SlideShare ist ein Scribd-Unternehmen logo

Xxe xml external entity

Als PPTX, PDF herunterladen
heeraj nair
heeraj nair

Cysinfo Talk on XML External Entity Attack

Internet
1 von 28
Web Application Security - Team bi0s © 2017 XXE XML External Entity 25 February 2017 @Team bi0s 1/25 HEERAJ Btech, Third Year, Computer Science Engineering Amrita University
whoami Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Undergraduate Student @ Amrita ➔ Web Security Enthusiast ➔ CTF{flag_seeker} ➔ @heerajnair ➔ ww.i4info.in 2/25
Agenda Web Application Security - Team bi0s © 2017 @Team bi0s ➔Intro to XML & DTD ➔XML Entity ➔Parsing XML ➔Attack Vectors ➔Demo 3/25
XML Web Application Security - Team bi0s © 2017 @Team bi0s ➔EXtensible Markup Language 4/25 Picture:123RF.COM
Where it is used ? Web Application Security - Team bi0s © 2017 @Team bi0s ➔Document Formats ➔Image Formats ➔Configuration Files ➔Network Protocols ➔RSS Feeds … etc . . . 5/25 Picture: c-sharpcorner.com
Document Type Definition Web Application Security - Team bi0s © 2017 @Team bi0s ➔ References an External DTD ➔ Define structure with the list of legal elements 6/25
XML Entity Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Entities help to reduce the entry of repetitive information Output: Writer: Donald Duck. Copyright: bi0s. 7/25
XML Entity Web Application Security - Team bi0s © 2017 @Team bi0s XML Entity Internal Entity External Entity 8/25
Parsing Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Character other than < , > , & , ‘ , “ all are parsable. ➔ PCDATA is text that will be parsed by a parser. ➔ CDATA is text that will not be parsed by a parser. ◆ Ex : <![CDATA[<data>Hello, world!]]> 9/25
Attack’s Possible Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Denial Of Service ➔ Local File Inclusion ➔ SSRF ➔ Internal scans ➔ Rce (Not Always!!!) 10/25
Billion Laughs Attack Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Works by expansion property (Simple code(<1kb) will expand up to 3 gigabytes of memory. 11/25 Website: digitalimprint.com
Attack Vectors Web Application Security - Team bi0s © 2017 @Team bi0s Classic XXE We can view any file which doesn’t contain < , > , & , ‘ , “ as characters. 12/25
13
OFFICE OPEN XML Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Zip archive file containing XML and media files ➔ *.docx , *.xlsx , *.pptx ➔ Developed by Microsoft 14/25
OFFICE OPEN XML Web Application Security - Team bi0s © 2017 @Team bi0s 15/25
OFFICE OPEN XML Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Files in OOXML ◆ /_rels/.rels ◆ [Content_Types].xml ◆ Default Main Document ● /word/document.xml ● /ppt/presentation.xml ● /xl/workbook.xml 16/25
Direct Feedback Channel Web Application Security - Team bi0s © 2017 @Team bi0s What if you are Reading Some configuration files? 17/25
Different Protocols Web Application Security - Team bi0s © 2017 @Team bi0s 18/25 php://filter/convert.base64-encode/resource=/etc/passwd
Direct Feedback Channel Web Application Security - Team bi0s © 2017 @Team bi0s ➔ CDATA very helpful to read web configuration, which contain non parsable characters. But this won’t work !! 19/25
Direct Feedback Channel Web Application Security - Team bi0s © 2017 @Team bi0s 20/25 1. XML Request Parsing Attacker’s Server Host
Direct Feedback Channel Web Application Security - Team bi0s © 2017 @Team bi0s ➔ We have to use Parameter entities ➢ Parameter.dtd 21/25
Out Of Band Channel Web Application Security - Team bi0s © 2017 @Team bi0s 22/25 1. XML Request Parsing Attacker’s Server Host
Out Of Band Channel Web Application Security - Team bi0s © 2017 @Team bi0s ➔ No Direct Feedback Channel 23/25
Demo Web Application Security - Team bi0s © 2017 @Team bi0s XXE Cheat Sheet: http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html 24/25
Solution Web Application Security - Team bi0s © 2017 @Team bi0s ➢ Validation of user input ➢ Turn off external DTD fetching ➢ Disable External Entity Parsing libxml_disable_entity_loader(true);(PHP) 25/25
26
Playing With Content Type Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Server may accept multiple data formats ➔ Results in Json endpoints may be vulnerable to XXE ➔ Content-Type changed to application/xml ➔ JSON has to be converted to XML 27/25
OFFICE OPEN XML Web Application Security - Team bi0s © 2017 @Team bi0s 28/25 Open XML File Container Document Properties Custom Defined XML Comments WordML/ SpreadsheetML etc Embedded Code/Macros Images, Video, Sound Files Charts

