Lesser Known Injections XML Injections AMol NAik About

Lesser Known Injections XML Injections AMol NAik

About me Web Application Pentester. Core member of Garage 4 Hackers. Bounty Hunter in past. Currently fuzzing browsers for Fun & Profit

Garage 4 Hackers Family of 3, 800, posts 8 k+40+ best Bug Bounty submissions 15+ browser bugs in Chrome, IE, FF & Safari. ASLR bypass method presented at Can. Sec. West was already shared on G 4 H forum 5+ Information Security Research (cable TV & Datacard)10+ Tools & scripts, 1+ Web application CTFRanchhoddas Webcast Series – 5+ webinars. Follow us on Twitter @garage 4 hackers

Agenda XML Basic. XML Injection. XXE Attack. XPath Basics. XPath Injections

XXE is a the new SQL Injection - Someone on Twitter

XML Injection in Real-World Yandex pwned for $5000 with XXE by @d 0 znpp. Open. ID XXE by Reginaldo Silva. Multiple XXE bugs by @Securatary team. XXE in Google Toolbar by Detectify team - $10 k

XML Basics

XML Basics e. Xtensible Markup Language. Flexible textbased format. Presents structured info. Used for Data Exchange/Storage

XML Components

XML – CDATA Section Tells parser not to use markup for characters in this section. Examples:

XML Injections

XML Injections Injection Points

XML Injection – Node Attribute

XML Injection – Node Attribute

XML Injection – Node Value

XML Injection – Node Value

XML Injection – CDATA Section

XML Injection – CDATA Section

XXE Attack

XML Entity Variable. Define Can be Internal/External

XML Entity

XXE Attack

XPath Basics Language to select XML Nodes. Formats XML data as tree-structured values. Similar as SQL (in some sense)

XPath Syntax Uses path expressions to select nodes or node -sets in an xml document Expression Description nodename Selects all child nodes of the named node / Selects from root node // Selects nodes from the current node that match the selection no matter where they are . Selects current node . . Selects parent of the current node

XPath Predicates Used to find a specific node or a node that contain specific value. Always embedded in square brackets

XPath Predicates Expression Result /Employees/Employee[1] Selects first ‘Employee’ element that is the child of ‘Employees’ element /Employees/Employee[last()] Selects last ‘Employee’ element that is the child of ‘Employees’ element /Employees/Employee[position()<3] Selects first 2 ‘Employee’ elements that are children of Employees element //Employee[@ID=‘ 1’] Selects all the ‘Employee’ elements that have an attribute named ‘ID’ with a value of ‘ 1’

XPath Location Path Syntax: axisname: : nodetest[predicate]

XPath Location Path Example Result child: : Employee Selects all ‘Employee’ node that are children of the current node attribute: : id Selects the id attribute of the current node child: : * Selects all children of the current node attribute: : * Selects all attributes of the current node child: : text() Selects all text child nodes of the current node child: : node() Selects all child nodes of the current node descendant: : Employees Selects all ‘Employees’ descendants of the current node

XPath Injection XPath Query: /Employees/Employee[User. Name/text() = ‘user’ and Password/text() = ‘passwd’]/Type/text()

XPath Injection No User. Name & Password known:

XPath Injection User. Name known: /Employees/Employee[User. Name/text() = ‘mbrown’ or ‘ 1’=‘ 1’ and Password/text() = ‘anything’]Type/text()

XPath Injection No User. Name & Password known & Password is not vulnerable:

Conclusion XML Injections are ignored. Many sites having these issues

That's It !! AMol NAik @amolnaik 4 mailto: amolnaik 4@garage 4 hackers. com

References XPath Injection. Hacking XPath 2. 0 Blind XPath Injection