xxe exposed: sqli, xss, xxe and xee against web services
DESCRIPTION
XXE Exposed Webinar Slides: Brief coverage of SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation. Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD) Full recording here: NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25 https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/TRANSCRIPT
XXE ExposedXML eXternal Entity vulnerabilities
Armando Romeo – Abraham Aranguren
eLearnSecurity SRL
www.elearnsecurity.com
Page � 2
MENU
IntroductionIntroduction
DEMODEMO
Q/A + SurpriseQ/A + Surprise
Page � 3
Meet our author Abraham ArangurenProject founder and leader of OWASP OWTF
7+ years in Web App Security research and consulting
Speaker at top European IT Security events
Co-creator of VSA along with Mario Heiderich and Gareth Heyes
Author of Practical Web DefenseThe most comprehensive training course on web app security
Launched in November 2013
Presenter
Page � 4
Agenda
Web Service TypesWeb Service Types
SQLi on Web ServicesSQLi on Web Services
XSS on Web ServicesXSS on Web Services
XXE / XEE on Web ServicesXXE / XEE on Web Services
XXE / XEE DemoXXE / XEE Demo
Q & AQ & A
Page � 5
Major Web Service Types:
Web Service Types
Abbreviation Stands for
XML-RPC XML Remote Procedure Call
JSON-RPC JSON Remote Procedure Call RPC
SOAP Simple Object Access Protocol
REST Representational State Transfer
BEPL Business Process Execution Language
WCF Windows Communication Foundation
More in-depth examples, labs, videos, etc. on:
«Practical Web Defense»
https://www.elearnsecurity.com/PWD
Page � 6
Basic Example:
• «Find a player web service»
• Web service returns matches from a database
Web Service Example
Message:
“Find a player”
Request
“Web service client” Web service server:
1) Search player
2) Return matchesMessage:
“Player matches”
Response
Page � 7
In this webinar:
• Web service = Process request + Return response
• Web service = «the function», «find a player»
• Web service type = «the envelope», «HOW to call the function»
• Vulnerabilities are often in «the function»:
IF SO, Web Service attacks work against ALL types
NOT in this webinar:
• Vulnerabilities can also be in processing of «the envelope»
http://www.ws-attacks.org/
Web Service Types
Page � 8
“Find a player” in “XML-RPC speak”
XML-RPC Request Example
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>FindPlayer</methodName><params>
<param>
<value>
<string>Simon</string></value>
</param>
</params>
</methodCall>
Page � 9
“Find a Player” in “JSON-RPC speak”
JSON-RPC Request Example
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer“,
"params": [ "Simon" ], "id": 1
}
Page � 10
“Find a Player” in “SOAP speak”
SOAP Request Example
POST /soap_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
xmlns:enc="http://www.w3.org/2003/05/soap-encoding"
xmlns:ns1="http://example.com/soap_web_service"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<ns1:FindPlayer env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
<name xsi:type="xsd:string">Simon</name></ns1:FindPlayer>
</env:Body>
</env:Envelope>
Page � 11
«Find a Player» in «RESTful speak»
RESTful Request Example
GET /restful_web_service/Find_player/SimonHTTP/1.1
Host: example.com
...
Page � 12
For our purposes:
• The function can be the same:
«Find a Player»
• The attacks can be the same:
SQLi, XSS, XXE, etc.
• What changes is «the envelope»:
«How to invoke the function»
In our example:
«HOW to call the web service to find a player»
Web Service Types: Summary
Page � 13
Definitions:
SQLi = SQL Injection
XSS = Cross Site Scripting
XXE = XML eXternal Entity
What do SQLi, XSS and XXE have in common?
• They are all «Injection» attacks
• Injection attacks = Number 1 Web Risk
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
Usual culprits:
• String concatenations
• XML parsers
• Home rolled parsers
SQLi, XSS and XXE?
Page � 14
SQL Injection (SQLi) 101:
• User input can change the SQL query
• «input» is «injected» into the «SQL query»
• Usually due to string concatenations:
«SELECT ... WHERE id = input»
SQL Injection on Web Services:
• Usually the same as SQLi on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
SQLi on Web Services
Page � 15
SQLi: XML-RPC Web Service
Page � 16
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>FindPlayer</methodName><params>
<param>
<value>
<string>Simon</string></value>
</param>
</params>
</methodCall>
SQLi: Legit XML-RPC Request
Page � 17
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>FindPlayer</methodName><params>
<param>
<value>
<string>
zz' union all ...
</string>
</value>
</param>
</params>
</methodCall>
SQLi: XML-RPC SQLi Attack
Page � 18
Query:
NOTE: String concatenation!
SELECT * FROM players WHERE name LIKE '%{$player}%'
Intended usage:
• Player: Simon
• XML-RPC call snippet:
<string>Simon</string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%Simon%'
SQLi attack:• Player: zz' union all ...
• XML-RPC call snippet:
NOTE: XML-encoded single quote (') = '
<string>zz' union all ... </string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
SQLi: XML-RPC Explanation
Page � 19
Usual SQLi Impact:
• The attacker can run arbitrary SQL code
• Dumping the whole database, Sometimes code execution, etc.
Root cause: Code + Data = Code
• Code: SELECT * FROM players WHERE name LIKE '%%'
• + Data (i.e. user input): $player
• = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %‘
• «Data» is executed as «Code» (All Injection attacks work like this)
How to fix: Separate «code» from «data» as aggressively as possible
• BEST: Bind variables aka «Parameterized queries» � Always do this if you can!
• 2nd BEST: Escaping � Sometimes the only option (think legacy), be careful
• 3rd BEST: Strict validation � Only do this in addition to binding/escaping
• More info:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
SQLi Mitigation: Basics
Page � 20
REMEMBER: Bind variables > Escaping
IF you have to use escaping make sure that:
1) you use the DBMS function for that:
i.e. Escape MySQL using a MySQL-specific function, etc.