Empfohlen

TIBCO BWCE and Netflix' Hystrix Circuit Breaker for Cloud Native Middleware M...
TIBCO BWCE and Netflix' Hystrix Circuit Breaker for Cloud Native Middleware M...TIBCO BWCE and Netflix' Hystrix Circuit Breaker for Cloud Native Middleware M...
TIBCO BWCE and Netflix' Hystrix Circuit Breaker for Cloud Native Middleware M...Kai Wähner
 
canvas fingerprinting,the web never forgets
canvas fingerprinting,the web never forgetscanvas fingerprinting,the web never forgets
canvas fingerprinting,the web never forgetsSri427742
 
When the anonymity ends for darknets - by Denis Makrushin and Maria Garnaeva
When the anonymity ends for darknets - by Denis Makrushin and Maria GarnaevaWhen the anonymity ends for darknets - by Denis Makrushin and Maria Garnaeva
When the anonymity ends for darknets - by Denis Makrushin and Maria GarnaevaEC-Council
 
Ppt kkn 39
Ppt kkn 39Ppt kkn 39
Ppt kkn 39Sri Fatmala
 
333390260 9732-hydraulic-seals-technical-manual
333390260 9732-hydraulic-seals-technical-manual333390260 9732-hydraulic-seals-technical-manual
333390260 9732-hydraulic-seals-technical-manualThriveni Earthmovers Pvt Lmt
 
What Is PRINCE2?
What Is PRINCE2?What Is PRINCE2?
What Is PRINCE2?Edesiri Onatejiroghene Ibru
 
Bmssystem basic-141229052438-conversion-gate02
Bmssystem basic-141229052438-conversion-gate02Bmssystem basic-141229052438-conversion-gate02
Bmssystem basic-141229052438-conversion-gate02manjunatha appaiah
 
XXE - XML External Entity Attack
XXE - XML External Entity Attack XXE - XML External Entity Attack
XXE - XML External Entity Attack Cysinfo Cyber Security Community
 

Empfohlen

TIBCO BWCE and Netflix' Hystrix Circuit Breaker for Cloud Native Middleware M...
TIBCO BWCE and Netflix' Hystrix Circuit Breaker for Cloud Native Middleware M...TIBCO BWCE and Netflix' Hystrix Circuit Breaker for Cloud Native Middleware M...
TIBCO BWCE and Netflix' Hystrix Circuit Breaker for Cloud Native Middleware M...Kai Wähner
 
canvas fingerprinting,the web never forgets
canvas fingerprinting,the web never forgetscanvas fingerprinting,the web never forgets
canvas fingerprinting,the web never forgetsSri427742
 
When the anonymity ends for darknets - by Denis Makrushin and Maria Garnaeva
When the anonymity ends for darknets - by Denis Makrushin and Maria GarnaevaWhen the anonymity ends for darknets - by Denis Makrushin and Maria Garnaeva
When the anonymity ends for darknets - by Denis Makrushin and Maria GarnaevaEC-Council
 
Ppt kkn 39
Ppt kkn 39Ppt kkn 39
Ppt kkn 39Sri Fatmala
 
333390260 9732-hydraulic-seals-technical-manual
333390260 9732-hydraulic-seals-technical-manual333390260 9732-hydraulic-seals-technical-manual
333390260 9732-hydraulic-seals-technical-manualThriveni Earthmovers Pvt Lmt
 
