AppSec Europe 2016

Extensible Markup Language (XML) is extensively used today in applications, protocols and databases. XML has to be well-formed and can optionally be valid. If the document conforms to the grammar which is specified within the DTD, the document is called valid. DTDs also introduce enities which are basics storage units. This is problematic because entities introduce a series of vulnerabilities. Two of the most widely known constitute a denial-of-service (DoS) attack, called billion laughs, and an XML External Entity (XXE) attack. Both were first discovered back in 2002. With web services becoming more popular and other standards evolving, like XML Inclusions (XInclude) and Extensible Stylesheet Language Transformations (XSLT), other threats soon followed, like using XInclude in a similar way as XXE, URL Invocation to conduct Server Side Request Forgery attacks and encoding issues. Using XSLT and the security thereof is a (research) topic on its own. A quick Internet search quickly reveals that most of these threats are still active today and are further developed and automated. [1][2][3] At the time of writing the Common Vulnerability Database [4] reports a total of 168 findings for XXE and 15 for DoS using billion laughs attack. Therefore we assume that DTDs are still prevalent and widely activated. D.Morgan and Ibrahim [5] have investigated this matter in a structured way in 2014. Other news concerning security of XML seem to be spread all over the Internet [6][7][8][9][10].

This presentation delivers the following contributions. First we accumulate up to date knowlegde of XML security. Second we implement tests for a better understanding of entity processing. Third we implement an exhaustive set of tests to check the default settings of a plethora of parsers from different programming languages. Fourth we investigate the impact of features which govern the processing of DTD and entities in those parsers. Fifth we present a new attack using XML Attribute Value Normalization, which is a part of the XML specification.

Summray:
- We show how DTD attacks are working
- 28 parser of 6 languages were analyzed (Ruby, .NET, PHP, Java, Python, Perl.)
- A total of 1107 tests were executed to evaluate the security of all parsers
- We computed a score to measure the security of each parser, helping a developer choosing the best parser.


[1] Ssd advisory – zendxml multibyte payloads xxe/xee. [Online]. Available: https://blogs.securiteam.com/index.php/archives/2550
[2] Burp suite now reports blind xxe injection. [Online]. Available: http://blog.portswigger.net/2015/05/burp-suite-now-reports-blind-xxe.html?m=1
[3] Forcing xxe reflection through server error messages. [Online]. Available: https://blog.netspi.com/forcing-xxe-reflection-server-error-messages/
[4] Cve - common vulnerabilities and exposures (cve). [Online]. Available: https://cve.mitre.org
[5] Xml schema, dtd, and entity attacks. [Online]. Available: http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
[6] Nir goldshlager. [Online]. Available: https://twitter.com/Nirgoldshlager/status/618417178505814016
[7] Best xml library to validate xml from untrusted source. [Online]. Available: http://www.perlmonks.org/?node_id=1104296
[8] [Online]. Available: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
[9] [Online]. Available: https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf
[10] [Online]. Available: http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html