Monday, April 2, 2018

XML Injection


- Layout for this exercise:

1 - Introduction

- An XML (Extensible Markup Language) database is a data persistence software system that allows data to be specified, stored and retrieved in XML format. 

https://en.wikipedia.org/wiki/XML_database

- This data can be queried, transformed, exported and returned to a calling system. 

- XML databases are a flavor of document-oriented database, which is in turn a category of NoSQL database.

- When the data of a website is stored in an XML database, that data is accessed by a method known as XPath query generation.

- In this method, an XPath query is built from the input the user provides, and the matching data is retrieved.

- The problem arises when the input provided by the user is not properly filtered or validated by the system.

- XML injection is prevented by properly managing and sanitizing any user input before it is allowed to reach the main program code.

https://blog.udemy.com/xml-injection/

- The best approach is to treat all user input as untrusted and to validate it carefully.

- Most types of XML injection attack can be prevented by simply removing all single and double quotes from the user input.

2 - XML injection scenario

- In this exercise OWASP WebGoat v5.4 is used, running on the Windows 10 machine:

- Going to AJAX Security -> XML Injection:

- The scenario of this exercise consists of a web application that offers rewards based on the number of points accumulated by the user.

- In particular, the user whose account has the ID 836239 holds a balance of 100 points, enough to get the first three products from the following list (note that the last two products require far more than the 100 points available):

- By entering the user ID, the three products will be sent to the user's address:

- The XML file that stores this information about the user is the following:

- Regarding the rewards:

- The first XPath query, to fetch the user corresponding to the entered ID, would be:

- The second XPath query, to select the reward records costing less than 100 points, would be:

3 - Launching the XML injection

- In the Firefox browser on Kali Linux, enabling the proxy server:

- Enabling Burp interception on Kali Linux for both requests and responses between the attacker and the victim:

- The user tries to use his points:

- Forwarding with Burp:

- Intercepting the response:

- Now the response is altered by injecting two extra lines, that is, two extra XML nodes, for the top rewards of 2000 and 3000 points respectively:

- Forwarding with Burp:

- The user is now offered the option to acquire all the items, although he does not have enough points for them:

- Checking the rewards and submitting a new request:

- The XML injection is successful (the five items are shipped to the user's address) because the server has not properly validated the request:
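- The root cause above is that the server trusts the reward list the browser sends back instead of recomputing what the user can afford. The following added example (not WebGoat's own code) shows a server-side check in Python that rebuilds the entitlement from the XML on every request, so a tampered response changes nothing; it also applies the input-validation advice from section 1 by rejecting any user ID that is not purely numeric before it reaches the XPath predicate, which is stricter than only stripping quotes. The user and reward documents, reward names and point values are constructed for the example and labelled as such.

```python
import xml.etree.ElementTree as ET

# Constructed sample data modelled on the lesson; the real WebGoat files differ.
USERS_XML = """<users>
  <user id="836239" points="100"/>
  <user id="555555" points="15"/>
</users>"""

REWARDS_XML = """<rewards>
  <reward id="1" points="10">Reward A</reward>
  <reward id="2" points="40">Reward B</reward>
  <reward id="3" points="90">Reward C</reward>
  <reward id="4" points="2000">Reward D</reward>
  <reward id="5" points="3000">Reward E</reward>
</rewards>"""

USERS = ET.fromstring(USERS_XML)
REWARDS = ET.fromstring(REWARDS_XML)


def user_points(user_id):
    """Look up the user's balance, refusing input that could alter the XPath predicate."""
    # Treat the input as untrusted: only an all-digit ID may reach the query string,
    # so quotes, brackets or 'or' clauses can never become part of the XPath.
    if not user_id.isdigit():
        raise ValueError("user id must be numeric")
    node = USERS.find("./user[@id='%s']" % user_id)
    if node is None:
        raise LookupError("unknown user")
    return int(node.get("points"))


def affordable_rewards(user_id):
    """Rewards the user can actually pay for, computed on the server from the XML."""
    points = user_points(user_id)
    # ElementTree has no numeric XPath comparisons, so the points filter runs in Python.
    return {r.get("id") for r in REWARDS.findall("./reward")
            if int(r.get("points")) <= points}


def validate_order(user_id, requested_ids):
    """Split a client-submitted order into (accepted, rejected) reward IDs.

    The list the browser displayed earlier is never trusted: it may have been
    altered in transit, so entitlement is recomputed here for every request.
    """
    allowed = affordable_rewards(user_id)
    accepted = [r for r in requested_ids if r in allowed]
    rejected = [r for r in requested_ids if r not in allowed]
    return accepted, rejected


if __name__ == "__main__":
    # The tampered request from the lesson: the client claims all five items.
    print(validate_order("836239", ["1", "2", "3", "4", "5"]))
```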