WebApp Sec mailing list archives
Re: Testing Webservices ASMX
From: Arvind <arvind.doraiswamy () gmail com>
Date: Mon, 6 Aug 2012 15:12:34 +0530
Forwarding to the list..
Thanks Kevin... I didn't... no. Largely I kind of ran out of time. So when I saw that I could not break out of the XML tags, I kind of gave up on it. Are you saying though, even though you can't break out of tags, by say closing them, you can still inject data using that string you mentioned?
Yes; that's what I'm saying.
How does it work?
The <![CDATA[ ... ]]> construct introduces non-parsed data into the XML stream. It is an instruction to the XML parser (whether SAX or DOM based, it really doesn't matter) that it should not look at and try to make sense of the data where the "..." is, because it may not be XML data.
Is there a good read you could point me to, by any chance?
I don't have any offhand that I could recommend, but if you just Google for CDATA XSS or CDATA SQLi you'll find a lot of interesting stuff, including things from OWASP. Note however, that just because the XML parser itself will ignore it, the application may still validate the data and thus you still may be limited in what you can do. However, if the application is only relying on XML schema validation for the input checking, then this will work, as XML schema validation is done by the XML parsers.
Another thing that I forgot to mention (rather inexcusably) was that I seemed to be able to close elements. So for example: If the tree was like this: <root><a1><a2>arvind</a2></a1></root> ....and 'arvind' was user controlled...I could do something like arvind</a2></a1></root><xml script=blah blah..... .... This seemed to give me hope; as in, I'd get an error message saying stuff like this here - http://postimage.org/image/o8vb2m9k9/ . This made me think that I was on track; but the fact that my tags kept getting encoded put me off after a while.
XML schema validation will be able to defeat that. Of course, if you want to try this, you should select something that is at least valid XML. What you have shown would not be, because there can only be a single <xml> node per XML request. But instead of <root><a1><a2>arvind</a2></a1></root> try something like:

<root><a1><a2> <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]> </a2></a1></root>

Note that here, the CDATA construct is just used to escape the '<' and '>'.

Lastly, you didn't say whether or not this is a REST-based web service that simply sends XML requests or a SOAP-based web service. If it is a REST-based web service, you can also try the usual directory traversal tricks on the URL.

-kevin
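As an added illustration (not part of the thread), the following Python snippet shows why the CDATA payload above gets past any check that only inspects the raw request: the request body is constructed to match Kevin's example (element names root/a1/a2 taken from the thread), a string match on the wire text never sees "<script", yet once the parser resolves the CDATA sections the element's text is the plain script tag, so validation and encoding have to operate on the decoded text.

```python
import html
import xml.etree.ElementTree as ET

# Constructed request body in the shape of the payload from the thread.
# The CDATA sections carry the raw '<' and '>' that an ordinary text node
# would have to write as &lt; and &gt;.
REQUEST = (
    "<root><a1><a2>"
    "<![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>"
    "</a2></a1></root>"
)


def extract_a2(xml_text):
    """Parse the request the way a service would and return a2's text content.

    The parser merges the CDATA pieces with the surrounding text, so the
    returned string is the decoded value the application actually receives.
    """
    root = ET.fromstring(xml_text)
    return root.findtext("a1/a2")


def wire_text_filter_passes(xml_text):
    """A naive filter on the undecoded request; it never sees '<script' here."""
    return "<script" not in xml_text


def contains_markup(decoded):
    """Content check on the decoded text: this is where the '<' and '>' show up."""
    return "<" in decoded or ">" in decoded


def safe_for_html(decoded):
    """Output-encode the decoded value before it is placed in an HTML page."""
    return html.escape(decoded, quote=True)


if __name__ == "__main__":
    value = extract_a2(REQUEST)
    print("wire filter passes:", wire_text_filter_passes(REQUEST))
    print("decoded a2 text:   ", value)
    print("markup in decoded: ", contains_markup(value))
    print("html-encoded:      ", safe_for_html(value))
```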