Tuesday, July 27, 2010

XML INJECTION

XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. Injecting unintended XML content and/or structures into an XML message can alter the intended logic of the application. Further, XML injection can cause malicious content to be inserted into the resulting message/document.

An example of XML injection that inserts a complete XML structure:

Consider this example XML document:

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<uname>sant1</uname>
<pwd>r3g</pwd>
<uid>0</uid>
<mail>sant1@example1.com</mail>
</user>
<user>
<uname>sant2</uname>
<pwd>an00n</pwd>
<uid>500</uid>
<mail>sant2@example2.com</mail>
</user>
</users>

If the attacker were to submit the following values for a new user 'Henry' (the e-mail value closes the current <mail> and <user> elements and opens a second, attacker-controlled <user>; the application's own template then supplies the final </mail></user>):

Username: Henry123
Password: iluvbob
E-mail: Henry123@example3.com</mail></user><user><uname>Hacker</uname><pwd>l33tist</pwd><uid>0</uid><mail>hacker@example_evil.net

Then the resulting XML document would be:

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<uname>sant1</uname>
<pwd>r3g</pwd>
<uid>0</uid>
<mail>sant1@example1.com</mail>
</user>
<user>
<uname>sant2</uname>
<pwd>an00n</pwd>
<uid>500</uid>
<mail>sant2@example2.com</mail>
</user>
<user>
<uname>Henry123</uname>
<pwd>iluvbob</pwd>
<uid>500</uid>
<mail>Henry123@example3.com</mail></user><user><uname>Hacker</uname><pwd>l33tist</pwd><uid>0</uid>
<mail>hacker@example_evil.net</mail>
</user>
</users>

In this example a new user (Hacker) is inserted into the document with user ID 0. In many XML applications the later occurrence of a user ID overrides the earlier one, so the injected user 'Hacker' ends up logged in with userid=0 (which is often the administrator uid). The root cause is that untrusted input is concatenated into the markup instead of being escaped or inserted as a text node.
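The following Python example is added here to show the difference concretely; it is not code from the original post. It builds the <users> document from the text in two ways: a vulnerable builder that pastes the submitted values straight into the markup, and a hardened builder that uses xml.etree.ElementTree so the values can only ever become character data. The base document, the helper names and the final parsing check are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed base document (same shape as the <users> file in the text).
BASE_DOC = (
    "<users>"
    "<user><uname>sant1</uname><pwd>r3g</pwd><uid>0</uid>"
    "<mail>sant1@example1.com</mail></user>"
    "<user><uname>sant2</uname><pwd>an00n</pwd><uid>500</uid>"
    "<mail>sant2@example2.com</mail></user>"
    "</users>"
)

# The e-mail value from the text: it closes <mail> and <user>, then opens a
# second <user> whose <mail> is left for the application's template to close.
INJECTED_MAIL = (
    "Henry123@example3.com</mail></user>"
    "<user><uname>Hacker</uname><pwd>l33tist</pwd><uid>0</uid>"
    "<mail>hacker@example_evil.net"
)


def build_user_unsafe(uname, pwd, uid, mail):
    """Vulnerable: untrusted values are concatenated straight into the markup."""
    return ("<user><uname>%s</uname><pwd>%s</pwd><uid>%s</uid><mail>%s</mail></user>"
            % (uname, pwd, uid, mail))


def build_user_safe(uname, pwd, uid, mail):
    """Hardened: let the XML library build the element. On serialisation it
    escapes '<', '>' and '&' in text, so input cannot introduce new elements."""
    user = ET.Element("user")
    for tag, value in (("uname", uname), ("pwd", pwd), ("uid", str(uid)), ("mail", mail)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(user, encoding="unicode")


def add_user(doc, builder, uname, pwd, uid, mail):
    """Append the new <user> fragment before </users>, as a naive template would."""
    return doc.replace("</users>", builder(uname, pwd, uid, mail) + "</users>")


def list_users(doc):
    """Parse the document and return (uname, uid) for every <user> the parser sees."""
    root = ET.fromstring(doc)
    return [(u.findtext("uname"), u.findtext("uid")) for u in root.findall("user")]


def mail_of(doc, uname):
    """Return the <mail> text of the named user, or None if there is no such user."""
    for u in ET.fromstring(doc).findall("user"):
        if u.findtext("uname") == uname:
            return u.findtext("mail")
    return None


def privileged_users(doc):
    """Defender-side check after a write: every account that carries uid 0."""
    return [name for name, uid in list_users(doc) if uid == "0"]


if __name__ == "__main__":
    unsafe = add_user(BASE_DOC, build_user_unsafe, "Henry123", "iluvbob", 500, INJECTED_MAIL)
    safe = add_user(BASE_DOC, build_user_safe, "Henry123", "iluvbob", 500, INJECTED_MAIL)
    print(list_users(unsafe))       # four users; the last is ('Hacker', '0')
    print(privileged_users(unsafe))  # ['sant1', 'Hacker']
    print(list_users(safe))         # three users; the payload is only text in <mail>
    print(privileged_users(safe))   # ['sant1']
```

With the unsafe builder the parser sees four <user> elements, one of them 'Hacker' with uid 0; with the ElementTree builder the same input round-trips as the literal text of Henry's <mail> element and no extra user exists. The privileged_users check is the kind of post-write audit that catches the injected account even where the builder cannot be changed.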

Another type of XML injection uses CDATA sections to carry malicious content. In a message payload that contains a CDATA section, characters and markup that would otherwise be illegal in element content are passed through untouched, because the XML parser does not interpret anything inside the section.

<HTML>
<![CDATA[<IMG SRC=http://www.example.com/logo.gif onmouseover=javascript:alert('Attack');>]]>
</HTML>

In this example an XML/HTML application can be exposed to an XSS vulnerability. The CDATA content is unparsed character data, so input-validation filters that rely on schema validation never see it as markup; if the application later renders that text as HTML without output encoding, the script runs.
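The Python example below is added to illustrate the CDATA point; it is not code from the original post. It parses the <HTML> message above, shows that a validator working on element names alone accepts it (the IMG markup is plain text to the XML parser), and contrasts a vulnerable renderer that embeds that text verbatim with one that HTML-encodes it for the page. The allowed-element set, the renderer functions and the text-content check are assumptions of this example.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample message: the CDATA section from the text inside <HTML>.
MESSAGE = (
    "<HTML>"
    "<![CDATA[<IMG SRC=http://www.example.com/logo.gif "
    "onmouseover=javascript:alert('Attack');>]]>"
    "</HTML>"
)

# Assumed allow-list of element names, standing in for a schema.
ALLOWED_ELEMENTS = {"HTML"}


def element_names(doc):
    """Element names the XML parser actually produces for the document."""
    return [el.tag for el in ET.fromstring(doc).iter()]


def passes_structural_check(doc):
    """What a schema-style validator sees: element structure only.
    Text inside CDATA is opaque to it, so this check passes."""
    return set(element_names(doc)) <= ALLOWED_ELEMENTS


def text_content(doc):
    """The character data of the root element, i.e. the CDATA payload as text."""
    return ET.fromstring(doc).text or ""


def contains_markup(text):
    """Content check on text nodes, independent of schema validation:
    flag text that carries markup delimiters."""
    return any(ch in text for ch in "<>")


def render_unsafe(doc):
    """Vulnerable: the parsed text is placed in an HTML page verbatim,
    so the browser treats the CDATA payload as a real <IMG> tag."""
    return "<div>%s</div>" % text_content(doc)


def render_safe(doc):
    """Hardened: output-encode the text for the HTML context it lands in."""
    return "<div>%s</div>" % html.escape(text_content(doc), quote=True)


if __name__ == "__main__":
    print(element_names(MESSAGE))                 # ['HTML'] only; no IMG element
    print(passes_structural_check(MESSAGE))       # True: structure looks clean
    print(contains_markup(text_content(MESSAGE)))  # True: the text is markup
    print(render_unsafe(MESSAGE))                 # live <IMG ... onmouseover=...>
    print(render_safe(MESSAGE))                   # &lt;IMG ... shown as text
```

The structural check and the text check disagree on the same message, which is the gap the text describes: schema validation answers "are these the right elements?", not "is this text safe in the place it will be rendered?". The fix is to treat CDATA content as untrusted text and encode it for its output context, as render_safe does.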