WebApp Sec mailing list archives

Re: Testing Webservices ASMX


From: Arvind <arvind.doraiswamy () gmail com>
Date: Mon, 6 Aug 2012 15:12:34 +0530

Forwarding to the list..


Thnx Kevin...I didn't ..no. Largely I kind of ran out of time. So when
I saw that I could not break out of the XML tags, I kind of gave up on
it. Are you saying though, even though you can't break out of tags, by
say closing them, you can still inject data using that string you
mentioned?

Yes; that's what I'm saying.

How does it work?

The
        <![CDATA[ ... ]]>

construct introduces non-parsed data into the XML stream. It is instructions
to the XML parser (whether SAX or DOM based, it really doesn't matter) that
it should not look at and try to make sense of the data where the "..." is
because it may not be XML data.

Is there a good read you could point me to, by any chance?

I don't have any that offhand I could recommend, but if you just Google for

        CDATA XSS
or
        CDATA SQLi

you'll find a lot of interesting stuff, including things from OWASP.

Note however, that just because the XML parser itself will ignore it,
the application may still validate the data and thus you still may be
limited in what you can do.  However, if the application is only relying
on XML schema validation for the input checking, then this will work as
XML schema validation is done by the XML parsers.

Another thing that I forgot to mention (rather inexcusably) was that
I seemed to be able to close elements. So for example: If the tree was
like this:

<root><a1><a2>arvind</a2></a1></root>

....and 'arvind' was user controlled...I could do something like
arvind</a2></a1></root><xml script=blah blah..... ....

This seemed to give me hope; as in, I'd get an error message saying
stuff like this here - http://postimage.org/image/o8vb2m9k9/ . This
made me think that I was on track; but the fact that my tags kept
getting encoded put me off after a while.

XML schema validation will be able to defeat that.  Of course, if you
want to try this, you should select something that is at least valid
XML. What you have shown would not be, because there can only be
a single <xml> node per XML request.

But instead of
        <root><a1><a2>arvind</a2></a1></root>

try something like:
        <root><a1><a2>
<![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
</a2></a1></root>

Note that here, the CDATA construct is just used to escape the '<' and '>'.

Lastly, you didn't say whether or not this is a REST-based web service
that simply sends XML requests or a SOAP-based web service. If it is
a REST-based web service, you can also try the usual directory traversal
tricks on the URL.

-kevin
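As an added example (not part of the thread), the following Python script shows what an XML parser hands the application for the CDATA-escaped request Kevin suggests, and why the closing tags typed into the earlier attempt came back encoded. Standard library only; all documents are constructed inputs modelled on the `<root><a1><a2>...</a2></a1></root>` tree from the thread.

```python
# Added example (not from the original thread): how an XML parser treats
# CDATA, and why input validation must run on the parsed text value.
import html
import xml.etree.ElementTree as ET

# Constructed inputs: the same payload written two ways on the wire.
CDATA_DOC = ("<root><a1><a2>"
             "<![CDATA[<]]>script<![CDATA[>]]>alert('xss')"
             "<![CDATA[<]]>/script<![CDATA[>]]>"
             "</a2></a1></root>")
ENTITY_DOC = ("<root><a1><a2>"
              "&lt;script&gt;alert('xss')&lt;/script&gt;"
              "</a2></a1></root>")


def a2_text(doc):
    # Character data of <a2> as the parser delivers it to the application:
    # CDATA sections and entity references are already resolved here.
    root = ET.fromstring(doc)
    return root.find("./a1/a2").text or ""


def contains_markup(value):
    # Application-level check on the *parsed* value; how the bytes were
    # encoded on the wire (CDATA or entities) makes no difference.
    return "<" in value or ">" in value


def render_html(value):
    # Output encoding for an HTML context neutralises the value whatever
    # route it took through the XML layer.
    return html.escape(value, quote=True)


def build_request(user_value):
    # Server-side construction with the XML library: a value containing
    # closing tags is serialised as character data, so it comes back as
    # &lt;/a2&gt; rather than ending the element.
    root = ET.Element("root")
    a2 = ET.SubElement(ET.SubElement(root, "a1"), "a2")
    a2.text = user_value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for doc in (CDATA_DOC, ENTITY_DOC):
        value = a2_text(doc)
        print(repr(value), "markup:", contains_markup(value))
        print(render_html(value))
    print(build_request("arvind</a2></a1></root><xml script=x>"))
```

Both documents parse to the identical `<a2>` text, which is why schema validation alone (run by the parser on structure, not on the meaning of the text) does not stop this while a check on the parsed value does.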


