WebApp Sec mailing list archives
Re: Testing Webservices ASMX
From: Arvind <arvind.doraiswamy () gmail com>
Date: Fri, 3 Aug 2012 19:32:50 +0530
Thanks Kevin... I didn't... no. Largely I kind of ran out of time. So when I saw that I could not break out of the XML tags, I kind of gave up on it.

Are you saying though, even though you can't break out of tags, by say closing them, you can still inject data using that string you mentioned? How does it work? Is there a good read you could point me to, by any chance?

Another thing that I forgot to mention (rather inexcusably) was that I seemed to be able to close elements. So for example, if the tree was like this:

<root><a1><a2>arvind</a2></a1></root>

...and 'arvind' was user controlled... I could do something like:

arvind</a2></a1></root><xml script=blah blah..... ....

This seemed to give me hope; as in, I'd get an error message saying stuff like this here - http://postimage.org/image/o8vb2m9k9/ . This made me think that I was on track; but the fact that my tags kept getting encoded put me off after a while.

Arvind

On Fri, Aug 3, 2012 at 7:19 PM, Wall, Kevin <Kevin.Wall () centurylink com> wrote:
> Arvind,
>
> Just wondering... did you try injecting via non-parsed data, as in
>
> <![CDATA[ evil_payload_here ]]>
>
> That will work a lot of times if all the web service is relying on for data validation is XML schema validation (which is rather common). That allows you to inject a payload of whatever you want wherever you want if all they are doing is schema validation.
>
> -kevin
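
Added example, not part of either poster's message: a defender's view of the CDATA point above, using Python's standard XML parser rather than the ASMX stack under discussion. The sample documents reuse the <root><a1><a2> tree from the post; the allowlist rule and all function names are assumptions made for illustration.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample requests built on the <root><a1><a2> tree from the post.
PLAIN = "<root><a1><a2>arvind</a2></a1></root>"
CDATA = "<root><a1><a2><![CDATA[<b>arvind</b> & co]]></a2></a1></root>"

# Hypothetical business rule for the a2 field (assumption): a short name.
A2_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def structure(doc):
    """Element names in document order: all that a structure-only check
    (for example a schema typing a2 as a plain string) looks at."""
    return [el.tag for el in ET.fromstring(doc).iter()]


def extract_a2(doc):
    """Value the application receives after parsing. The CDATA markers are
    consumed by the parser and the characters inside arrive unescaped."""
    return ET.fromstring(doc).findtext("a1/a2")


def validate_a2(value):
    """Allowlist check on the parsed value, so the result does not depend on
    how the sender encoded the text inside the XML."""
    return value is not None and A2_ALLOWED.fullmatch(value) is not None


def render(value):
    """Encode for the output context (HTML here) before the value is echoed."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for doc in (PLAIN, CDATA):
        value = extract_a2(doc)
        print(structure(doc), repr(value), validate_a2(value), render(value))
```

Both documents have the same element structure, so a check that looks only at structure and a string type treats them alike; the difference only shows up when the parsed value itself is validated and encoded.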