What Is PRINCE2?
What Is PRINCE2?What Is PRINCE2?
What Is PRINCE2?Edesiri Onatejiroghene Ibru
 
Bmssystem basic-141229052438-conversion-gate02
Bmssystem basic-141229052438-conversion-gate02Bmssystem basic-141229052438-conversion-gate02
Bmssystem basic-141229052438-conversion-gate02manjunatha appaiah
 
XXE - XML External Entity Attack
XXE - XML External Entity Attack XXE - XML External Entity Attack
XXE - XML External Entity Attack Cysinfo Cyber Security Community
 
Cas d'usages métiers Letsignit
Cas d'usages métiers LetsignitCas d'usages métiers Letsignit
Cas d'usages métiers LetsignitAnne-Sophie Germain
 
聲寶洗衣機型錄
聲寶洗衣機型錄聲寶洗衣機型錄
聲寶洗衣機型錄julia chuang
 
兒童音樂治療
兒童音樂治療兒童音樂治療
兒童音樂治療Alice Hui-ju Lee
 
EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS
EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS
EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS IAEME Publication
 
Iec 60255 measuring relays and protection equipment
Iec 60255 measuring relays and protection equipmentIec 60255 measuring relays and protection equipment
Iec 60255 measuring relays and protection equipmentPopa Catalina-Elena
 
201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針
201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針
201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針EC-CUBE
 
Cisco Connect Ottawa 2018 data centre security
Cisco Connect Ottawa 2018 data centre securityCisco Connect Ottawa 2018 data centre security
Cisco Connect Ottawa 2018 data centre securityCisco Canada
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityVikram Nandini
 
PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...
PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...
PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...Nicolas Brousse
 
PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...
PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...
PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...Puppet
 
Cisco connect winnipeg 2018 we make it simple
Cisco connect winnipeg 2018 we make it simpleCisco connect winnipeg 2018 we make it simple
Cisco connect winnipeg 2018 we make it simpleCisco Canada
 
VA_InterConnect2017
VA_InterConnect2017VA_InterConnect2017
VA_InterConnect2017Canturk Isci
 
Domain Specific Languages and C++ Code Generation
Domain Specific Languages and C++ Code GenerationDomain Specific Languages and C++ Code Generation
Domain Specific Languages and C++ Code GenerationOvidiu Farauanu
 
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...Cisco Canada
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Denim Group
 
iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術
iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術 iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術
iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術 WAN-HSUAN KUNG
 
Cloud administration
Cloud administrationCloud administration
Cloud administrationAndré Luís Cardoso
 
One Technique, Two Techniques, Red Technique, Blue Technique
One Technique, Two Techniques, Red Technique, Blue TechniqueOne Technique, Two Techniques, Red Technique, Blue Technique
One Technique, Two Techniques, Red Technique, Blue TechniqueDaniel Weiss
 
ibm-zconnect-mule.pdf
ibm-zconnect-mule.pdfibm-zconnect-mule.pdf
ibm-zconnect-mule.pdfLaLa788688
 
Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceOptimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceThousandEyes
 
veeam_vbo365_short_deck.pptx
veeam_vbo365_short_deck.pptxveeam_vbo365_short_deck.pptx
veeam_vbo365_short_deck.pptxFadhilMuhammad80
 
Increasing Productivity with End-User Computing Solutions on AWS
Increasing Productivity with End-User Computing Solutions on AWS Increasing Productivity with End-User Computing Solutions on AWS
Increasing Productivity with End-User Computing Solutions on AWSAmazon Web Services
 

Weitere ähnliche Inhalte

Andere mochten auch

聲寶洗衣機型錄
聲寶洗衣機型錄聲寶洗衣機型錄
聲寶洗衣機型錄julia chuang
 
EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS
EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS
EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS IAEME Publication
 
Iec 60255 measuring relays and protection equipment
Iec 60255 measuring relays and protection equipmentIec 60255 measuring relays and protection equipment
Iec 60255 measuring relays and protection equipmentPopa Catalina-Elena
 
