WebApp Sec mailing list archives

Re: Testing Webservices ASMX


From: Arvind <arvind.doraiswamy () gmail com>
Date: Fri, 3 Aug 2012 19:32:50 +0530

Thanks Kevin... I didn't, no. Largely I kind of ran out of time. So when
I saw that I could not break out of the XML tags, I kind of gave up on
it. Are you saying though, even though you can't break out of tags, by
say closing them, you can still inject data using that string you
mentioned? How does it work? Is there a good read you could point me
to, by any chance?

Another thing that I forgot to mention (rather inexcusably) was that
I seemed to be able to close elements. So for example: If the tree was
like this:

<root><a1><a2>arvind</a2></a1></root>

....and 'arvind' was user controlled...I could do something like
arvind</a2></a1></root><xml script=blah blah..... ....

This seemed to give me hope; as in, I'd get an error message saying
stuff like this here - http://postimage.org/image/o8vb2m9k9/ . This
made me think that I was on track; but the fact that my tags kept
getting encoded put me off after a while.

Arvind

On Fri, Aug 3, 2012 at 7:19 PM, Wall, Kevin <Kevin.Wall () centurylink com> wrote:
Arvind,

Just wondering... did you try injecting via non-parsed data, as in

        <![CDATA[ evil_payload_here ]]>

That will work a lot of times if all the web service is relying on
for data validation is XML schema validation (which is rather common).

That allows you to inject a payload of whatever you want wherever you
want if all they are doing is schema validation.

-kevin
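
Added example, not part of either message in this thread: a Python standard-library sketch of why a CDATA section passes a structure-only check, and of the two controls that address it (validating the parsed value and serializing through an XML API). The element count stands in for the structural part of schema validation, and the `SAFE_VALUE` pattern and the `<out><name>` output document are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample requests using the <root><a1><a2> tree from the thread.
PLAIN = "<root><a1><a2>arvind</a2></a1></root>"
CDATA = "<root><a1><a2><![CDATA[arvind<b>x</b>]]></a2></a1></root>"
ESCAPED = "<root><a1><a2>arvind&lt;b&gt;x&lt;/b&gt;</a2></a1></root>"

# Hypothetical allowlist for the a2 field; real rules depend on the field.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def element_count(doc):
    """Number of elements in the parsed tree (the shape a schema checks)."""
    return sum(1 for _ in ET.fromstring(doc).iter())


def a2_value(doc):
    """Character data of <a2> as the application receives it after parsing."""
    return ET.fromstring(doc).find("./a1/a2").text


def is_acceptable(value):
    """Value-level check applied after parsing, independent of the schema."""
    return value is not None and SAFE_VALUE.fullmatch(value) is not None


def build_unsafe(value):
    """String concatenation: markup characters in the value become markup."""
    return "<out><name>" + value + "</name></out>"


def build_safe(value):
    """XML API serialization: markup characters in the value are escaped."""
    out = ET.Element("out")
    ET.SubElement(out, "name").text = value
    return ET.tostring(out, encoding="unicode")


if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("cdata", CDATA), ("escaped", ESCAPED)):
        value = a2_value(doc)
        print(label, element_count(doc), repr(value), is_acceptable(value))
    print(element_count(build_unsafe(a2_value(CDATA))))  # tree gains an element
    print(build_safe(a2_value(CDATA)))                   # value stays text
```

The CDATA and entity-encoded requests parse to the same string and the same tree shape as the plain request, so the difference only appears when the parsed value is checked or reused downstream.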


