
Re: [WEB SECURITY] Bypassing XML schema validation



Yes, this is an area which is definitely very little understood, and
multiple types of attacks are possible.

Add to this the fact that .Net allows the inclusion of .Net code (or
calls to .Net code) inside XML and XSLT files (it's not the default
option, but I know it is in there (haven't had a good look at it yet)).

Ironically, one of my colleagues had a meeting this week with an XML
firewall vendor which presented some solutions to handle some of these
issues (note that at the moment no Web Application Firewall vendor seems
to be able to handle XML).

If you guys have some time, it would be great to add some PoC examples
of these types of vulnerabilities to SiteGenerator. All you need to do is
to create aspx pages which contain this issue, and the mapping to the
dynamic websites is done in minutes.

Dinis Cruz
Owasp .Net Project
www.owasp.net

Andrew van der Stock wrote:
> There are several ways I am aware of. DTD / XSD validation is not
> particularly granular, and often it is not performed. Even worse,
> because it's a lot of work to create, most programs I've reviewed, if
> they have a DTD or XSD, do not have a particularly robust set of
> validations - usually "this node is a string", which is insufficient.
>
> For example, the devs designing the DTD / XSD might:
>
> a) not include sufficiently robust details of *how* the schema works, so
> you can add additional nodes, like this:
>
> <node>
> <attribute name="foo">real value</attribute>
> <attribute name="foo">attack</attribute>
> </node>
>
> This worked for me with a custom system a week ago. "Attack" was
> selected due to the XML parser in use (YMMV as to *which* node will be
> selected in XPath queries).
>
> b) not include sufficient validation, and you can use that to inject
> bad strings with impunity:
>
> <node>
> <attribute name="foo">javascript:alert(document.cookie)</attribute>
> </node>
>
> Again, this worked for me less than a week ago.
>
> c) Validation is rarely turned on, and even if it is ... how many times
> has the DTD not been available to the XML processor? Try looking at
> your DTD URL and see if you can download it. If not, it's highly
> likely that the XML processor cannot either, and most processors give
> up validation at that stage and let the data through. Only Biztalk
> seems to stop processing in my experience. All of them go slow.
>
> No exploit necessary.
>
> I'm sure others will have more, but this is more than enough to get
> you started.
>
> thanks,
> Andrew
>
> On 01/04/2006, at 11:26 AM, Chris Weber wrote:
>
>> I was wondering if anyone has found any ways to actually bypass a schema
>> without having to actually swap it out?
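The three weaknesses Andrew lists above (duplicate nodes the schema never forbade, string content the schema never constrained, and validation silently skipped when the DTD cannot be fetched), as an added example in Python that is not part of the original thread. Python's standard library ships no XSD validator, so the "schema" here is a hypothetical allow-list of regexes per attribute name; the sample documents mirror the snippets in the post, and the unreachable DTD URL is a constructed placeholder.

```python
"""Defensive XML checks for the three schema weaknesses discussed above.

Added example, not code from the original thread. The RULES allow-list and
the schema URL are hypothetical; only the standard library is used.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample documents, mirroring the snippets in the post.
DUPLICATE_NODE_DOC = """<node>
<attribute name="foo">real value</attribute>
<attribute name="foo">attack</attribute>
</node>"""

BAD_STRING_DOC = """<node>
<attribute name="foo">javascript:alert(document.cookie)</attribute>
</node>"""

GOOD_DOC = """<node>
<attribute name="foo">real value</attribute>
</node>"""

# Hypothetical content rules: each permitted attribute name maps to an
# anchored regex describing what a legitimate value looks like. This is an
# allow-list of good shapes, not a deny-list of known-bad strings.
RULES = {
    "foo": re.compile(r"^[A-Za-z0-9 ]{1,32}$"),
}


def which_value_wins(doc: str) -> tuple[str, list[str]]:
    """Point (a): with duplicate nodes, the parser/XPath in use decides which
    one an application sees. ElementTree's find() returns the first match,
    while findall() returns every match, so two code paths can disagree."""
    root = ET.fromstring(doc)
    first = root.find("./attribute[@name='foo']").text
    every = [e.text for e in root.findall("./attribute[@name='foo']")]
    return first, every


def validate(doc: str, rules=RULES) -> list[str]:
    """Return a list of validation errors; an empty list means accepted.

    Rejects (a) a repeated attribute name, (b) a value that fails the
    allow-list regex, and any attribute name the rules do not know."""
    errors = []
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    seen = set()
    for elem in root.findall("attribute"):
        name = elem.get("name")
        if name is None:
            errors.append("attribute element without a name")
            continue
        if name in seen:
            errors.append(f"duplicate attribute '{name}'")
        seen.add(name)
        rule = rules.get(name)
        if rule is None:
            errors.append(f"unknown attribute '{name}'")
        elif not rule.fullmatch(elem.text or ""):
            errors.append(f"value of '{name}' fails pattern")
    return errors


def validate_with_schema(doc: str, load_schema) -> list[str]:
    """Point (c): fail closed. load_schema stands in for fetching the DTD or
    XSD; if that fails, the input is rejected instead of waved through."""
    try:
        rules = load_schema()
    except Exception as exc:  # any fetch/parse failure of the schema itself
        return [f"schema unavailable, rejecting input: {exc}"]
    return validate(doc, rules)


def unreachable_schema():
    """Constructed stand-in for a DTD URL that cannot be downloaded."""
    raise ConnectionError("http://schema.example.invalid/node.dtd")


if __name__ == "__main__":
    print(which_value_wins(DUPLICATE_NODE_DOC))
    for d in (GOOD_DOC, DUPLICATE_NODE_DOC, BAD_STRING_DOC):
        print(validate(d))
    print(validate_with_schema(GOOD_DOC, unreachable_schema))
```

The two behaviours worth noting are the disagreement between `find()` and `findall()` on the duplicate document, which is exactly why Andrew says the "winning" node depends on the parser, and `validate_with_schema` returning an error rather than an empty list when the schema cannot be loaded.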



---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

Brought to you by http://www.webappsec.org