Project: WASC Threat Classification
Threat Type: Attack
Reference ID: WASC-23
XML Injection
XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. Injecting unintended XML content and/or structures into an XML message can alter the intended logic of the application. Further, XML injection can cause malicious content to be inserted into the resulting message or document.
An example of XML injection that involves inserting complete XML structures:
Consider this example XML document:
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<uname>joepublic</uname>
<pwd>r3g</pwd>
<uid>0</uid>
<mail>joepublic@example1.com</mail>
</user>
<user>
<uname>janedoe</uname>
<pwd>an0n</pwd>
<uid>500</uid>
<mail>janedoe@example2.com</mail>
</user>
</users>
If the attacker were to supply the following values for a new user 'alice':
Username: alice
Password: iluvbob
E-mail: alice@example3.com</mail></user><user><uname>Hacker</uname><pwd>l33tist</pwd><uid>0</uid><mail>hacker@example_evil.net
Then the resulting XML document would be:
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<uname>joepublic</uname>
<pwd>r3g</pwd>
<uid>0</uid>
<mail>joepublic@example1.com</mail>
</user>
<user>
<uname>janedoe</uname>
<pwd>an0n</pwd>
<uid>500</uid>
<mail>janedoe@example2.com</mail>
</user>
<user>
<uname>alice</uname>
<pwd>iluvbob</pwd>
<uid>500</uid>
<mail>alice@example3.com</mail></user><user><uname>Hacker</uname><pwd>l33tist</pwd><uid>0</uid>
<mail>hacker@example_evil.net</mail>
</user>
</users>
In this example a new user (Hacker) is inserted into the document with user ID 0. In many XML applications, the second occurrence of a user ID overrides the first, so the injected user 'Hacker' ends up logged in with userid=0, which is often the administrator uid.
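To show why the injection above succeeds and how record construction through the XML API stops it, here is an added Python example that is not part of the WASC page: it stores a new user two ways and then parses the stored document. The users document and the injected e-mail value are constructed to mirror the page's example, with the trailing </mail> left off the payload so the application's own closing tags complete the injected record.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on the page's users document (no XML declaration,
# so it parses directly from a str).
USERS_DOC = (
    "<users>"
    "<user><uname>joepublic</uname><pwd>r3g</pwd><uid>0</uid>"
    "<mail>joepublic@example1.com</mail></user>"
    "<user><uname>janedoe</uname><pwd>an0n</pwd><uid>500</uid>"
    "<mail>janedoe@example2.com</mail></user>"
    "</users>"
)

# Constructed e-mail value modeled on the page's payload: it closes alice's
# record and opens a second one; the application's own closing tags finish it.
INJECTED_MAIL = (
    "alice@example3.com</mail></user><user><uname>Hacker</uname>"
    "<pwd>l33tist</pwd><uid>0</uid><mail>hacker@example_evil.net"
)


def add_user_unsafe(doc, uname, pwd, uid, mail):
    # Vulnerable: values are spliced into the markup as-is, so XML structure
    # inside a value becomes part of the stored document.
    record = (f"<user><uname>{uname}</uname><pwd>{pwd}</pwd>"
              f"<uid>{uid}</uid><mail>{mail}</mail></user>")
    return doc.replace("</users>", record + "</users>")


def add_user_safe(doc, uname, pwd, uid, mail):
    # Hardened: build the record through the XML API, which escapes '<' and
    # '&' in text nodes, so a value can never introduce new elements.
    root = ET.fromstring(doc)
    user = ET.SubElement(root, "user")
    for tag, value in (("uname", uname), ("pwd", pwd),
                       ("uid", str(uid)), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(root, encoding="unicode")


def user_records(doc):
    # Parse the stored document into (uname, uid, mail) triples; running this
    # over stored records is a simple way to spot an unexpected second uid 0.
    return [(u.findtext("uname"), u.findtext("uid"), u.findtext("mail"))
            for u in ET.fromstring(doc).findall("user")]


if __name__ == "__main__":
    for build in (add_user_unsafe, add_user_safe):
        print(build.__name__, user_records(build(USERS_DOC, "alice", "iluvbob", 500, INJECTED_MAIL)))
```

With the unsafe builder the parsed document contains a fourth user, Hacker, with uid 0; with the safe builder the whole payload is stored as the text of alice's mail element and no extra user appears.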
Another type of XML injection uses CDATA sections to insert malicious content. One example is an XML message payload containing a CDATA section, which can be used to inject characters or content that the XML parser does not interpret as markup.
<HTML>
<![CDATA[<IMG SRC=http://www.example.com/logo.gif onmouseover=javascript:alert('Attack');>]]>
</HTML>
In this example an XML/HTML application can be exposed to an XSS vulnerability. This happens because the CDATA content is not parsed as markup and is therefore missed by input validation filters based on schema validation.