Monday, April 2, 2018

XML Injection


- Layout for this exercise:

1 - Introduction

- An XML (Extensible Markup Language) database is a data persistence software system that allows data to be specified, stored and retrieved in XML format.

- This data can be queried, transformed, exported and returned to a calling system. 

- XML databases are a flavor of document-oriented databases which are in turn a category of NoSQL database.

- When a website stores its data in an XML database, that data is accessed by generating XPath queries.

- The application builds the XPath query from the input supplied by the user and runs it against the XML document to retrieve the required data.

- The problem arises when the input provided by the user is not properly validated or encoded before it is placed in the query or in the XML document.

- XML injection is prevented by validating and encoding all user input before it reaches the query or the document being built.

- The best approach is to treat all user input as untrusted and to enforce a strict allow-list for each field (for instance, an account ID that must be numeric).

- Simply removing single and double quotes from user input is often suggested, but it is not sufficient: angle brackets and other markup characters still allow extra nodes to be injected, XPath literals must be quoted correctly rather than stripped, and, as the exercise below shows, tampered data may never pass through the input filter at all. The effective controls are allow-list validation, correct quoting of XPath literals (or parameterised XPath where the engine supports it), and re-checking on the server side every decision that matters.
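- As an added example (not part of the original WebGoat exercise, which is written in Java), the following Python code shows the difference between splicing the user ID straight into an XPath query and building the query from a properly quoted literal after allow-list validation. The user document, the account names and the payload are constructed here for illustration; the lookup uses the limited XPath subset of the standard library's ElementTree, which does not support concat(), so the concat() form is only shown as the string a full XPath 1.0 engine (lxml, javax.xml.xpath) would receive.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document modelled on the exercise (user 836239 holds
# 100 points). It is not WebGoat's real data file; the names are made up.
USERS_XML = """<users>
  <user id="836239" name="Joe" points="100"/>
  <user id="123456" name="Ann" points="5000"/>
</users>"""

ROOT = ET.fromstring(USERS_XML)


def vulnerable_query(user_id: str) -> str:
    """Builds the XPath the way an injectable application does: the
    user-controlled value is spliced into the predicate unchanged, so a
    payload such as  836239' or '1'='1  turns the predicate into a
    tautology on a full XPath engine and matches every user."""
    return f".//user[@id='{user_id}']"


def xpath_literal(value: str) -> str:
    """Turns an arbitrary string into an XPath 1.0 string literal.

    XPath 1.0 has no escape character: a value containing one kind of quote
    is wrapped in the other, and a value containing both is split on the
    single quotes and reassembled with concat(). Deleting the quotes instead
    would silently change the value being looked up.
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def safe_query(user_id: str) -> str:
    """Same lookup, but the user value can only ever be a string literal."""
    return f".//user[@id={xpath_literal(user_id)}]"


def lookup_points(user_id: str) -> int:
    """Server-side lookup: allow-list the identifier first (account IDs are
    numeric in this scenario), then query with a correctly quoted literal.
    Either control alone stops the tautology payload; both together also
    give a clear error for malformed input."""
    if not re.fullmatch(r"[0-9]{1,12}", user_id):
        raise ValueError("user id must be numeric")
    matches = ROOT.findall(safe_query(user_id))
    if len(matches) != 1:
        raise LookupError("no such user")
    return int(matches[0].get("points"))


if __name__ == "__main__":
    payload = "836239' or '1'='1"
    print(vulnerable_query(payload))  # predicate is always true on a full XPath engine
    print(safe_query(payload))        # the payload is now an inert string literal
    print(lookup_points("836239"))
```

- Running the module prints the two query strings side by side; the hardened lookup rejects the payload before any query is built, and even if the regex were removed the quoted literal would simply match no user.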

2 - XML injection scenario

- In this exercise OWASP WebGoat v5.4 is used, running on the Windows 10 machine:

- Going to AJAX Security -> XML Injection:

- The scenario of this exercise consists of a web application that offers rewards based on the number of points accumulated by the user.

- In particular, the user whose account has the ID 836239 holds a balance of 100 points, enough to obtain the first three products from the following list (note that the last two products require far more points than the 100 available):

- By entering the user ID, the three products will be sent to the user's address:

- The XML file that stores the user information is the following:

- Regarding the rewards:

- The first XPath query, which fetches the user corresponding to the entered ID, would be:

- The second XPath query, which selects the rewards within the user's 100-point balance, would be:

3 - Launching the XML injection

- In Firefox, the proxy settings are pointed at the Burp proxy running on the Kali Linux machine:

- Interception is enabled in Burp for both requests and responses, so that the traffic between the browser and the WebGoat server can be altered on the way:

- The user tries to redeem his points:

- Forwarding with Burp:

- Intercepting the response:

- The response is now altered by injecting two extra lines, that is, two extra XML nodes, for the two most expensive rewards (2000 and 3000 points):

- Forwarding with Burp:

- The user is now offered the option to acquire all the items, even though he does not have enough points for them:

- Selecting all the rewards and submitting a new request:

- The XML injection is successful (the five items are shipped to the user's address) because the server trusts the list of rewards it returned to the client and does not re-check, on the server side, that the items selected fit within the user's balance:
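- The whole exchange above, reduced to Python as an added example that is not WebGoat's own code: the server answers the AJAX call with the affordable rewards, the attacker splices two extra nodes into the intercepted response the way it was done in Burp, the browser renders whatever the XML says, and the order handler either trusts the posted selection (vulnerable) or recomputes eligibility from server-side state (hardened). The balances, the reward names and their costs are constructed for illustration; only the 100-point balance, the three affordable items and the 2000- and 3000-point items follow the exercise.

```python
import xml.etree.ElementTree as ET

# Constructed data modelled on the exercise: user 836239 has 100 points and
# can afford only the first three rewards. Names and costs are made up and
# are not WebGoat's actual reward catalogue.
BALANCES = {"836239": 100}
CATALOGUE = {            # reward id -> (description, points required)
    "1": ("Sticker", 25),
    "2": ("Mug", 30),
    "3": ("T-shirt", 45),
    "4": ("Laptop", 2000),
    "5": ("Trip", 3000),
}


def reward_list_response(user_id: str) -> str:
    """Server side of the AJAX call: an XML document listing only the rewards
    the user can afford (the role of the 'second XPath query' above)."""
    balance = BALANCES[user_id]
    root = ET.Element("rewards")
    for rid, (desc, cost) in CATALOGUE.items():
        if cost <= balance:
            ET.SubElement(root, "reward", id=rid, points=str(cost)).text = desc
    return ET.tostring(root, encoding="unicode")


def inject_rewards(response_xml: str, extra_nodes) -> str:
    """What the attacker does in Burp: splice raw XML text for extra reward
    nodes into the intercepted response before it reaches the browser.
    No input filter on the server ever sees this data."""
    return response_xml.replace("</rewards>", "".join(extra_nodes) + "</rewards>")


def client_options(response_xml: str) -> list:
    """Browser side: the rendered list of checkboxes is whatever the XML
    contains, injected nodes included."""
    return [r.get("id") for r in ET.fromstring(response_xml).findall("reward")]


def ship_vulnerable(user_id: str, selected) -> list:
    """Ships every ID the client posted back. The only eligibility check
    happened when the first response was built, and the attacker rewrote
    that response, so all five items go out."""
    return [CATALOGUE[rid][0] for rid in selected]


def ship_hardened(user_id: str, selected) -> list:
    """Re-derives eligibility from server-side state on every order: unknown
    IDs are rejected, and the total cost must fit the balance before
    anything is shipped or deducted."""
    selected = list(dict.fromkeys(selected))          # drop duplicates
    unknown = [rid for rid in selected if rid not in CATALOGUE]
    if unknown:
        raise ValueError(f"unknown reward id(s): {unknown}")
    total = sum(CATALOGUE[rid][1] for rid in selected)
    if total > BALANCES[user_id]:
        raise PermissionError(f"{total} points requested, {BALANCES[user_id]} available")
    BALANCES[user_id] -= total
    return [CATALOGUE[rid][0] for rid in selected]


if __name__ == "__main__":
    legit = reward_list_response("836239")
    tampered = inject_rewards(legit, [
        '<reward id="4" points="2000">Laptop</reward>',
        '<reward id="5" points="3000">Trip</reward>',
    ])
    chosen = client_options(tampered)               # ['1', '2', '3', '4', '5']
    print("vulnerable server ships:", ship_vulnerable("836239", chosen))
    try:
        ship_hardened("836239", chosen)
    except PermissionError as err:
        print("hardened server refuses:", err)
```

- The point of the hardened handler is where the check lives: the client can be shown any list at all, and the server still decides on its own copy of the catalogue and the balance whether the order is allowed.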