AND
2) You put quotes around the value you are escaping!
Our example:
Could be fixed, using escaping, like:
SQLi Mitigation: On Escaping
Page � 21
XSS Intro
Three major types of XSS:
• (Server-Side) Reflected:
The XSS payload is displayed back from the request
• (Server-Side) Stored:
The XSS payload is
1) stored –i.e. in a DB-
2) Displayed back
• (JavaScript-Side) DOM-based:
The XSS payload is evaluated as JavaScript, from JavaScript code
Cross Site Scripting (XSS) 101:
• User input can change the HTML page OR JavaScript
• «input» is «injected» into the «Page»
• Run JavaScript under «victim domain» = session hijacking, etc.
• Usually due to string concatenations:
«<html><body>....input...</body></html>»
Page � 22
XSS against RESTful web services can sometimes be like XSS on web apps:
XSS on RESTful Web Services
Page � 23
XSS on RESTful Web ServicesProof of concept:
XSS=$(php -r "echo urlencode(\"<svg onload=alert(1)>\");")
curl -i "http://localhost/findplayer/$XSS"
OR directly:
http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E
Returns:
HTTP/1.1 200 OK
..
Content-Type: text/html
Your search: <svg onload=alert(1)>Matches: ...
NOTE:
Content-Type != text/html on SOAP, XML-RPC, JSON-RPC .. usually ☺
Page � 24
But, more commonly, XSS on Web Services happens in two stages:
1) The web service saves the data � NOT the problem
2) The data is displayed (insecurely) by a web app � THE problem
XSS on Web Services:
• Usually the same as Persistent XSS on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
XSS on most Web Services
Page � 25
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer“,
"params": [ "Simon" ], "id": 1
}
JSON-RPC Request Example
Page � 26
NOTE: Encode according to «the envelope», JSON-RPC = JSON encode
XSS=$(php -r "echo json_encode(\"<svg onload=alert(1)>\");");
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
"method": "FindPlayer“,
"params": [ "<svg onload=alert(1)>" ],
"id": 1
}
JSON-RPC XSS Attack
Page � 27
XSS MitigationXSS Mitigation 101:
• Solution != Validation (i.e. Business requires «risky» characters, etc.)
• Solution = Output Encoding in the right context
• ALWAYS use validation in addition to output encoding.
• As with all Injection attacks, the problem is when:
Code + Input = Code
• Usual culprit aka “right place to fix”
String concatenations on code that renders/builds HTML/JavaScript
NOTE: Usually on the web app, rarely on the web service.
• More info (recommended reading):
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention
_Cheat_Sheet
Page � 28
XSS Mitigation ExampleXSS Mitigation 101 = Output Encoding in the right context, using the
relevant platform function for such purpose. i.e. Htmlentities in PHP.
Vulnerable example:
Fixed example (in this context!):
Safe Output:
Your search: <svg onload=alert(1)> Matches: ...
Unsafe Output:
Your search: <svg onload=alert(1)> Matches: ...
Page � 29
XXE / XEE IntroXML Entity (XXE / XEE) attacks 101:
• User input can change the parsed XML, «the XML the app will see»
• «input» is «injected» into the «parsed XML»
• Usually due to a default XML parser feature:
XML (External / Inline) Entities
Two major types of atacks:
• XXE = Path Traversal = Read system files, source code, etc.
• XEE = Denial of Service = Crash the web server
Interesting attack variants:
• Internal network HTTP requests
• PHP / Java wrappers
• Remote Code Execution (RCE) in some edge cases
• Etc.
Page � 30
XXE / XEE = Subtle issuesXXE / XEE = Attacks against the XML parser, the code might «look safe»
Scenario:
An NGO builds a «crime report» web service, this allows people to report
government abuse crimes anonymously.
Code:
Page � 31
XEE attack XML FileXEE = XML Entity Expansion = Denial of Service (DoS) attack
Amplified XEE: «The billion laughs attack» / «recursive entity expansion»
XML File:
It will take … 687 GB of RAM to parse this document ..
Recommended watching: http://vimeo.com/73255656
Page � 32
Intended XML FileXML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output:
Uploading Crime Report: Joey is guilty..
Page � 33
XXE attack XML FileXXE = External Entity attack = Path Traversal = Read files, etc.
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output: � «summary» = «/etc/passwd» via XML parser!
Uploading Crime Report: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….
Page � 34
XXE / XEE: MitigationXXE and XEE attacks mitigation 101:
• Disable external entities
• Disable DOCTYPE declarations
• Prefer SAX over DOM parsers
• Validate XML files against schemas
• More info (recommended reading, especially links at the end):
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processin
g
Page � 35
XXE / XEE: Mitigation exampleVulnerable:
$xml = simplexml_load_string($request->getBody());
Fixed:
NOTE: Do ALL this before parsing//Fix 1) Disable External Entities: Fixes XXE and *some* XEE
libxml_disable_entity_loader(true);
//Fix 2) Limit overall XML size: IMPORTANT before Fix 3)
if (strlen($xml_string) > (1024 * 5))
die('Sorry, we do not support XML files greater than 5
KBs');
//Fix 3) Forbid DOCTYPE declarations: Fixes XXE and XEE
If (preg_match("/<!DOCTYPE/i", preg_replace("/\s/", '',
$xml_string)))
die('Unsupported XML file, sorry');
//NOW we can parse the XML safely ☺
$xml = simplexml_load_string($xml_string);
Page � 36
XXE / XEE Demo
XXE / XEE
DEMOWatch it from minute 25 here:
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
(NOTE: Wait for the video to fully load first)