XXE Exposed
XML eXternal Entity vulnerabilities
Armando Romeo – Abraham Aranguren
eLearnSecurity SRL
www.elearnsecurity.com
Page 2
MENU
Introduction
DEMO
Q/A + Surprise
Page 3
Meet our author Abraham Aranguren
Project founder and leader of OWASP OWTF
7+ years in Web App Security research and consulting
Speaker at top European IT Security events
Co-creator of VSA along with Mario Heiderich and Gareth Heyes
Author of Practical Web Defense
The most comprehensive training course on web app security
Launched in November 2013
Presenter
Page 4
Agenda
Web Service Types
SQLi on Web Services
XSS on Web Services
XXE / XEE on Web Services
XXE / XEE Demo
Q & A
Page 5
Major Web Service Types:
Web Service Types
Abbreviation   Stands for
XML-RPC        XML Remote Procedure Call
JSON-RPC       JSON Remote Procedure Call
SOAP           Simple Object Access Protocol
REST           Representational State Transfer
BPEL           Business Process Execution Language
WCF            Windows Communication Foundation
More in-depth examples, labs, videos, etc. on:
«Practical Web Defense»
https://www.elearnsecurity.com/PWD
Page 6
Basic Example:
• «Find a player web service»
• Web service returns matches from a database
Web Service Example
“Web service client” sends the Request. Message: “Find a player”
Web service server:
1) Search player
2) Return matches
Web service server sends the Response. Message: “Player matches”
Page 7
In this webinar:
• Web service = Process request + Return response
• Web service = «the function», «find a player»
• Web service type = «the envelope», «HOW to call the function»
• Vulnerabilities are often in «the function»:
IF SO, Web Service attacks work against ALL types
NOT in this webinar:
• Vulnerabilities can also be in processing of «the envelope»
http://www.ws-attacks.org/
Web Service Types
Page 8
“Find a player” in “XML-RPC speak”
XML-RPC Request Example
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>Simon</string>
</value>
</param>
</params>
</methodCall>
Page 9
“Find a Player” in “JSON-RPC speak”
JSON-RPC Request Example
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer",
"params": [ "Simon" ],
"id": 1
}
Page 10
“Find a Player” in “SOAP speak”
SOAP Request Example
POST /soap_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
xmlns:enc="http://www.w3.org/2003/05/soap-encoding"
xmlns:ns1="http://example.com/soap_web_service"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<ns1:FindPlayer
env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
<name xsi:type="xsd:string">Simon</name>
</ns1:FindPlayer>
</env:Body>
</env:Envelope>
Page 11
«Find a Player» in «RESTful speak»
RESTful Request Example
GET /restful_web_service/Find_player/Simon HTTP/1.1
Host: example.com
...
Page 12
For our purposes:
• The function can be the same:
«Find a Player»
• The attacks can be the same:
SQLi, XSS, XXE, etc.
• What changes is «the envelope»:
«How to invoke the function»
In our example:
«HOW to call the web service to find a player»
Web Service Types: Summary
Page 13
Definitions:
SQLi = SQL Injection
XSS = Cross Site Scripting
XXE = XML eXternal Entity
What do SQLi, XSS and XXE have in common?
• They are all «Injection» attacks
• Injection attacks = Number 1 Web Risk
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
Usual culprits:
• String concatenations
• XML parsers
• Home rolled parsers
SQLi, XSS and XXE?
Page 14
SQL Injection (SQLi) 101:
• User input can change the SQL query
• «input» is «injected» into the «SQL query»
• Usually due to string concatenations:
«SELECT ... WHERE id = input»
SQL Injection on Web Services:
• Usually the same as SQLi on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
SQLi on Web Services
Page 15
SQLi: XML-RPC Web Service
Page 16
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>Simon</string>
</value>
</param>
</params>
</methodCall>
SQLi: Legit XML-RPC Request
Page 17
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>FindPlayer</methodName>
<params>
<param>
<value>
<string>
zz&apos; union all ...
</string>
</value>
</param>
</params>
</methodCall>
SQLi: XML-RPC SQLi Attack
Page 18
Query:
NOTE: String concatenation!
SELECT * FROM players WHERE name LIKE '%{$player}%'
Intended usage:
• Player: Simon
• XML-RPC call snippet:
<string>Simon</string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%Simon%'
SQLi attack:
• Player: zz' union all ...
• XML-RPC call snippet:
NOTE: XML-encoded single quote (') = &apos;
<string>zz&apos; union all ... </string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
SQLi: XML-RPC Explanation
Page 19
Usual SQLi Impact:
• The attacker can run arbitrary SQL code
• Dumping the whole database, sometimes code execution, etc.
Root cause: Code + Data = Code
• Code: SELECT * FROM players WHERE name LIKE '%%'
• + Data (i.e. user input): $player
• = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
• «Data» is executed as «Code» (All Injection attacks work like this)
How to fix: Separate «code» from «data» as aggressively as possible
• BEST: Bind variables aka «Parameterized queries». Always do this if you can!
• 2nd BEST: Escaping. Sometimes the only option (think legacy), be careful
• 3rd BEST: Strict validation. Only do this in addition to binding/escaping
• More info:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
SQLi Mitigation: Basics
Page 20
REMEMBER: Bind variables > Escaping
IF you have to use escaping make sure that:
1) you use the DBMS function for that:
i.e. Escape MySQL using a MySQL-specific function, etc.
AND
2) You put quotes around the value you are escaping!
Our example:
Could be fixed, using escaping, like:
SQLi Mitigation: On Escaping
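Added example, not the slides' own code: the «Find a player» query from the XML-RPC explanation, built by concatenation, with a bind variable, and with the driver's escaping function, covering both «SQLi Mitigation: Basics» and «On Escaping». It assumes PHP with the pdo_sqlite and SimpleXML extensions; the in-memory table, its rows, the helper names and the second request body are constructed.

```php
<?php
// Added example, not code from the slides. The table, its rows and both request
// bodies are constructed; only the query text and FindPlayer come from the deck.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE players (name TEXT)");
$db->exec("INSERT INTO players (name) VALUES ('Simon'), ('Joey'), ('Anna')");

// Build an XML-RPC call around an already XML-encoded parameter value.
function xmlrpc_call(string $encoded_player): string
{
    return '<?xml version="1.0" encoding="UTF-8"?>'
        . '<methodCall><methodName>FindPlayer</methodName><params><param><value>'
        . "<string>{$encoded_player}</string>"
        . '</value></param></params></methodCall>';
}

// "The envelope": the XML parser turns &apos; back into ' before
// "the function" ever sees the value.
function player_from_xmlrpc(string $body): string
{
    $call = simplexml_load_string($body);
    if ($call === false) {
        throw new InvalidArgumentException('Malformed XML-RPC request');
    }
    return trim((string) $call->params->param->value->string);
}

// Vulnerable: the slide's query, built by string concatenation.
function find_player_concat(PDO $db, string $player): array
{
    $sql = "SELECT name FROM players WHERE name LIKE '%{$player}%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// BEST: bind variable. The SQL text is constant; the input travels only as data.
function find_player_bound(PDO $db, string $player): array
{
    $stmt = $db->prepare("SELECT name FROM players WHERE name LIKE ?");
    $stmt->execute(['%' . $player . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 2nd BEST: escaping with the driver's own function. PDO::quote() escapes for
// the connected DBMS and also puts the quotes around the value.
function find_player_escaped(PDO $db, string $player): array
{
    $sql = "SELECT name FROM players WHERE name LIKE " . $db->quote('%' . $player . '%');
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

$requests = [
    'intended'    => xmlrpc_call('Simon'),
    // Constructed test input: closes the string literal and appends a condition.
    'constructed' => xmlrpc_call('zz&apos; OR &apos;%&apos;=&apos;'),
];

foreach ($requests as $label => $body) {
    $player = player_from_xmlrpc($body);
    printf("%s: player=%s\n", $label, $player);
    printf("  concatenated: %s\n", json_encode(find_player_concat($db, $player)));
    printf("  bound:        %s\n", json_encode(find_player_bound($db, $player)));
    printf("  escaped:      %s\n", json_encode(find_player_escaped($db, $player)));
}
```

With the constructed input the concatenated query matches every row, while the bound and escaped variants treat the whole value as one LIKE pattern and match none.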
Page 21
XSS Intro
Three major types of XSS:
• (Server-Side) Reflected:
The XSS payload is displayed back from the request
• (Server-Side) Stored:
The XSS payload is
1) Stored (i.e. in a DB)
2) Displayed back
• (JavaScript-Side) DOM-based:
The XSS payload is evaluated as JavaScript, from JavaScript code
Cross Site Scripting (XSS) 101:
• User input can change the HTML page OR JavaScript
• «input» is «injected» into the «Page»
• Run JavaScript under «victim domain» = session hijacking, etc.
• Usually due to string concatenations:
«<html><body>....input...</body></html>»
Page 22
XSS against RESTful web services can sometimes be like XSS on web apps:
XSS on RESTful Web Services
Page 23
XSS on RESTful Web Services
Proof of concept:
XSS=$(php -r "echo urlencode('<svg onload=alert(1)>');")
curl -i "http://localhost/findplayer/$XSS"
OR directly:
http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E
Returns:
HTTP/1.1 200 OK
..
Content-Type: text/html
Your search: <svg onload=alert(1)>Matches: ...
NOTE:
Content-Type != text/html on SOAP, XML-RPC, JSON-RPC .. usually ☺
Page 24
But, more commonly, XSS on Web Services happens in two stages:
1) The web service saves the data: NOT the problem
2) The data is displayed (insecurely) by a web app: THE problem
XSS on Web Services:
• Usually the same as Persistent XSS on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
XSS on most Web Services
Page 25
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer",
"params": [ "Simon" ],
"id": 1
}
JSON-RPC Request Example
Page 26
NOTE: Encode according to «the envelope», JSON-RPC = JSON encode
XSS=$(php -r "echo json_encode('<svg onload=alert(1)>');");
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer",
"params": [ "<svg onload=alert(1)>" ],
"id": 1
}
JSON-RPC XSS Attack
Page 27
XSS Mitigation
XSS Mitigation 101:
• Solution != Validation (i.e. Business requires «risky» characters, etc.)
• Solution = Output Encoding in the right context
• ALWAYS use validation in addition to output encoding.
• As with all Injection attacks, the problem is when:
Code + Input = Code
• Usual culprit aka “right place to fix”
String concatenations on code that renders/builds HTML/JavaScript
NOTE: Usually on the web app, rarely on the web service.
• More info (recommended reading):
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Page 28
XSS Mitigation Example
XSS Mitigation 101 = Output Encoding in the right context, using the relevant platform function for that purpose, i.e. htmlentities() in PHP.
Vulnerable example:
Fixed example (in this context!):
Safe Output:
Your search: &lt;svg onload=alert(1)&gt; Matches: ...
Unsafe Output:
Your search: <svg onload=alert(1)> Matches: ...
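Added example, not the slides' own code: the value delivered by the JSON-RPC request above, displayed by a web app in several output contexts, each with the PHP encoder that fits that context. The helper names and the page fragments are constructed for illustration.

```php
<?php
// Added example, not code from the slides. Stage 1 is the deck's JSON-RPC
// request; the fragments rendered in stage 2 are constructed.
$request = '{"method": "FindPlayer", "params": ["<svg onload=alert(1)>"], "id": 1}';
$player  = json_decode($request, true, 8, JSON_THROW_ON_ERROR)['params'][0];

// HTML element content and quoted attribute values.
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A JavaScript string literal inside an inline <script> block. The HEX flags
// keep <, >, &, ' and " out of the output so the literal cannot end the
// script element or the string.
function js_string(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// One path segment of a URL.
function url_segment(string $s): string
{
    return rawurlencode($s);
}

$fragments = [
    // Vulnerable: string concatenation into HTML, as on the slide.
    'unsafe HTML body' => "Your search: {$player} Matches: ...",
    // Fixed, one encoder per context:
    'HTML body'        => 'Your search: ' . html_text($player) . ' Matches: ...',
    'HTML attribute'   => '<input name="q" value="' . html_text($player) . '">',
    'inline script'    => '<script>var q = ' . js_string($player) . ';</script>',
    // URL-encode for the path first, then HTML-encode for the attribute it sits in.
    'URL in attribute' => '<a href="/findplayer/' . html_text(url_segment($player)) . '">again</a>',
];

foreach ($fragments as $context => $html) {
    printf("%-17s %s\n", $context . ':', $html);
}
```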
Page 29
XXE / XEE Intro
XML Entity (XXE / XEE) attacks 101:
• User input can change the parsed XML, «the XML the app will see»
• «input» is «injected» into the «parsed XML»
• Usually due to a default XML parser feature:
XML (External / Inline) Entities
Two major types of attacks:
• XXE = Path Traversal = Read system files, source code, etc.
• XEE = Denial of Service = Crash the web server
Interesting attack variants:
• Internal network HTTP requests
• PHP / Java wrappers
• Remote Code Execution (RCE) in some edge cases
• Etc.
Page 30
XXE / XEE = Subtle issues
XXE / XEE = Attacks against the XML parser, the code might «look safe»
Scenario:
An NGO builds a «crime report» web service, this allows people to report
government abuse crimes anonymously.
Code:
Page 31
XEE attack: XML File
XEE = XML Entity Expansion = Denial of Service (DoS) attack
Amplified XEE: «The billion laughs attack» / «recursive entity expansion»
XML File:
It will take … 687 GB of RAM to parse this document ..
Recommended watching: http://vimeo.com/73255656
Page 32
Intended XML File
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output:
Uploading Crime Report: Joey is guilty..
Page 33
XXE attack: XML File
XXE = External Entity attack = Path Traversal = Read files, etc.
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output: «summary» = «/etc/passwd» via XML parser!
Uploading Crime Report: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….
Page 34
XXE / XEE: Mitigation
XXE and XEE attacks mitigation 101:
• Disable external entities
• Disable DOCTYPE declarations
• Prefer SAX over DOM parsers
• Validate XML files against schemas
• More info (recommended reading, especially links at the end):
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Page 35
XXE / XEE: Mitigation example
Vulnerable:
$xml = simplexml_load_string($request->getBody());
Fixed:
NOTE: Do ALL this before parsing
$xml_string = $request->getBody();
//Fix 1) Disable External Entities: Fixes XXE and *some* XEE
//(deprecated as of PHP 8.0, where external entity loading is disabled by default)
libxml_disable_entity_loader(true);
//Fix 2) Limit overall XML size: IMPORTANT before Fix 3)
if (strlen($xml_string) > (1024 * 5))
    die('Sorry, we do not support XML files greater than 5 KBs');
//Fix 3) Forbid DOCTYPE declarations: Fixes XXE and XEE
if (preg_match("/<!DOCTYPE/i", preg_replace("/\s/", '', $xml_string)))
    die('Unsupported XML file, sorry');
//NOW we can parse the XML safely ☺
$xml = simplexml_load_string($xml_string);
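Added example, not the presenters' code: the three fixes above wrapped in one function that throws instead of calling die(), runs on PHP 7 and PHP 8, and repeats the DOCTYPE check on the parsed document so that it does not depend on how the bytes were encoded. The function name, the «report» root element and the three sample documents are constructed; it assumes the DOM and SimpleXML extensions.

```php
<?php
// Added example, not code from the slides. Function name, root element name
// and sample documents are constructed for illustration.
const MAX_XML_BYTES = 5 * 1024; // the slide's 5 KB limit

function parse_untrusted_xml(string $xml_string): SimpleXMLElement
{
    // Fix 2: bound the input before any other work is done on it.
    if (strlen($xml_string) > MAX_XML_BYTES) {
        throw new InvalidArgumentException('XML larger than 5 KB');
    }
    // Fix 3, byte level: cheap rejection before the parser runs.
    if (preg_match('/<!DOCTYPE/i', $xml_string)) {
        throw new InvalidArgumentException('DOCTYPE not allowed');
    }
    // Fix 1: the call is deprecated from PHP 8.0 on, so use it only on older runtimes.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true); // collect parse errors, emit no warnings
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
        // deliberately NOT passed: that flag turns entity substitution ON.
        if (!$dom->loadXML($xml_string, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML');
        }
        // Fix 3, parser level: reject any document type node the parser saw,
        // whatever encoding the request body used.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE not allowed');
            }
        }
        return simplexml_import_dom($dom);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample documents.
$samples = [
    'intended report' => '<report><summary>Joey is guilty</summary></report>',
    'with DOCTYPE'    => '<!DOCTYPE report [<!ENTITY who "Joey">]>'
                       . '<report><summary>&who; is guilty</summary></report>',
    'oversized'       => '<report><summary>' . str_repeat('A', MAX_XML_BYTES)
                       . '</summary></report>',
];

foreach ($samples as $label => $xml_string) {
    try {
        $xml = parse_untrusted_xml($xml_string);
        echo "{$label}: Uploading Crime Report: {$xml->summary}..\n";
    } catch (InvalidArgumentException $e) {
        echo "{$label}: rejected ({$e->getMessage()})\n";
    }
}
```

Only the intended report is parsed; the other two documents are rejected before their content reaches the application.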
Page 36
XXE / XEE Demo
XXE / XEE
DEMO
Watch it from minute 25 here:
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
(NOTE: Wait for the video to fully load first)
Page 37
Thank you!
Armando Romeo
armando@elearnsecurity.com
Abraham Aranguren
abraham@elearnsecurity.com
Legal and efficient web app testing without permission
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
 

Kürzlich hochgeladen

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services

  • 1. XXE Exposed
    XML eXternal Entity vulnerabilities
    Armando Romeo – Abraham Aranguren
    eLearnSecurity SRL
    www.elearnsecurity.com
  • 3. Page 3 Meet our author (Presenter)
    Abraham Aranguren
    • Project founder and leader of OWASP OWTF
    • 7+ years in Web App Security research and consulting
    • Speaker at top European IT Security events
    • Co-creator of VSA along with Mario Heiderich and Gareth Heyes
    • Author of Practical Web Defense
      The most comprehensive training course on web app security
      Launched in November 2013
  • 4. Page 4 Agenda
    Web Service Types
    SQLi on Web Services
    XSS on Web Services
    XXE / XEE on Web Services
    XXE / XEE Demo
    Q & A
  • 5. Page 5 Web Service Types
    Major Web Service Types:
        Abbreviation   Stands for
        XML-RPC        XML Remote Procedure Call
        JSON-RPC       JSON Remote Procedure Call
        SOAP           Simple Object Access Protocol
        REST           Representational State Transfer
        BPEL           Business Process Execution Language
        WCF            Windows Communication Foundation
    More in-depth examples, labs, videos, etc. on: «Practical Web Defense» https://www.elearnsecurity.com/PWD
  • 6. Page 6 Web Service Example
    Basic Example:
    • «Find a player web service»
    • Web service returns matches from a database
    Request: the “Web service client” sends Message: “Find a player”
    Web service server: 1) Search player 2) Return matches
    Response: the Web service server returns Message: “Player matches”
  • 7. Page 7 Web Service Types
    In this webinar:
    • Web service = Process request + Return response
    • Web service = «the function», «find a player»
    • Web service type = «the envelope», «HOW to call the function»
    • Vulnerabilities are often in «the function»: IF SO, Web Service attacks work against ALL types
    NOT in this webinar:
    • Vulnerabilities can also be in processing of «the envelope»: http://www.ws-attacks.org/
  • 8. Page 8 XML-RPC Request Example
    “Find a player” in “XML-RPC speak”
        POST /xml_rpc_web_service HTTP/1.1
        Host: example.com
        ...
        <?xml version="1.0" encoding="UTF-8"?>
        <methodCall>
          <methodName>FindPlayer</methodName>
          <params>
            <param>
              <value>
                <string>Simon</string>
              </value>
            </param>
          </params>
        </methodCall>
  • 9. Page 9 JSON-RPC Request Example
    “Find a Player” in “JSON-RPC speak”
        POST /json_rpc_web_service HTTP/1.1
        Host: example.com
        ...
        {
          "method": "FindPlayer",
          "params": [ "Simon" ],
          "id": 1
        }
  • 10. Page 10 SOAP Request Example
    “Find a Player” in “SOAP speak”
        POST /soap_web_service HTTP/1.1
        Host: example.com
        ...
        <?xml version="1.0" encoding="UTF-8"?>
        <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
                      xmlns:enc="http://www.w3.org/2003/05/soap-encoding"
                      xmlns:ns1="http://example.com/soap_web_service"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <env:Body>
            <ns1:FindPlayer env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
              <name xsi:type="xsd:string">Simon</name>
            </ns1:FindPlayer>
          </env:Body>
        </env:Envelope>
  • 11. Page 11 RESTful Request Example
    «Find a Player» in «RESTful speak»
        GET /restful_web_service/Find_player/Simon HTTP/1.1
        Host: example.com
        ...
  • 12. Page 12 Web Service Types: Summary
    For our purposes:
    • The function can be the same: «Find a Player»
    • The attacks can be the same: SQLi, XSS, XXE, etc.
    • What changes is «the envelope»: «How to invoke the function»
    In our example: «HOW to call the web service to find a player»
  • 13. Page 13 SQLi, XSS and XXE?
    Definitions:
    SQLi = SQL Injection
    XSS = Cross Site Scripting
    XXE = XML eXternal Entity
    What do SQLi, XSS and XXE have in common?
    • They are all «Injection» attacks
    • Injection attacks = Number 1 Web Risk: https://www.owasp.org/index.php/Top_10_2013-A1-Injection
    Usual culprits:
    • String concatenations
    • XML parsers
    • Home rolled parsers
  • 14. Page 14 SQLi on Web Services
    SQL Injection (SQLi) 101:
    • User input can change the SQL query
    • «input» is «injected» into the «SQL query»
    • Usually due to string concatenations: «SELECT ... WHERE id = input»
    SQL Injection on Web Services:
    • Usually the same as SQLi on Web Applications.
    • Difference = Attack encoded according to «the envelope»
      Why? Break XML/JSON = Web Service cannot see/process the message
    REMEMBER: Encoding is easy ☺ https://hackvertor.co.uk/public
  • 15. Page 15 SQLi: XML-RPC Web Service
  • 16. Page 16 SQLi: Legit XML-RPC Request
        POST /xml_rpc_web_service HTTP/1.1
        Host: example.com
        ...
        <?xml version="1.0" encoding="UTF-8"?>
        <methodCall><methodName>FindPlayer</methodName>
          <params>
            <param>
              <value>
                <string>Simon</string>
              </value>
            </param>
          </params>
        </methodCall>
  • 17. Page 17 SQLi: XML-RPC SQLi Attack
        POST /xml_rpc_web_service HTTP/1.1
        Host: example.com
        ...
        <?xml version="1.0" encoding="UTF-8"?>
        <methodCall><methodName>FindPlayer</methodName>
          <params>
            <param>
              <value>
                <string> zz&apos; union all ... </string>
              </value>
            </param>
          </params>
        </methodCall>
  • 18. Page 18 SQLi: XML-RPC Explanation
    Query (NOTE: String concatenation!):
        SELECT * FROM players WHERE name LIKE '%{$player}%'
    Intended usage:
    • Player: Simon
    • XML-RPC call snippet: <string>Simon</string>
    • Query becomes: SELECT * FROM players WHERE name LIKE '%Simon%'
    SQLi attack:
    • Player: zz' union all ...
    • XML-RPC call snippet (NOTE: XML-encoded single quote (') = &apos;): <string>zz&apos; union all ... </string>
    • Query becomes: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
  • 19. Page 19 SQLi Mitigation: Basics
    Usual SQLi Impact:
    • The attacker can run arbitrary SQL code
    • Dumping the whole database, sometimes code execution, etc.
    Root cause: Code + Data = Code
    • Code: SELECT * FROM players WHERE name LIKE '%%'
    • + Data (i.e. user input): $player
    • = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
    • «Data» is executed as «Code» (All Injection attacks work like this)
    How to fix: Separate «code» from «data» as aggressively as possible
    • BEST: Bind variables aka «Parameterized queries». Always do this if you can!
    • 2nd BEST: Escaping. Sometimes the only option (think legacy), be careful
    • 3rd BEST: Strict validation. Only do this in addition to binding/escaping
    • More info: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  • 20. Page 20 SQLi Mitigation: On Escaping
    REMEMBER: Bind variables > Escaping
    IF you have to use escaping make sure that:
    1) You use the DBMS function for that, i.e. escape MySQL using a MySQL-specific function, etc. AND
    2) You put quotes around the value you are escaping!
    Our example: Could be fixed, using escaping, like:
  • 21. Page 21 XSS Intro
    Three major types of XSS:
    • (Server-Side) Reflected: The XSS payload is displayed back from the request
    • (Server-Side) Stored: The XSS payload is 1) stored, i.e. in a DB, 2) displayed back
    • (JavaScript-Side) DOM-based: The XSS payload is evaluated as JavaScript, from JavaScript code
    Cross Site Scripting (XSS) 101:
    • User input can change the HTML page OR JavaScript
    • «input» is «injected» into the «Page»
    • Run JavaScript under «victim domain» = session hijacking, etc.
    • Usually due to string concatenations: «<html><body>....input...</body></html>»
  • 22. Page 22 XSS against RESTful web services can sometimes be like XSS on web apps: XSS on RESTful Web Services
  • 23. Page 23 XSS on RESTful Web Services
    Proof of concept:
        XSS=$(php -r 'echo urlencode("<svg onload=alert(1)>");')
        curl -i "http://localhost/findplayer/$XSS"
    OR directly:
        http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E
    Returns:
        HTTP/1.1 200 OK
        ..
        Content-Type: text/html
        Your search: <svg onload=alert(1)>Matches: ...
    NOTE: Content-Type != text/html on SOAP, XML-RPC, JSON-RPC .. usually ☺
  • 24. Page 24 XSS on most Web Services
    But, more commonly, XSS on Web Services happens in two stages:
    1) The web service saves the data (NOT the problem)
    2) The data is displayed (insecurely) by a web app (THE problem)
    XSS on Web Services:
    • Usually the same as Persistent XSS on Web Applications.
    • Difference = Attack encoded according to «the envelope»
      Why? Break XML/JSON = Web Service cannot see/process the message
    REMEMBER: Encoding is easy ☺ https://hackvertor.co.uk/public
  • 25. Page 25 JSON-RPC Request Example
        POST /json_rpc_web_service HTTP/1.1
        Host: example.com
        ...
        {
          "method": "FindPlayer",
          "params": [ "Simon" ],
          "id": 1
        }
  • 26. Page 26 JSON-RPC XSS Attack
    NOTE: Encode according to «the envelope», JSON-RPC = JSON encode
        XSS=$(php -r 'echo json_encode("<svg onload=alert(1)>");')
        POST /json_rpc_web_service HTTP/1.1
        Host: example.com
        ...
        {
          "method": "FindPlayer",
          "params": [ "<svg onload=alert(1)>" ],
          "id": 1
        }
  • 27. Page 27 XSS Mitigation
    XSS Mitigation 101:
    • Solution != Validation (i.e. Business requires «risky» characters, etc.)
    • Solution = Output Encoding in the right context
    • ALWAYS use validation in addition to output encoding.
    • As with all Injection attacks, the problem is when: Code + Input = Code
    • Usual culprit aka “right place to fix”: String concatenations on code that renders/builds HTML/JavaScript
      NOTE: Usually on the web app, rarely on the web service.
    • More info (recommended reading): https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • 28. Page 28 XSS Mitigation Example
    XSS Mitigation 101 = Output Encoding in the right context, using the relevant platform function for that purpose, i.e. htmlentities in PHP.
    Vulnerable example:
    Fixed example (in this context!):
    Safe Output:
        Your search: &lt;svg onload=alert(1)&gt; Matches: ...
    Unsafe Output:
        Your search: <svg onload=alert(1)> Matches: ...
  • 29. Page 29 XXE / XEE Intro
    XML Entity (XXE / XEE) attacks 101:
    • User input can change the parsed XML, «the XML the app will see»
    • «input» is «injected» into the «parsed XML»
    • Usually due to a default XML parser feature: XML (External / Inline) Entities
    Two major types of attacks:
    • XXE = Path Traversal = Read system files, source code, etc.
    • XEE = Denial of Service = Crash the web server
    Interesting attack variants:
    • Internal network HTTP requests
    • PHP / Java wrappers
    • Remote Code Execution (RCE) in some edge cases
    • Etc.
  • 30. Page 30 XXE / XEE = Subtle issues
    XXE / XEE = Attacks against the XML parser, the code might «look safe»
    Scenario: An NGO builds a «crime report» web service that allows people to report government abuse crimes anonymously.
    Code:
  • 31. Page 31 XEE attack XML File
    XEE = XML Entity Expansion = Denial of Service (DoS) attack
    Amplified XEE: «The billion laughs attack» / «recursive entity expansion»
    XML File:
    It will take … 687 GB of RAM to parse this document ..
    Recommended watching: http://vimeo.com/73255656
  • 32. Page 32 Intended XML File
    XML File:
    Web Service Code:
        echo "Uploading Crime Report: {$xml->summary}..";
    Web Service Output:
        Uploading Crime Report: Joey is guilty..
  • 33. Page 33 XXE attack XML File
    XXE = External Entity attack = Path Traversal = Read files, etc.
    XML File:
    Web Service Code:
        echo "Uploading Crime Report: {$xml->summary}..";
    Web Service Output («summary» = «/etc/passwd» via XML parser!):
        Uploading Crime Report: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….
  • 34. Page 34 XXE / XEE: Mitigation
    XXE and XEE attacks mitigation 101:
    • Disable external entities
    • Disable DOCTYPE declarations
    • Prefer SAX over DOM parsers
    • Validate XML files against schemas
    • More info (recommended reading, especially links at the end): https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
  • 35. Page 35 XXE / XEE: Mitigation example
    Vulnerable:
        $xml = simplexml_load_string($request->getBody());
    Fixed (NOTE: Do ALL this before parsing):
        // Raw, untrusted request body
        $xml_string = $request->getBody();
        // Fix 1) Disable External Entities: Fixes XXE and *some* XEE
        // (deprecated since PHP 8.0, where libxml 2.9+ no longer loads external entities by default)
        libxml_disable_entity_loader(true);
        // Fix 2) Limit overall XML size: IMPORTANT before Fix 3)
        if (strlen($xml_string) > (1024 * 5))
            die('Sorry, we do not support XML files greater than 5 KBs');
        // Fix 3) Forbid DOCTYPE declarations: Fixes XXE and XEE
        // (whitespace is stripped first, then the remainder is searched for "<!DOCTYPE")
        if (preg_match("/<!DOCTYPE/i", preg_replace("/\s/", '', $xml_string)))
            die('Unsupported XML file, sorry');
        // NOW we can parse the XML safely ☺
        $xml = simplexml_load_string($xml_string);
  • 36. Page 36 XXE / XEE Demo XXE / XEE DEMO Watch it from minute 25 here: https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/ (NOTE: Wait for the video to fully load first)
  • 37. Page 37 Thank you!
    Armando Romeo armando@elearnsecurity.com
    Abraham Aranguren abraham@elearnsecurity.com
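
Slides 18 to 20 name bind variables as the best SQLi fix but show no code for it. The following is an added example, not code from the slides: it runs the slide 18 query both concatenated and with a bind variable. The in-memory SQLite table, the sample rows and both function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the slides. The in-memory SQLite table, the
// sample rows and both function names are constructed for illustration.

function find_player_concatenated(PDO $db, string $player): array
{
    // Slide 18 pattern: user input becomes part of the SQL text.
    $sql = "SELECT name FROM players WHERE name LIKE '%{$player}%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function find_player_bound(PDO $db, string $player): array
{
    // LIKE wildcards typed by the user are data too: escape % and _ (and the
    // escape character itself) so they only ever match literally.
    $pattern = '%' . addcslashes($player, '%_\\') . '%';
    // The SQL text is fixed; the value travels separately as a bind variable.
    $stmt = $db->prepare("SELECT name FROM players WHERE name LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (name TEXT)');
$insert = $db->prepare('INSERT INTO players (name) VALUES (?)');
foreach (['Simon', "Sinead O'Connor", '100%_real'] as $name) {
    $insert->execute([$name]);
}

// Values as the web service sees them after the XML parser has decoded the
// envelope (&apos; is already a plain single quote at this point).
$inputs = [
    'Simon',              // intended usage from slide 18
    "O'Connor",           // legitimate value that contains a quote
    "zz' union all ...",  // attack string exactly as printed on slide 18
    '%',                  // LIKE wildcard supplied as input
];

foreach ($inputs as $player) {
    try {
        $concatenated = json_encode(find_player_concatenated($db, $player));
    } catch (PDOException $e) {
        // The quote ended the string literal early, so the input was parsed as SQL.
        $concatenated = 'SQL error (input was parsed as SQL)';
    }
    $bound = json_encode(find_player_bound($db, $player));
    printf("%-20s concatenated: %-38s bound: %s\n", $player, $concatenated, $bound);
}
```

With the bind variable, a quote in the input is matched as an ordinary character and never reaches the SQL parser as syntax.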
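
Slides 27 and 28 call for output encoding in the right context, but the vulnerable and fixed snippets did not survive on the page. The following is an added example, not code from the slides: a value that arrived through the JSON-RPC envelope is encoded separately for HTML text, an HTML attribute and an inline script. The function names and the page layout are assumptions made for illustration.

```php
<?php
// Added example, not code from the slides. html_text(), js_literal() and
// render_search_page() are hypothetical helpers written for this illustration.

function html_text(string $value): string
{
    // HTML body and quoted-attribute context: encode & < > " and '.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function js_literal(string $value): string
{
    // Inline <script> context: emit a JSON string literal and hex-escape the
    // characters that could close the script element or the literal.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function render_search_page(string $search, array $matches): string
{
    $items = '';
    foreach ($matches as $match) {
        // Stored data is encoded too: it may have been saved by a web service.
        $items .= '<li>' . html_text($match) . '</li>';
    }
    return '<p>Your search: ' . html_text($search) . '</p>' . "\n"
         . '<input name="q" value="' . html_text($search) . '">' . "\n"
         . '<ul>' . $items . '</ul>' . "\n"
         . '<script>var lastSearch = ' . js_literal($search) . ';</script>' . "\n";
}

// Constructed JSON-RPC body carrying the test string from slide 26.
$request = '{"method": "FindPlayer", "params": ["<svg onload=alert(1)>"], "id": 1}';

// Decoding the envelope returns the raw string: JSON encoding protected the
// message format, not the page that later displays the value.
$call = json_decode($request, true, 16, JSON_THROW_ON_ERROR);
$search = (string) $call['params'][0];

echo render_search_page($search, ['Simon', $search]);
```

The same input yields `&lt;svg onload=alert(1)&gt;` in the HTML positions and a `\u003C`-escaped string literal inside the script element.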
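
The mitigation list on slides 34 and 35 can be wrapped into one function that rejects a report instead of calling die(). The following is an added example, not code from the slides; it assumes PHP 8 or later with libxml 2.9+, and parse_crime_report(), the `<report>`/`<summary>` layout and the sample reports are constructed for illustration.

```php
<?php
// Added example, not code from the slides. Assumes PHP 8+ (libxml 2.9+).
// parse_crime_report() and the <report>/<summary> layout are hypothetical.

const MAX_XML_BYTES = 5 * 1024; // same 5 KB ceiling as slide 35

function parse_crime_report(string $xml_string): SimpleXMLElement
{
    // 1) Size limit first, so the later checks never scan a huge body.
    if ($xml_string === '' || strlen($xml_string) > MAX_XML_BYTES) {
        throw new LengthException('Empty report or XML larger than 5 KB');
    }
    // 2) Byte-level DOCTYPE check, as on slide 35.
    if (preg_match('/<!DOCTYPE/i', preg_replace('/\s/', '', $xml_string))) {
        throw new DomainException('DOCTYPE declarations are not accepted');
    }
    // 3) Parse without LIBXML_NOENT or LIBXML_DTDLOAD, so entities are not
    //    substituted and no DTD is loaded; LIBXML_NONET forbids network access.
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $parsed = $dom->loadXML($xml_string, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$parsed) {
        throw new DomainException('Malformed XML');
    }
    // 4) Ask the parser as well: its view of the document does not depend on
    //    how the bytes were encoded, unlike the pattern match in step 2.
    if ($dom->doctype !== null) {
        throw new DomainException('DOCTYPE declarations are not accepted');
    }
    // 5) Minimal shape check, standing in for the schema validation that
    //    slide 34 recommends.
    $xml = simplexml_import_dom($dom);
    if ($xml === null || $xml->getName() !== 'report' || !isset($xml->summary)) {
        throw new DomainException('Unexpected document structure');
    }
    return $xml;
}

// Constructed sample reports.
$samples = [
    'intended report' => '<report><summary>Joey is guilty</summary></report>',
    // Internal entity only: harmless, but any DOCTYPE is refused outright.
    'with DOCTYPE'    => '<!DOCTYPE report [<!ENTITY who "Joey">]>'
                       . '<report><summary>&who; is guilty</summary></report>',
    'oversized'       => '<report><summary>' . str_repeat('A', 6000) . '</summary></report>',
    'wrong structure' => '<note>hello</note>',
];

foreach ($samples as $label => $body) {
    try {
        $xml = parse_crime_report($body);
        echo "{$label}: Uploading Crime Report: {$xml->summary}..\n";
    } catch (LengthException | DomainException $e) {
        echo "{$label}: rejected ({$e->getMessage()})\n";
    }
}
```

Only the first sample is accepted; the other three are rejected before any element content is used.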