201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針
201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針
201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針EC-CUBE
 

Andere mochten auch (6)

Cas d'usages métiers Letsignit
Cas d'usages métiers LetsignitCas d'usages métiers Letsignit
Cas d'usages métiers Letsignit
 
聲寶洗衣機型錄
聲寶洗衣機型錄聲寶洗衣機型錄
聲寶洗衣機型錄
 
兒童音樂治療
兒童音樂治療兒童音樂治療
兒童音樂治療
 
EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS
EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS
EXPERIMENTAL INVESTIGATION OF SUB SOIL PROFILE USING GIS
 
Iec 60255 measuring relays and protection equipment
Iec 60255 measuring relays and protection equipmentIec 60255 measuring relays and protection equipment
Iec 60255 measuring relays and protection equipment
 
201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針
201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針
201703 EC-CUBE 3.1開発方針説明会:機能カスタマイズ編 01_全体方針
 

Ähnlich wie Xxe xml external entity

Cisco Connect Ottawa 2018 data centre security
Cisco Connect Ottawa 2018 data centre securityCisco Connect Ottawa 2018 data centre security
Cisco Connect Ottawa 2018 data centre securityCisco Canada
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityVikram Nandini
 
PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...
PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...
PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...Nicolas Brousse
 
PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...
PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...
PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...Puppet
 
Cisco connect winnipeg 2018 we make it simple
Cisco connect winnipeg 2018 we make it simpleCisco connect winnipeg 2018 we make it simple
Cisco connect winnipeg 2018 we make it simpleCisco Canada
 
VA_InterConnect2017
VA_InterConnect2017VA_InterConnect2017
VA_InterConnect2017Canturk Isci
 
Domain Specific Languages and C++ Code Generation
Domain Specific Languages and C++ Code GenerationDomain Specific Languages and C++ Code Generation
Domain Specific Languages and C++ Code GenerationOvidiu Farauanu
 
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...Cisco Canada
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Denim Group
 
iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術
iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術 iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術
iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術 WAN-HSUAN KUNG
 
One Technique, Two Techniques, Red Technique, Blue Technique
One Technique, Two Techniques, Red Technique, Blue TechniqueOne Technique, Two Techniques, Red Technique, Blue Technique
One Technique, Two Techniques, Red Technique, Blue TechniqueDaniel Weiss
 
ibm-zconnect-mule.pdf
ibm-zconnect-mule.pdfibm-zconnect-mule.pdf
ibm-zconnect-mule.pdfLaLa788688
 
Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceOptimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceThousandEyes
 
veeam_vbo365_short_deck.pptx
veeam_vbo365_short_deck.pptxveeam_vbo365_short_deck.pptx
veeam_vbo365_short_deck.pptxFadhilMuhammad80
 
Increasing Productivity with End-User Computing Solutions on AWS
Increasing Productivity with End-User Computing Solutions on AWS Increasing Productivity with End-User Computing Solutions on AWS
Increasing Productivity with End-User Computing Solutions on AWSAmazon Web Services
 
Expand Cloud Foundry for the Enterprise
Expand Cloud Foundry for the EnterpriseExpand Cloud Foundry for the Enterprise
Expand Cloud Foundry for the EnterpriseVMware Tanzu
 
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...Amazon Web Services
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dcCisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dcCisco Canada
 

Ähnlich wie Xxe xml external entity (20)

Cisco Connect Ottawa 2018 data centre security
Cisco Connect Ottawa 2018 data centre securityCisco Connect Ottawa 2018 data centre security
Cisco Connect Ottawa 2018 data centre security
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...
PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...
PuppetConf 2017 | Adobe Advertising Cloud: A Lean Puppet Workflow to Support ...
 
PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...
PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...
PuppetConf 2017: Adobe Advertising Cloud: Lean Puppet Workflow to Support Mul...
 
