AppSec Europe 2016 has ended
Friday, July 1 • 14:10 - 14:55
From DTD to XXE: An Evaluation of XML-Parsers


Extensible Markup Language (XML) is extensively used today in applications, protocols and databases. XML has to be well-formed and can optionally be valid: if a document conforms to the grammar specified in its Document Type Definition (DTD), it is called valid. DTDs also introduce entities, which are the basic storage units of XML. This is problematic, because entities introduce a series of vulnerabilities. The two most widely known are a denial-of-service (DoS) attack called billion laughs and the XML External Entity (XXE) attack; both were first discovered back in 2002. With web services becoming more popular and other standards evolving, such as XML Inclusions (XInclude) and Extensible Stylesheet Language Transformations (XSLT), further threats soon followed: XInclude used in a similar way to XXE, URL invocation to conduct Server Side Request Forgery (SSRF) attacks, and encoding issues. The security of XSLT is a (research) topic on its own. A quick Internet search reveals that most of these threats are still active today and are being further developed and automated [1][2][3]. At the time of writing, the CVE list [4] reports a total of 168 entries for XXE and 15 for DoS via the billion laughs attack. We therefore assume that DTDs are still prevalent and widely enabled. D. Morgan and Ibrahim [5] investigated this matter in a structured way in 2014. Other reports on XML security are spread across the Internet [6][7][8][9][10].

This presentation delivers the following contributions. First, we accumulate up-to-date knowledge of XML security. Second, we implement tests for a better understanding of entity processing. Third, we implement an exhaustive set of tests to check the default settings of a plethora of parsers from different programming languages. Fourth, we investigate the impact of the features which govern the processing of DTDs and entities in those parsers. Fifth, we present a new attack using XML Attribute Value Normalization, which is part of the XML specification.

- We show how DTD attacks work
- 28 parsers from 6 languages were analyzed (Ruby, .NET, PHP, Java, Python, Perl)
- A total of 1107 tests were executed to evaluate the security of all parsers
- We computed a score to measure the security of each parser, helping developers choose the best parser.

[1] SSD Advisory – ZendXml Multibyte Payloads XXE/XEE. [Online]. Available: https://blogs.securiteam.com/index.php/archives/2550
[2] Burp Suite now reports blind XXE injection. [Online]. Available: http://blog.portswigger.net/2015/05/burp-suite-now-reports-blind-xxe.html?m=1
[3] Forcing XXE reflection through server error messages. [Online]. Available: https://blog.netspi.com/forcing-xxe-reflection-server-error-messages/
[4] CVE: Common Vulnerabilities and Exposures. [Online]. Available: https://cve.mitre.org
[5] XML Schema, DTD, and Entity Attacks. [Online]. Available: http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
[6] Nir Goldshlager, Twitter post. [Online]. Available: https://twitter.com/Nirgoldshlager/status/618417178505814016
[7] Best XML library to validate XML from untrusted source. [Online]. Available: http://www.perlmonks.org/?node_id=1104296
[8] OWASP, XML External Entity (XXE) Processing. [Online]. Available: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
[9] Osipov, Black Hat Europe 2013 briefing slides on XML data. [Online]. Available: https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf
[10] XXE OOB exploitation at Java 1.7. [Online]. Available: http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html


Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009 he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker and has published several papers in the field of XML security... Read More →

Vladislav Mladenov

Ruhr University Bochum
Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topics... Read More →

Christopher Späth

Christopher Späth is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He wrote his master thesis about the security implications of DTD attacks against a wide range of XML parsers. His first contact with XML security was back in 2011, when he wrote... Read More →

Friday July 1, 2016 14:10 - 14:55 CEST
Room B (Tiziano Ballroom Sec. 1)