Re: PAPER: Attacking Server Side XML Parsers

[Chris Evans <scarybeasts () gmail com>]

On Tue, Feb 1, 2011 at 5:55 PM, HI-TECH . <
isowarez.isowarez.isowarez () googlemail com> wrote:

> Hello lists,
>
> the paper included in this email discusses as the subject describes the
> issues of XML Parsers and how they can be exploited in a web
> application environment.
> > From the Preface:
>
> During the audit of web applications one might come across an
> application which handles XML files.
> Specifically there can be an application which allows uploading XML
> files which are thereafter inserted
> into a database and used for later displaying on the front end of the
> application viewable by the user.
> I came across a significant “vulnerability class” which allows an
> attacker (or penetration tester) to
> evoke a scenario which will give access to all files on the underlying
> file system which the application
> server runs as. This includes (in the case the application is
> programmed in the Java language) access
> to directory listings as well.
>
> Any pointers if this was helpful to you are appriciated.

This attack is called XXE (Xml eXternal Entity).

It's depressing because it's been known about since at least 2002 (
http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00421.html), yet it
still keeps rearing its head. There's also the "billion laughs" attack which
is a variant that consumes excessive server-side resource.

There have also been client-side examples of this attack, including in
Safari and (IIRC) Adobe Reader.


Cheers
Chris


> Best Regards,
>
> Kingcope
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/