Cisco connect winnipeg 2018 we make it simple
Cisco connect winnipeg 2018 we make it simpleCisco connect winnipeg 2018 we make it simple
Cisco connect winnipeg 2018 we make it simple
 
VA_InterConnect2017
VA_InterConnect2017VA_InterConnect2017
VA_InterConnect2017
 
Domain Specific Languages and C++ Code Generation
Domain Specific Languages and C++ Code GenerationDomain Specific Languages and C++ Code Generation
Domain Specific Languages and C++ Code Generation
 
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 
iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術
iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術 iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術
iThome Cloud Summit 2017 - 實戰 Hybrid Cloud 管理與安全技術
 
Cloud administration
Cloud administrationCloud administration
Cloud administration
 
One Technique, Two Techniques, Red Technique, Blue Technique
One Technique, Two Techniques, Red Technique, Blue TechniqueOne Technique, Two Techniques, Red Technique, Blue Technique
One Technique, Two Techniques, Red Technique, Blue Technique
 
ibm-zconnect-mule.pdf
ibm-zconnect-mule.pdfibm-zconnect-mule.pdf
ibm-zconnect-mule.pdf
 
Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceOptimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
 
veeam_vbo365_short_deck.pptx
veeam_vbo365_short_deck.pptxveeam_vbo365_short_deck.pptx
veeam_vbo365_short_deck.pptx
 
Increasing Productivity with End-User Computing Solutions on AWS
Increasing Productivity with End-User Computing Solutions on AWS Increasing Productivity with End-User Computing Solutions on AWS
Increasing Productivity with End-User Computing Solutions on AWS
 
Expand Cloud Foundry for the Enterprise
Expand Cloud Foundry for the EnterpriseExpand Cloud Foundry for the Enterprise
Expand Cloud Foundry for the Enterprise
 
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...
Say Goodbye to Legacy Network File Shares with Amazon WorkDocs Drive (BAP208)...
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dcCisco connect montreal 2018 secure dc
Cisco connect montreal 2018 secure dc
 
Check Point and Cisco: Securing the Private Cloud
Check Point and Cisco: Securing the Private CloudCheck Point and Cisco: Securing the Private Cloud
Check Point and Cisco: Securing the Private Cloud
 

Kürzlich hochgeladen

VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 

Kürzlich hochgeladen (20)

VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 

Xxe xml external entity

  • 1. Web Application Security - Team bi0s © 2017 XXE XML External Entity 25 February 2017 @Team bi0s 1/25 HEERAJ Btech, Third Year, Computer Science Engineering Amrita University
  • 2. whoami Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Undergraduate Student @ Amrita ➔ Web Security Enthusiast ➔ CTF{flag_seeker} ➔ @heerajnair ➔ ww.i4info.in 2/25
  • 3. Agenda Web Application Security - Team bi0s © 2017 @Team bi0s ➔Intro to XML & DTD ➔XML Entity ➔Parsing XML ➔Attack Vectors ➔Demo 3/25
  • 4. XML Web Application Security - Team bi0s © 2017 @Team bi0s ➔EXtensible Markup Language 4/25 Picture:123RF.COM
  • 5. Where it is used ? Web Application Security - Team bi0s © 2017 @Team bi0s ➔Document Formats ➔Image Formats ➔Configuration Files ➔Network Protocols ➔RSS Feeds … etc . . . 5/25 Picture: c-sharpcorner.com
  • 6. Document Type Definition Web Application Security - Team bi0s © 2017 @Team bi0s ➔ References an External DTD ➔ Define structure with the list of legal elements 6/25
  • 7. XML Entity Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Entities help to reduce the entry of repetitive information Output: Writer: Donald Duck. Copyright: bi0s. 7/25
  • 8. XML Entity Web Application Security - Team bi0s © 2017 @Team bi0s XML Entity Internal Entity External Entity 8/25
  • 9. Parsing Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Character other than < , > , & , ‘ , “ all are parsable. ➔ PCDATA is text that will be parsed by a parser. ➔ CDATA is text that will not be parsed by a parser. ◆ Ex : <![CDATA[<data>Hello, world!]]> 9/25
  • 10. Attack’s Possible Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Denial Of Service ➔ Local File Inclusion ➔ SSRF ➔ Internal scans ➔ Rce (Not Always!!!) 10/25
  • 11. Billion Laughs Attack Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Works by expansion property (Simple code(<1kb) will expand up to 3 gigabytes of memory. 11/25 Website: digitalimprint.com
  • 12. Attack Vectors Web Application Security - Team bi0s © 2017 @Team bi0s Classic XXE We can view any file which doesn’t contain < , > , & , ‘ , “ as characters. 12/25
  • 13. 13
  • 14. OFFICE OPEN XML Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Zip archive file containing XML and media files ➔ *.docx , *.xlsx , *.pptx ➔ Developed by Microsoft 14/25
  • 15. OFFICE OPEN XML Web Application Security - Team bi0s © 2017 @Team bi0s 15/25
  • 16. OFFICE OPEN XML Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Files in OOXML ◆ /_rels/.rels ◆ [Content_Types].xml ◆ Default Main Document ● /word/document.xml ● /ppt/presentation.xml ● /xl/workbook.xml 16/25
  • 17. Direct Feedback Channel Web Application Security - Team bi0s © 2017 @Team bi0s What if you are Reading Some configuration files? 17/25
  • 18. Different Protocols Web Application Security - Team bi0s © 2017 @Team bi0s 18/25 php://filter/convert.base64-encode/resource=/etc/passwd
  • 19. Direct Feedback Channel Web Application Security - Team bi0s © 2017 @Team bi0s ➔ CDATA very helpful to read web configuration, which contain non parsable characters. But this won’t work !! 19/25
  • 20. Direct Feedback Channel Web Application Security - Team bi0s © 2017 @Team bi0s 20/25 1. XML Request Parsing Attacker’s Server Host
  • 21. Direct Feedback Channel Web Application Security - Team bi0s © 2017 @Team bi0s ➔ We have to use Parameter entities ➢ Parameter.dtd 21/25
  • 22. Out Of Band Channel Web Application Security - Team bi0s © 2017 @Team bi0s 22/25 1. XML Request Parsing Attacker’s Server Host
  • 23. Out Of Band Channel Web Application Security - Team bi0s © 2017 @Team bi0s ➔ No Direct Feedback Channel 23/25
  • 24. Demo Web Application Security - Team bi0s © 2017 @Team bi0s XXE Cheat Sheet: http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html 24/25
  • 25. Solution Web Application Security - Team bi0s © 2017 @Team bi0s ➢ Validation of user input ➢ Turn off external DTD fetching ➢ Disable External Entity Parsing libxml_disable_entity_loader(true);(PHP) 25/25
  • 26. 26
  • 27. Playing With Content Type Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Server may accept multiple data formats ➔ Results in Json endpoints may be vulnerable to XXE ➔ Content-Type changed to application/xml ➔ JSON has to be converted to XML 27/25
  • 28. OFFICE OPEN XML Web Application Security - Team bi0s © 2017 @Team bi0s 28/25 Open XML File Container Document Properties Custom Defined XML Comments WordML/ SpreadsheetML etc Embedded Code/Macros Images, Video, Sound Files Charts

Hinweis der Redaktion

  1. RSS/xhtml/svg/opendocument/kml/xslt/soap/saml… And Many more are written in XML
  2. Defines the structure, attributes and the legal elements of XML #PCDATA - parsable text data Note defines this must contain to, from, heading,body
  3. Used to include some documents
  4. Public and SYSTEM are the 2 external entities.
  5. Dos( by reading /dev/zero loops
  6. Found Long back in 2002
  7. File that are present in the zip archive
  8. File that are present in the zip archive
  9. But this will not work with the above example, we get the error: “XML document structures must start and end within the same entity.”
  10. In the first case it was from same dtd Here we have used different dtd
  11. In the first case it was from same dtd Here we have used different dtd
  12. In the first case it was from same dtd Here we have used different dtd
  13. In the first case it was from same dtd Here we have used different dtd
  14. File that are present in the zip archive
  15. File that are present in the zip archive
  16. File that are present in the zip archive