WebApp Sec mailing list archives
XML File Inclusion and Path Traversal Attacks (was RE: XML Port Scanning)
From: "Jan P. Monsch" <jan.monsch () iplosion com>
Date: Wed, 27 Sep 2006 21:28:25 +0200
Hi Paul, Hi Colin Thank you for your nice paper on XML port scanning. The attack scheme you are describing is not new. It was already described in Oct 2002 by Gregory Steuck as "XML eXternal Entity Attack" (XXE): http://www.securiteam.com/securitynews/6D0100A5PU.html Actually the attack scheme is more potent than you imagine. Depending on the application it is possible to include server-side files into XML documents. If e.g. the content of the processed XML document is stored in database and it is possible to read the database through the same or other web service functions or web application then the file content is disclosed. Due to the fact that directories can often be read just like a file, as it is the case in Java, it is possible to traverse directories and to read files without guessing paths. So far I have not succeeded in including arbitrary XML documents since they often violate DTD definitions of the surrounding XML. But if the DTD allows further XML tags in a field extraction of XML documents should also be possible. But in general my experience shows that Java property files, /etc/passwd, /etc/shadow or even PEM-encoded SSL key material pose no problems. Actually XML file inclusion is often practiced by Java web application developers and system engineers to include external parts in web.xml and Tomcat server.xml configuration files. The key to solving this issue, as mentioned in the paper, is to harden the XML parser by setting restrictive entity parsing options and to implement custom entity resolvers. Additionally I recommend running the web application with a low-privileged user account and restricting read and write access for this user across the operating system. For the paranoid among us who have deployed a Java based container should consider restricting file and network access through Java policies and security managers. Samples request and response can be found on my web site: http://www.iplosion.com/?p=36 Kind regards Jan -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Paul Theriault Sent: Mittwoch, 27. September 2006 06:19 To: webappsec () securityfocus com Subject: XML Port Scanning SIFT has released a new Intelligence Report that provides a discussion on a new network reconnaissance technique, using XML for completing remote port scans that effectively bypass a perimeter firewall. The technique utilises properties of XML parsers to perform the scanning of systems, and while the technique relies on some reasonably specific implementation details in order to be exploitable remotely, it is potentially applicable to any application that accepts XML document inputs. Several workarounds exist and have been detailed in this paper and the technique does not offer the ability to perform advanced fingerprinting or analysis of the underlying operating system of hosts. However, this technique demonstrates the danger that inadequately configured XML parsers can pose to an organisation and highlights the inability of traditional network security devices to handle application-level threats. The report is available for download from the SIFT website: http://www.sift.com.au/36/172/xml-port-scanning-bypassing-restrictive-perime ter-firewalls.htm Regards, Paul Theriault www.sift.com.au ------------------------------------------------------------------------- Sponsored by: Watchfire It's been reported that 75% of websites are vulnerable to attack. That's because hackers know to exploit weaknesses in web applications. Traditional approaches to securing these assets no longer apply. Download the "Addressing Challenges in Application Security" whitepaper today, and see for yourself. https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmw -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire It's been reported that 75% of websites are vulnerable to attack. That's because hackers know to exploit weaknesses in web applications. Traditional approaches to securing these assets no longer apply. Download the "Addressing Challenges in Application Security" whitepaper today, and see for yourself. https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmw --------------------------------------------------------------------------
Current thread:
- XML Port Scanning Paul Theriault (Sep 26)
- XML File Inclusion and Path Traversal Attacks (was RE: XML Port Scanning) Jan P. Monsch (Sep 27)