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
xmlns:enc="http://www.w3.org/2003/05/soap-encoding"
xmlns:ns1="http://example.com/soap_web_service"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<ns1:FindPlayer
env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
<name xsi:type="xsd:string">Simon</name>
</ns1:FindPlayer>
</env:Body>
</env:Envelope>
Page 11
«Find a Player» in «RESTful speak»
RESTful Request Example
GET /restful_web_service/Find_player/Simon HTTP/1.1
Host: example.com
...
Page 12
Web Service Types: Summary
For our purposes:
• The function can be the same:
«Find a Player»
• The attacks can be the same:
SQLi, XSS, XXE, etc.
• What changes is «the envelope»:
«How to invoke the function»
In our example:
«HOW to call the web service to find a player»
Page 13
SQLi, XSS and XXE?
Definitions:
SQLi = SQL Injection
XSS = Cross Site Scripting
XXE = XML eXternal Entity
What do SQLi, XSS and XXE have in common?
• They are all «Injection» attacks
• Injection attacks = Number 1 Web Risk (OWASP Top 10 2013, A1)
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
Usual culprits:
• String concatenations
• XML parsers
• Home rolled parsers
Page 14
SQLi on Web Services
SQL Injection (SQLi) 101:
• User input can change the SQL query
• «input» is «injected» into the «SQL query»
• Usually due to string concatenations:
«SELECT ... WHERE id = input»
SQL Injection on Web Services:
• Usually the same as SQLi on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
If the payload breaks the XML/JSON envelope, the web service cannot parse the message, so the attack never reaches «the function»
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
Page 15
SQLi: XML-RPC Web Service
Page 16
SQLi: Legit XML-RPC Request
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>Simon</string>
</value>
</param>
</params>
</methodCall>
Page 17
SQLi: XML-RPC SQLi Attack
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>
zz&apos; union all ...
</string>
</value>
</param>
</params>
</methodCall>
Page 18
SQLi: XML-RPC Explanation
Query (NOTE: string concatenation!):
SELECT * FROM players WHERE name LIKE '%{$player}%'
Intended usage:
• Player: Simon
• XML-RPC call snippet:
<string>Simon</string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%Simon%'
SQLi attack:
• Player: zz' union all ...
• XML-RPC call snippet (NOTE: XML-encoded single quote (') = &apos;):
<string>zz&apos; union all ... </string>
• Query becomes (the XML parser decodes &apos; back to ' before «the function» sees the value):
SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
Page 19
SQLi Mitigation: Basics
Usual SQLi Impact:
• The attacker can run arbitrary SQL code
• Dumping the whole database, sometimes code execution, etc.
Root cause: Code + Data = Code
• Code: SELECT * FROM players WHERE name LIKE '%%'
• + Data (i.e. user input): $player
• = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
• «Data» is executed as «Code» (All Injection attacks work like this)
How to fix: Separate «code» from «data» as aggressively as possible
• BEST: Bind variables aka «Parameterized queries». Always do this if you can!
• 2nd BEST: Escaping. Sometimes the only option (think legacy), be careful
• 3rd BEST: Strict validation. Only do this in addition to binding/escaping
• More info:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Page 20
SQLi Mitigation: On Escaping
REMEMBER: Bind variables > Escaping
IF you have to use escaping make sure that:
1) you use the DBMS function for that:
i.e. Escape MySQL using a MySQL-specific function, etc.
AND
2) You put quotes around the value you are escaping!
Our example:
Could be fixed, using escaping, like:
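The escaping fix the slide refers to is not reproduced on this page. As an added example (not the webinar's code), here is the slides' «find a player» query in Python with SQLite, showing the three options of the previous slide side by side: the concatenated query, the escaped-and-quoted query, and the bound variable. The tables, the rows and the attack string are constructed for this example; the escaping helper doubles single quotes, which is the SQL-standard rule SQLite follows, whereas on MySQL you would call the DBMS function as the slide says.

```python
import sqlite3

# Constructed sample data for the slides' «find a player» web service; the
# second table stands in for whatever an attacker would want to dump.
PLAYERS = [(1, "Simon"), (2, "Simone"), (3, "Joey")]
USERS = [("admin", "s3cret-hash"), ("bob", "hunter2-hash")]

# Constructed attack value: the slide's "zz' union all ..." carried to completion.
# Two selected columns, to line up with the two-column players table; the
# trailing comment swallows the "%'" that the query template appends.
ATTACK = "zz' UNION ALL SELECT username, password FROM users -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO players VALUES (?, ?)", PLAYERS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_player_vulnerable(conn, player):
    """The slide's query built by string concatenation: Code + Data = Code."""
    query = "SELECT * FROM players WHERE name LIKE '%" + player + "%'"
    return conn.execute(query).fetchall()


def escape_sql_literal(value):
    """2nd best, escaping. Doubling the single quote is the SQL-standard rule and
    what SQLite expects; on MySQL call the DBMS function (mysqli_real_escape_string),
    which also knows the connection character set."""
    return value.replace("'", "''")


def find_player_escaped(conn, player):
    """Escaped AND quoted: both halves of the slide's rule are needed."""
    query = "SELECT * FROM players WHERE name LIKE '%" + escape_sql_literal(player) + "%'"
    return conn.execute(query).fetchall()


def find_player_bound(conn, player):
    """BEST, bind variable: the value travels separately from the SQL text, so
    no quote in it can ever terminate the literal."""
    return conn.execute(
        "SELECT * FROM players WHERE name LIKE ?", ("%" + player + "%",)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_player_vulnerable(conn, ATTACK))  # dumps the users table
    print("escaped:   ", find_player_escaped(conn, ATTACK))     # no rows
    print("bound:     ", find_player_bound(conn, ATTACK))       # no rows
```

The `?` placeholder is SQLite's bind variable, the equivalent of a prepared statement with `bind_param` in mysqli. Note that binding stops injection but does not stop the `%` and `_` wildcards in the input from being interpreted by LIKE; that is a validation matter, not an injection one, which is why the slide lists validation as an addition and not as the fix.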
Page 21
XSS Intro
Cross Site Scripting (XSS) 101:
• User input can change the HTML page OR JavaScript
• «input» is «injected» into the «Page»
• Run JavaScript under «victim domain» = session hijacking, etc.
• Usually due to string concatenations:
«<html><body>....input...</body></html>»
Three major types of XSS:
• (Server-Side) Reflected:
The XSS payload is displayed back from the request
• (Server-Side) Stored:
The XSS payload is
1) stored (i.e. in a DB)
2) displayed back
• (JavaScript-Side) DOM-based:
The XSS payload is evaluated as JavaScript, from JavaScript code
Page 22
XSS on RESTful Web Services
XSS against RESTful web services can sometimes be like XSS on web apps:
Page 23
XSS on RESTful Web Services
Proof of concept:
XSS=$(php -r 'echo urlencode("<svg onload=alert(1)>");')
curl -i "http://localhost/findplayer/$XSS"
OR directly:
http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E
Returns:
HTTP/1.1 200 OK
..
Content-Type: text/html
Your search: <svg onload=alert(1)>Matches: ...
NOTE:
Content-Type != text/html on SOAP, XML-RPC, JSON-RPC .. usually ☺
Page 24
XSS on most Web Services
But, more commonly, XSS on Web Services happens in two stages:
1) The web service saves the data: NOT the problem
2) The data is displayed (insecurely) by a web app: THE problem
XSS on Web Services:
• Usually the same as Persistent XSS on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
If the payload breaks the XML/JSON envelope, the web service cannot parse the message, so the payload is never stored
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
Page 25
JSON-RPC Request Example
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer",
"params": [ "Simon" ],
"id": 1
}
Page 26
JSON-RPC XSS Attack
NOTE: Encode according to «the envelope», JSON-RPC = JSON encode
XSS=$(php -r 'echo json_encode("<svg onload=alert(1)>");')
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer",
"params": [ "<svg onload=alert(1)>" ],
"id": 1
}
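The SQLi slides («attack encoded according to the envelope») and this JSON-RPC XSS slide make the same point: the payload has to be encoded for the envelope so the web service still parses the message and hands the raw value to «the function». This added Python example (not from the webinar) builds the «Find a Player» call in the four envelopes of the earlier slides and checks what the function receives in each case; the method and path names follow the slides, and the SQLi fragment, the XSS probe and the naive unencoded request are constructed.

```python
import json
from urllib.parse import quote
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Constructed payloads: the SQLi fragment and the XSS probe from the slides.
SQLI = "zz' union all ..."
XSS = "<svg onload=alert(1)>"


def xml_text(value):
    """XML-encode element content: &, <, > and both quote styles, so the single
    quote becomes &apos; exactly as on the XML-RPC SQLi slide."""
    return escape(value, {"'": "&apos;", '"': "&quot;"})


def xml_rpc_request(method, value):
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<methodCall><methodName>%s</methodName><params><param><value>"
        "<string>%s</string></value></param></params></methodCall>"
        % (xml_text(method), xml_text(value))
    )


def json_rpc_request(method, value):
    """json.dumps does the JSON-level encoding (quotes, backslashes, control chars)."""
    return json.dumps({"method": method, "params": [value], "id": 1})


def soap_request(method, value):
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"'
        ' xmlns:ns1="http://example.com/soap_web_service"><env:Body>'
        "<ns1:%s><name>%s</name></ns1:%s></env:Body></env:Envelope>"
        % (method, xml_text(value), method)
    )


def rest_request_line(value):
    """URL-encode the path segment; safe="" also encodes "/" so the value cannot
    add path segments (PHP's urlencode() on the slide writes the space as +)."""
    return "GET /restful_web_service/Find_player/%s HTTP/1.1" % quote(value, safe="")


# What a naive client does: concatenate the raw value into the XML envelope.
NAIVE_XML_RPC = (
    "<methodCall><methodName>FindPlayer</methodName><params><param><value>"
    "<string>" + XSS + "</string></value></param></params></methodCall>"
)


def envelope_survives(xml_body):
    """True if the XML envelope still parses, i.e. the request reaches «the function»."""
    try:
        ET.fromstring(xml_body)
        return True
    except ET.ParseError:
        return False


def xml_rpc_value_seen_by_function(xml_body):
    """The string «the function» receives once the XML-RPC envelope is parsed."""
    return ET.fromstring(xml_body).find("params/param/value/string").text


def json_rpc_params_seen_by_function(json_body):
    return json.loads(json_body)["params"]


if __name__ == "__main__":
    print(xml_rpc_request("FindPlayer", SQLI))
    print("naive XML-RPC with raw <svg ...> parses:", envelope_survives(NAIVE_XML_RPC))
    print("function receives:", xml_rpc_value_seen_by_function(xml_rpc_request("FindPlayer", XSS)))
```

The unencoded `<svg onload=alert(1)>` is not well-formed XML (an unquoted attribute value), so the naive request dies in the parser and never reaches the vulnerable code; the encoded one is decoded by the same parser and the function receives the exact payload, which is the whole point of the «encoding is easy» slides.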
Page 27
XSS Mitigation
XSS Mitigation 101:
• Solution != Validation (i.e. Business requires «risky» characters, etc.)
• Solution = Output Encoding in the right context
• ALWAYS use validation in addition to output encoding.
• As with all Injection attacks, the problem is when:
Code + Input = Code
• Usual culprit aka “right place to fix”
String concatenations on code that renders/builds HTML/JavaScript
NOTE: Usually on the web app, rarely on the web service.
• More info (recommended reading):
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Page 28
XSS Mitigation Example
XSS Mitigation 101 = Output Encoding in the right context, using the
relevant platform function for such purpose. i.e. Htmlentities in PHP.
Vulnerable example:
Fixed example (in this context!):
Safe Output:
Your search: &lt;svg onload=alert(1)&gt; Matches: ...
Unsafe Output:
Your search: <svg onload=alert(1)> Matches: ...
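The vulnerable and fixed code for this slide is not reproduced on this page. As an added example (not the webinar's code), the Python below renders the slide's «Your search:» line the unsafe way and the HTML-encoded way (the slide's fix, htmlentities in PHP), and, to make the «right context» point concrete, also encodes the same input for an HTML attribute and for a JavaScript string, two contexts that are assumed for illustration and where plain HTML encoding is not the right tool.

```python
import html
import json

# Constructed probe, the same one the RESTful XSS slide uses.
PROBE = "<svg onload=alert(1)>"


def render_vulnerable(search):
    """String concatenation into HTML: Code + Input = Code (the slide's unsafe output)."""
    return "Your search: " + search + " Matches: ..."


def render_html_text(search):
    """HTML element-content context: the slide's fix (htmlentities in PHP)."""
    return "Your search: " + html.escape(search) + " Matches: ..."


def render_html_attribute(search):
    """HTML attribute context (assumed for illustration): quote the attribute
    AND encode quotes, otherwise a " in the input ends the attribute."""
    return '<input name="q" value="' + html.escape(search, quote=True) + '">'


def render_js_string(search):
    """JavaScript string context inside <script> (assumed for illustration):
    JSON-encode, then also hex-encode < > & so a "</script>" in the input
    cannot close the script block; HTML encoding would be wrong here."""
    encoded = json.dumps(search)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return "<script>var search = " + encoded + ";</script>"


if __name__ == "__main__":
    print(render_vulnerable(PROBE))
    print(render_html_text(PROBE))
    print(render_html_attribute('" onfocus=alert(1) autofocus="'))
    print(render_js_string("</script>" + PROBE))
```

The encoder is chosen by where the output lands, not by what the input looks like: the same `<` is `&lt;` in element content and `\u003c` inside a script string, and an attribute needs the quotes encoded even though element content does not.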
Page 29
XXE / XEE Intro
XML Entity (XXE / XEE) attacks 101:
• User input can change the parsed XML, «the XML the app will see»
• «input» is «injected» into the «parsed XML»
• Usually due to a default XML parser feature:
XML (External / Inline) Entities
Two major types of attacks:
• XXE = XML eXternal Entity = Read system files, source code, etc. (a path-traversal-like effect, performed by the parser)
• XEE = XML Entity Expansion = Denial of Service = Exhaust the web server's memory / CPU
Interesting attack variants:
• Internal network HTTP requests (the parser fetches the entity URL)
• PHP / Java wrappers
• Remote Code Execution (RCE) in some edge cases
• Etc.
Page 30
XXE / XEE = Subtle issues
XXE / XEE = Attacks against the XML parser, the code might «look safe»
Scenario:
An NGO builds a «crime report» web service, this allows people to report
government abuse crimes anonymously.
Code:
Page 31
XEE attack
XEE = XML Entity Expansion = Denial of Service (DoS) attack
Amplified XEE: «The billion laughs attack» / «recursive entity expansion»
XML File:
It will take … 687 GB of RAM to parse this document ..
Recommended watching: http://vimeo.com/73255656
Page 32
Intended XML File
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output:
Uploading Crime Report: Joey is guilty..
Page 33
XXE attack
XXE = External Entity attack = Path Traversal via the parser = Read files, etc.
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output: «summary» = «/etc/passwd» via XML parser!
Uploading Crime Report: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….
Page 34
XXE / XEE: Mitigation
XXE and XEE attacks mitigation 101:
• Disable external entities
• Disable DOCTYPE declarations
• Prefer SAX over DOM parsers
• Validate XML files against schemas
• More info (recommended reading, especially links at the end):
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Page 35
XXE / XEE: Mitigation example
Vulnerable:
$xml = simplexml_load_string($request->getBody());
Fixed:
NOTE: Do ALL this before parsing
$xml_string = $request->getBody();
//Fix 1) Disable External Entities: Fixes XXE and *some* XEE
libxml_disable_entity_loader(true);
//Fix 2) Limit overall XML size: IMPORTANT before Fix 3)
if (strlen($xml_string) > (1024 * 5))
    die('Sorry, we do not support XML files greater than 5 KB');
//Fix 3) Forbid DOCTYPE declarations: Fixes XXE and XEE
if (preg_match("/<!DOCTYPE/i", preg_replace("/\s/", '', $xml_string)))
    die('Unsupported XML file, sorry');
//NOW we can parse the XML safely ☺
$xml = simplexml_load_string($xml_string);
NOTE: libxml_disable_entity_loader() is deprecated as of PHP 8.0, because libxml 2.9+ no longer loads external entities unless asked to. On current PHP keep Fix 2 and Fix 3 and never pass LIBXML_NOENT to simplexml_load_string(); Fix 3 is the one that also stops the internal-entity expansion of the billion laughs attack, which Fix 1 alone does not.
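The slide's fixes are PHP. As an added example (not the webinar's code) the Python below ports the same order of checks (size limit, then DOCTYPE rejection, then parse) and adds the two pre-parse checks a practitioner would want when triaging an incoming document: list any SYSTEM/PUBLIC entities (the XXE primitive of the crime-report slides) and compute how much the entity references in the body would expand to, from the definitions alone and without expanding anything, which is how you size a billion laughs file instead of discovering its size the hard way. The crime-report documents and the entity generator are constructed for this example; the 5 KB limit is the slide's, and the entity regex handles double-quoted internal entities only.

```python
import re
from xml.etree import ElementTree as ET

MAX_BYTES = 5 * 1024  # the slide's 5 KB ceiling

# Constructed documents for the NGO «crime report» scenario of the earlier slides.
BENIGN = '<?xml version="1.0"?><report><summary>Joey is guilty</summary></report>'

# External entity (XXE): the parser, not the app, would put the file into <summary>.
XXE = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE report [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<report><summary>&xxe;</summary></report>"
)

ENTITY_DEF = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')            # internal entities
ENTITY_EXT = re.compile(r"<!ENTITY\s+(\w+)\s+(?:SYSTEM|PUBLIC)\b", re.I)  # external entities
ENTITY_REF = re.compile(r"&(\w+);")
DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*(?:\[.*?\]\s*)?>", re.I | re.S)


def billion_laughs(depth, fanout=10, seed="lol"):
    """Generate a recursive-expansion (XEE) document: lolN = fanout x lol(N-1)."""
    ents = ['<!ENTITY lol0 "%s">' % seed]
    for i in range(1, depth + 1):
        ents.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    return "<!DOCTYPE lolz [%s]><lolz>&lol%d;</lolz>" % ("".join(ents), depth)


def external_entities(doc):
    """Names of SYSTEM/PUBLIC entities: the XXE primitive (files, internal URLs)."""
    return ENTITY_EXT.findall(doc)


def _entity_size(name, defs, memo, stack=()):
    """Expanded length of one internal entity, resolving nested references."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError("recursive entity reference: " + name)
    text = defs.get(name)
    if text is None:
        return 0  # built-in (&amp; ...) or undeclared: nothing to expand
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += m.start() - pos  # literal characters before the reference
        total += _entity_size(m.group(1), defs, memo, stack + (name,))
        pos = m.end()
    memo[name] = total + len(text) - pos
    return memo[name]


def expansion_size(doc):
    """Characters the entity references in the body expand to, computed from the
    definitions instead of by expanding them (the XEE check)."""
    defs = dict(ENTITY_DEF.findall(doc))
    body = DOCTYPE.sub("", doc)
    memo = {}
    return sum(_entity_size(name, defs, memo) for name in ENTITY_REF.findall(body))


def safe_parse(doc, max_bytes=MAX_BYTES):
    """The slide's order of checks: size limit first (so the DOCTYPE search only
    ever runs on a small document), then no DOCTYPE at all, then parse."""
    if len(doc.encode("utf-8")) > max_bytes:
        raise ValueError("XML larger than %d bytes is not supported" % max_bytes)
    if re.search(r"<!DOCTYPE", doc, re.I):
        raise ValueError("DOCTYPE declarations are not supported")
    return ET.fromstring(doc)


def rejected(doc):
    """True if safe_parse refuses the document."""
    try:
        safe_parse(doc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("external entities in XXE doc:", external_entities(XXE))
    print("billion laughs, depth 9, expands to", expansion_size(billion_laughs(9)), "chars")
    print("benign summary:", safe_parse(BENIGN).find("summary").text)
```

The depth-9 generator is under 1 KB on the wire and expands to 3 billion characters, which is why a byte limit on the request (Fix 2) is necessary but not sufficient and the DOCTYPE ban (Fix 3) is the check that actually closes both XXE and XEE.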
Page 36
XXE / XEE Demo
XXE / XEE
DEMO
Watch it from minute 25 here:
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
(NOTE: Wait for the video to fully load first)
Page 37
Thank you!
Armando Romeo
armando@elearnsecurity.com
Abraham Aranguren
abraham@elearnsecurity.com
Cool

More Related Content

What's hot

Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Abraham Aranguren
 

What's hot (20)

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 

Viewers also liked

Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Lionel Briand
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
Shreeraj Shah
 
Gareth hayes. non alphanumeric javascript-php and shared fuzzing
Gareth hayes. non alphanumeric javascript-php and shared fuzzingGareth hayes. non alphanumeric javascript-php and shared fuzzing
Gareth hayes. non alphanumeric javascript-php and shared fuzzing
Yury Chemerkin
 

Viewers also liked (17)

Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrieval
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPSSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAP
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
 
Xml external entities [xxe]
Xml external entities [xxe]Xml external entities [xxe]
Xml external entities [xxe]
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
Gareth hayes. non alphanumeric javascript-php and shared fuzzing
Gareth hayes. non alphanumeric javascript-php and shared fuzzingGareth hayes. non alphanumeric javascript-php and shared fuzzing
Gareth hayes. non alphanumeric javascript-php and shared fuzzing
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
 
CSRF: ways to exploit, ways to prevent
CSRF: ways to exploit, ways to preventCSRF: ways to exploit, ways to prevent
CSRF: ways to exploit, ways to prevent
 
DEfcon15 XXE XXS
DEfcon15 XXE XXSDEfcon15 XXE XXS
DEfcon15 XXE XXS
 
Basic of Ethical Hacking and Penetration Testing - 1st Module
Basic of Ethical Hacking and Penetration Testing - 1st ModuleBasic of Ethical Hacking and Penetration Testing - 1st Module
Basic of Ethical Hacking and Penetration Testing - 1st Module
 

Similar to XXE Exposed: SQLi, XSS, XXE and XEE against Web Services

Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
Frank Kim
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Xlator
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 

Similar to XXE Exposed: SQLi, XSS, XXE and XEE against Web Services (20)

The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encoding
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
 
15 owasp top 10 - a3-xss
15   owasp top 10 - a3-xss15   owasp top 10 - a3-xss
15 owasp top 10 - a3-xss
 
Hacking 101 (Session 2)
Hacking 101  (Session 2)Hacking 101  (Session 2)
Hacking 101 (Session 2)
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Brakeman
BrakemanBrakeman
Brakeman
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 

More from Abraham Aranguren

More from Abraham Aranguren (7)

Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services

Page 8
“Find a player” in “XML-RPC speak”
XML-RPC Request Example

POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>FindPlayer</methodName>
  <params>
    <param>
      <value>
        <string>Simon</string>
      </value>
    </param>
  </params>
</methodCall>
Page 9
“Find a Player” in “JSON-RPC speak”
JSON-RPC Request Example

POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
  "method": "FindPlayer",
  "params": [ "Simon" ],
  "id": 1
}
Page 10
“Find a Player” in “SOAP speak”
SOAP Request Example

POST /soap_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
              xmlns:enc="http://www.w3.org/2003/05/soap-encoding"
              xmlns:ns1="http://example.com/soap_web_service"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Body>
    <ns1:FindPlayer env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
      <name xsi:type="xsd:string">Simon</name>
    </ns1:FindPlayer>
  </env:Body>
</env:Envelope>
Page 11
«Find a Player» in «RESTful speak»
RESTful Request Example

GET /restful_web_service/Find_player/Simon HTTP/1.1
Host: example.com
...
Page 12
Web Service Types: Summary
For our purposes:
• The function can be the same: «Find a Player»
• The attacks can be the same: SQLi, XSS, XXE, etc.
• What changes is «the envelope»: «How to invoke the function»
In our example: «HOW to call the web service to find a player»
Page 13
SQLi, XSS and XXE?
Definitions:
SQLi = SQL Injection
XSS = Cross Site Scripting
XXE = XML eXternal Entity
What do SQLi, XSS and XXE have in common?
• They are all «Injection» attacks
• Injection attacks = Number 1 Web Risk (OWASP Top 10 2013, A1)
  https://www.owasp.org/index.php/Top_10_2013-A1-Injection
Usual culprits:
• String concatenations
• XML parsers
• Home-rolled parsers
Page 14
SQLi on Web Services
SQL Injection (SQLi) 101:
• User input can change the SQL query
• «input» is «injected» into the «SQL query»
• Usually due to string concatenations: «SELECT ... WHERE id = input»
SQL Injection on Web Services:
• Usually the same as SQLi on Web Applications.
• Difference = Attack encoded according to «the envelope»
  Why? Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺ https://hackvertor.co.uk/public
Page 15
SQLi: XML-RPC Web Service
Page 16
SQLi: Legit XML-RPC Request

POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>FindPlayer</methodName>
  <params>
    <param>
      <value>
        <string>Simon</string>
      </value>
    </param>
  </params>
</methodCall>
Page 17
SQLi: XML-RPC SQLi Attack

POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>FindPlayer</methodName>
  <params>
    <param>
      <value>
        <string>zz&apos; union all ... </string>
      </value>
    </param>
  </params>
</methodCall>
Page 18
SQLi: XML-RPC Explanation
Query (NOTE: string concatenation!):
SELECT * FROM players WHERE name LIKE '%{$player}%'
Intended usage:
• Player: Simon
• XML-RPC call snippet: <string>Simon</string>
• Query becomes: SELECT * FROM players WHERE name LIKE '%Simon%'
SQLi attack:
• Player: zz' union all ...
• XML-RPC call snippet (NOTE: XML-encoded single quote ' = &apos;): <string>zz&apos; union all ... </string>
• Query becomes: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
The XML parser decodes &apos; back to ' before the value reaches the SQL layer, so the envelope encoding changes nothing for the database: it only keeps the XML well-formed so the web service can read the message at all.
Page 19
SQLi Mitigation: Basics
Usual SQLi impact:
• The attacker can run arbitrary SQL code
• Dumping the whole database, sometimes code execution, etc.
Root cause: Code + Data = Code
• Code: SELECT * FROM players WHERE name LIKE '%%'
• + Data (i.e. user input): $player
• = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
• «Data» is executed as «Code» (all Injection attacks work like this)
How to fix: separate «code» from «data» as aggressively as possible
• BEST: Bind variables aka «Parameterized queries». Always do this if you can!
• 2nd BEST: Escaping. Sometimes the only option (think legacy); be careful
• 3rd BEST: Strict validation. Only do this in addition to binding/escaping
• More info: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Page 20
SQLi Mitigation: On Escaping
REMEMBER: Bind variables > Escaping
IF you have to use escaping make sure that:
1) you use the DBMS function for that, i.e. escape MySQL using a MySQL-specific function, etc.
AND
2) you put quotes around the value you are escaping! (An escaped value that is not quoted is still injectable: 1 OR 1=1 contains no quote for the escaping function to neutralise.)
Our example could be fixed, using escaping, like:
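The following PHP example is added here and is not code from the slides: it takes the FindPlayer XML-RPC call from pages 16-18 through the three handlers discussed on pages 19-20 (string concatenation, bind variable, DBMS escaping with quotes) so the difference is visible on the same input. The players table and the name column follow the slides; the in-memory SQLite database, the sample rows, the users table and the function names are assumptions made for the demo.

```php
<?php
// Added example (not from the slides): the "FindPlayer" XML-RPC handler
// built three ways. Table/column names (players, name) follow the slides;
// the SQLite in-memory database, the users table and the sample rows are
// constructed here for the demo.

declare(strict_types=1);

// 1) Extract the player name from the XML-RPC envelope.
//    The parser decodes &apos; back to ' so the SQL layer sees the raw quote.
function xmlrpc_param(string $body): string
{
    $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false || !isset($doc->params->param[0]->value->string)) {
        throw new InvalidArgumentException('malformed XML-RPC call');
    }
    return (string) $doc->params->param[0]->value->string;
}

// 2) VULNERABLE: string concatenation, exactly as on page 18.
function find_player_concat(PDO $db, string $player): array
{
    $sql = "SELECT name, team FROM players WHERE name LIKE '%{$player}%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3) FIXED (best): bind variable. The wildcard is part of the *data*,
//    so a quote in the input can never become part of the *code*.
function find_player_bound(PDO $db, string $player): array
{
    $stmt = $db->prepare('SELECT name, team FROM players WHERE name LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $player . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4) FIXED (2nd best): escaping with the driver's own function AND quotes
//    around the escaped value (the two rules on page 20).
//    PDO::quote() returns the value already wrapped in single quotes.
function find_player_escaped(PDO $db, string $player): array
{
    $quoted = $db->quote('%' . $player . '%');
    return $db->query("SELECT name, team FROM players WHERE name LIKE {$quoted}")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo on a constructed in-memory database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (name TEXT, team TEXT)');
$db->exec("INSERT INTO players VALUES ('Simon', 'Red'), ('Simone', 'Blue')");
$db->exec('CREATE TABLE users (login TEXT, pw_hash TEXT)');
$db->exec("INSERT INTO users VALUES ('admin', 'constructed-hash-value')");

$legit  = '<?xml version="1.0"?><methodCall><methodName>FindPlayer</methodName>'
        . '<params><param><value><string>Simon</string></value></param></params></methodCall>';
// The attack value carries its quote XML-encoded, as on page 17.
$attack = '<?xml version="1.0"?><methodCall><methodName>FindPlayer</methodName>'
        . '<params><param><value><string>zz&apos; UNION ALL SELECT login, pw_hash FROM users -- </string>'
        . '</value></param></params></methodCall>';

foreach (['legit' => $legit, 'attack' => $attack] as $label => $body) {
    $player = xmlrpc_param($body);
    printf("[%s] concat : %s\n", $label, json_encode(find_player_concat($db, $player)));
    printf("[%s] bound  : %s\n", $label, json_encode(find_player_bound($db, $player)));
    printf("[%s] escaped: %s\n", $label, json_encode(find_player_escaped($db, $player)));
}
```

Run it with the PHP CLI (pdo_sqlite and SimpleXML are bundled with most builds). On the attack call the concatenated handler returns the users rows because the injected UNION runs and the `--` comments out the trailing `%'`; the bound and escaped handlers treat the whole string as a LIKE pattern and return nothing. Note that the escaped variant only works because PDO::quote() adds the surrounding quotes itself: escaping alone, without the quotes, would not help.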
Page 21
XSS Intro
Cross Site Scripting (XSS) 101:
• User input can change the HTML page OR JavaScript
• «input» is «injected» into the «Page»
• Run JavaScript under «victim domain» = session hijacking, etc.
• Usually due to string concatenations: «<html><body>....input...</body></html>»
Three major types of XSS:
• (Server-Side) Reflected: the XSS payload is displayed back from the request
• (Server-Side) Stored: the XSS payload is 1) stored (i.e. in a DB) 2) displayed back
• (JavaScript-Side) DOM-based: the XSS payload is evaluated as JavaScript, from JavaScript code
Page 22
XSS on RESTful Web Services
XSS against RESTful web services can sometimes be like XSS on web apps:
Page 23
XSS on RESTful Web Services
Proof of concept:
XSS=$(php -r 'echo urlencode("<svg onload=alert(1)>");')
curl -i "http://localhost/findplayer/$XSS"
OR directly:
http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E
Returns:
HTTP/1.1 200 OK
..
Content-Type: text/html
Your search: <svg onload=alert(1)>
Matches: ...
NOTE: the browser executes this only because the response is served as text/html. On SOAP, XML-RPC and JSON-RPC the response Content-Type is usually something else (text/xml, application/json), so the reflected payload is not rendered as HTML .. usually ☺
Page 24
XSS on most Web Services
But, more commonly, XSS on Web Services happens in two stages:
1) The web service saves the data: NOT the problem
2) The data is displayed (insecurely) by a web app: THE problem
XSS on Web Services:
• Usually the same as Persistent XSS on Web Applications.
• Difference = Attack encoded according to «the envelope»
  Why? Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺ https://hackvertor.co.uk/public
Page 25
JSON-RPC Request Example

POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
  "method": "FindPlayer",
  "params": [ "Simon" ],
  "id": 1
}
Page 26
JSON-RPC XSS Attack
NOTE: Encode according to «the envelope», JSON-RPC = JSON encode
XSS=$(php -r 'echo json_encode("<svg onload=alert(1)>");')

POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
  "method": "FindPlayer",
  "params": [ "<svg onload=alert(1)>" ],
  "id": 1
}
Page 27
XSS Mitigation
XSS Mitigation 101:
• Solution != Validation (i.e. business requires «risky» characters, etc.)
• Solution = Output Encoding in the right context
• ALWAYS use validation in addition to output encoding.
• As with all Injection attacks, the problem is when: Code + Input = Code
• Usual culprit aka “right place to fix”: string concatenations in code that renders/builds HTML/JavaScript
  NOTE: Usually in the web app, rarely in the web service.
• More info (recommended reading): https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Page 28
XSS Mitigation Example
XSS Mitigation 101 = Output Encoding in the right context, using the relevant platform function for such purpose, i.e. htmlentities() in PHP.
Vulnerable example:
Fixed example (in this context!):
Unsafe Output: Your search: <svg onload=alert(1)> Matches: ...
Safe Output: Your search: &lt;svg onload=alert(1)&gt; Matches: ...
NOTE: htmlentities()/htmlspecialchars() is the right encoder for the HTML body context only; data placed inside an attribute value, a JavaScript string or a URL needs the encoder for that context (see the cheat sheet on page 27).
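The following PHP example is added here and is not code from the slides: it walks the two-stage flow of pages 24-28 end to end, building the JSON-RPC call with json_encode() as on page 26, storing the value in the web service (stage 1) and then rendering it in the web app both with string concatenation and with htmlspecialchars() for the HTML body context (stage 2). The JSON-RPC shape follows the slides; the in-memory search log, the render functions and the sample payload are assumptions made for the demo.

```php
<?php
// Added example (not from the slides): XSS across a JSON-RPC web service
// and the web page that later displays what the service stored. The
// JSON-RPC shape follows pages 25-26; the $searchLog array, the render
// functions and the sample payload are constructed here.

declare(strict_types=1);

// Client side: encode according to "the envelope". json_encode() escapes
// what would break JSON (" \ and control characters) but leaves < and >
// alone by default, so the HTML payload reaches the service intact.
function build_jsonrpc_find_player(string $name): string
{
    return json_encode(['method' => 'FindPlayer', 'params' => [$name], 'id' => 1]);
}

// Web service: stage 1 on page 24. It stores the search string and
// answers in JSON. Nothing here is "the problem": it never renders HTML.
function service_handle(string $body, array &$searchLog): array
{
    $call = json_decode($body, true, 16, JSON_THROW_ON_ERROR);
    if (($call['method'] ?? null) !== 'FindPlayer' || !is_string($call['params'][0] ?? null)) {
        return ['error' => 'bad request', 'id' => $call['id'] ?? null];
    }
    $searchLog[] = $call['params'][0];
    return ['result' => [], 'id' => $call['id']];
}

// Web app: stage 2, where the stored data is displayed.
// Vulnerable form: string concatenation into HTML.
function render_unsafe(string $lastSearch): string
{
    return "<p>Your search: {$lastSearch}</p>";
}

// Fixed form for the HTML body context. ENT_QUOTES also encodes ' so the
// same helper stays safe inside quoted attribute values; ENT_SUBSTITUTE
// keeps invalid UTF-8 from turning the output into an empty string.
function render_safe(string $lastSearch): string
{
    $enc = htmlspecialchars($lastSearch, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Your search: {$enc}</p>";
}

// --- demo ---
$log  = [];
$body = build_jsonrpc_find_player('<svg onload=alert(1)>');
echo "JSON-RPC request body: ", $body, "\n";

$reply = service_handle($body, $log);
echo "Service reply        : ", json_encode($reply), "\n";

$last = end($log);
echo "Unsafe page          : ", render_unsafe($last), "\n";
echo "Safe page            : ", render_safe($last), "\n";
```

The request body printed by the first line is the page 26 payload: json_encode() wraps the string in quotes and escapes nothing else, which is exactly why "encoding is easy" for the attacker. The unsafe page hands the stored `<svg onload=alert(1)>` to the browser as markup; the safe page emits `&lt;svg onload=alert(1)&gt;`, the Safe Output of page 28.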
Page 29
XXE / XEE Intro
XML Entity (XXE / XEE) attacks 101:
• User input can change the parsed XML, «the XML the app will see»
• «input» is «injected» into the «parsed XML»
• Usually due to a default XML parser feature: XML (External / Inline) Entities
Two major types of attacks:
• XXE = XML eXternal Entity = read system files, source code, etc. (path-traversal-like impact)
• XEE = XML Entity Expansion = Denial of Service = crash the web server
Interesting attack variants:
• Internal network HTTP requests (the parser fetches the entity URL on the attacker's behalf)
• PHP / Java wrappers
• Remote Code Execution (RCE) in some edge cases
• Etc.
Page 30
XXE / XEE = Subtle issues
XXE / XEE = attacks against the XML parser; the code might «look safe»
Scenario: An NGO builds a «crime report» web service, which allows people to report government abuse crimes anonymously.
Code:
Page 31
XEE attack
XEE = XML Entity Expansion = Denial of Service (DoS) attack
Amplified XEE: «The billion laughs attack» / «recursive entity expansion»
XML File:
It will take … 687 GB of RAM to parse this document ..
Recommended watching: http://vimeo.com/73255656
Page 32
Intended XML File
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output:
Uploading Crime Report: Joey is guilty..
Page 33
XXE attack
XXE = External Entity attack = read files, etc. (path-traversal-like impact)
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output: «summary» = «/etc/passwd» via XML parser!
Uploading Crime Report: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….
Page 34
XXE / XEE: Mitigation
XXE and XEE attacks mitigation 101:
• Disable external entities
• Disable DOCTYPE declarations (no DOCTYPE = nowhere to declare an entity, external or internal)
• Prefer SAX over DOM parsers (a streaming parser does not have to hold the fully expanded document in memory)
• Validate XML files against schemas (a complement, not a replacement: entities are substituted while parsing, before the schema sees the document)
• More info (recommended reading, especially links at the end): https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Page 35
XXE / XEE: Mitigation example
Vulnerable:
$xml = simplexml_load_string($request->getBody());
Fixed (NOTE: do ALL this before parsing):
$xml_string = $request->getBody();
// Fix 1) Disable External Entities: fixes XXE and *some* XEE
// (deprecated since PHP 8.0, where libxml2 >= 2.9 no longer loads external
// entities by default; whatever the version, never pass LIBXML_NOENT to the parser)
libxml_disable_entity_loader(true);
// Fix 2) Limit overall XML size: IMPORTANT before Fix 3)
if (strlen($xml_string) > (1024 * 5)) die('Sorry, we do not support XML files greater than 5 KBs');
// Fix 3) Forbid DOCTYPE declarations: fixes XXE and XEE
// (whitespace is stripped first so "<! DOCTYPE" cannot slip past the match)
if (preg_match("/<!DOCTYPE/i", preg_replace("/\s/", '', $xml_string))) die('Unsupported XML file, sorry');
// NOW we can parse the XML safely ☺
$xml = simplexml_load_string($xml_string);
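The following PHP example is added here and is not code from the slides: it packages the page 34-35 mitigations into one loader for the page 30 crime-report service and runs it against three constructed documents, the intended report from page 32, an external-entity payload of the page 33 kind, and a billion-laughs payload of the page 31 kind. The <summary> element follows the slides; the function names, the 5 KB limit, the sample documents and the file path in the XXE payload are assumptions made for the demo.

```php
<?php
// Added example (not from the slides): the "crime report" service from
// page 30 behind a hardened XML loader, exercised against the intended
// report (page 32), an XXE payload (page 33) and a billion-laughs XEE
// payload (page 31). Function names, limits and the sample documents are
// constructed here.

declare(strict_types=1);

const MAX_XML_BYTES = 5 * 1024;

function load_report_xml(string $xml): SimpleXMLElement
{
    // 1) Size cap first: every later check is linear in the input.
    if (strlen($xml) > MAX_XML_BYTES) {
        throw new LengthException('XML larger than ' . MAX_XML_BYTES . ' bytes');
    }
    // 2) No DOCTYPE at all: that is where external entities (XXE) and
    //    internal entity bombs (XEE) are declared. Whitespace is removed
    //    first so "<! DOCTYPE" cannot slip past; the match ignores case.
    if (preg_match('/<!DOCTYPE/i', preg_replace('/\s+/', '', $xml)) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    // 3) Parse without LIBXML_NOENT (never pass it) and without network
    //    access. libxml_use_internal_errors() turns parser warnings into
    //    values we can inspect instead of noise in the server log.
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        $first = $errors[0]->message ?? 'unknown parser error';
        throw new InvalidArgumentException('malformed XML: ' . trim($first));
    }
    return $doc;
}

// The page 32 handler, now reading only what the hardened loader returns.
function upload_crime_report(string $xml): string
{
    $doc = load_report_xml($xml);
    return 'Uploading Crime Report: ' . (string) $doc->summary . '..';
}

// --- constructed sample documents ---
$intended = '<?xml version="1.0"?><report><summary>Joey is guilty</summary></report>';

$xxe = '<?xml version="1.0"?>'
     . '<!DOCTYPE report [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
     . '<report><summary>&xxe;</summary></report>';

// Billion laughs: nine nested entities, ten references each.
$lol  = '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">';
$prev = 'lol';
for ($i = 1; $i <= 9; $i++) {
    $lol .= "<!ENTITY lol{$i} \"" . str_repeat("&{$prev};", 10) . '">';
    $prev = "lol{$i}";
}
$lol .= ']><report><summary>&lol9;</summary></report>';

foreach (['intended' => $intended, 'xxe' => $xxe, 'xee' => $lol] as $label => $xml) {
    try {
        echo "[{$label}] ", upload_crime_report($xml), "\n";
    } catch (Exception $e) {
        echo "[{$label}] rejected: ", $e->getMessage(), "\n";
    }
}
```

Only the intended document reaches the parser; both payloads are refused by the DOCTYPE check before libxml2 sees them, which is the point of doing the checks in that order. The check is deliberately blunt: a service that legitimately needs a DOCTYPE cannot use it and has to rely on the parser options and the size cap instead. Also keep in mind that on a current PHP (8.x, libxml2 2.9 or later) the XXE document would not be expanded even without the check, because external entity loading is off by default, while older stacks, the ones the slides were written against, substituted it silently.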
Page 36
XXE / XEE Demo
Watch it from minute 25 here: https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
(NOTE: Wait for the video to fully load first)
Page 37
Thank you!
Armando Romeo armando@elearnsecurity.com
Abraham Aranguren abraham@elearnsecurity.com