XML Injection

Page history last edited by Robert Auger 14 years, 2 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-23

 

XML Injection

XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. Injecting unintended XML content and/or structures into an XML message can alter the intended logic of the application. Further, XML injection can cause malicious content to be inserted into the resulting message/document.

 

An example of XML injection that inserts complete XML structures:

Consider this example XML document:

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
    <user>
        <uname>joepublic</uname>
        <pwd>r3g</pwd>
        <uid>0</uid>
        <mail>joepublic@example1.com</mail>
    </user>
    <user>
        <uname>janedoe</uname>
        <pwd>an0n</pwd>
        <uid>500</uid>
        <mail>janedoe@example2.com</mail>
    </user>
</users>

If the attacker were to inject the following values for a new user 'alice':

Username: alice
Password: iluvbob
E-mail: alice@example3.com</mail></user><user><uname>Hacker</uname><pwd>l33tist</pwd><uid>0</uid><mail>hacker@example_evil.net

 

Then the resulting XML document would be:

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
    <user>
        <uname>joepublic</uname>
        <pwd>r3g</pwd>
        <uid>0</uid>
        <mail>joepublic@example1.com</mail>
    </user>
    <user>
        <uname>janedoe</uname>
        <pwd>an0n</pwd>
        <uid>500</uid>
        <mail>janedoe@example2.com</mail>
    </user>
    <user>
        <uname>alice</uname>
        <pwd>iluvbob</pwd>
        <uid>500</uid>
        <mail>alice@example3.com</mail></user><user><uname>Hacker</uname><pwd>l33tist</pwd><uid>0</uid><mail>hacker@example_evil.net</mail>
    </user>
</users>

In this example a new user (Hacker) is inserted into the table with user ID 0. In many XML applications, the second instance of a user ID overrides the first. The result is that the injected user 'Hacker' is logged in with userid=0 (which is often the administrator uid).
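As an added example that is not part of the WASC page, the record builder the scenario above implies, written in Python two ways: once by string concatenation (which lets the e-mail value close the <user> element and open a second one) and once with ElementTree (which escapes the markup so the value stays text), plus the check a defender can run on the produced document. The field names follow the page; the function names and the single-user document shape are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed input: the e-mail value the page shows for 'alice'.
MAIL_PAYLOAD = ("alice@example3.com</mail></user><user><uname>Hacker</uname>"
                "<pwd>l33tist</pwd><uid>0</uid><mail>hacker@example_evil.net")


def build_user_concat(uname, pwd, uid, mail):
    """Vulnerable (hypothetical) builder: untrusted values are pasted
    straight into the markup, so '<' and '>' in a value become structure."""
    return ("<users><user><uname>%s</uname><pwd>%s</pwd><uid>%d</uid>"
            "<mail>%s</mail></user></users>" % (uname, pwd, uid, mail))


def build_user_safe(uname, pwd, uid, mail):
    """Fixed builder: the XML library owns the element structure and
    escapes '&', '<' and '>' in text when it serialises."""
    users = ET.Element("users")
    user = ET.SubElement(users, "user")
    for tag, value in (("uname", uname), ("pwd", pwd),
                       ("uid", str(uid)), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(users, encoding="unicode")


def audit_users(xml_doc):
    """Defender's check: parse the produced document and return
    (number of <user> elements, list of their uid values). A record
    built for one user must yield exactly one element."""
    root = ET.fromstring(xml_doc)
    users = root.findall("user")
    return len(users), [u.findtext("uid") for u in users]


if __name__ == "__main__":
    print(audit_users(build_user_concat("alice", "iluvbob", 500, MAIL_PAYLOAD)))
    print(audit_users(build_user_safe("alice", "iluvbob", 500, MAIL_PAYLOAD)))
```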

Another type of XML injection uses CDATA sections to insert malicious content. For example, XML message payloads that contain a CDATA field can be used to inject illegal characters/content that the XML parser passes through uninterpreted.


<HTML>
<![CDATA[<IMG SRC=http://www.example.com/logo.gif onmouseover=javascript:alert('Attack');>]]>
</HTML>

 

In this example an XML/HTML application can be exposed to an XSS vulnerability. This happens because the CDATA content is not parsed as markup and is therefore missed by schema-validation-based input filters.

 


 
