Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lesser Known Injections XML Injections AMol NAik.

Published byStephen O’Brien’ Modified over 9 years ago

Similar presentations

Presentation on theme: "Lesser Known Injections XML Injections AMol NAik."— Presentation transcript:

1 Lesser Known Injections XML Injections AMol NAik

2 About me Web Application PentesterCore member of Garage4HackersBounty Hunter in pastCurrently fuzzing browsers for Fun & Profit

3 Garage4Hackers Family of 3,800, posts 8k+40+ best Bug Bounty submissions15+ browser bugs in Chrome, IE, FF & SafariASLR bypass method presented at CanSecWest was already shared on G4H forum5+ Information Security Research (cable TV & Datacard)10+ Tools & scripts, 1+ Web application CTFRanchhoddas Webcast Series – 5+ webinarsFollow us on Twitter @garage4hackers

4 Agenda XML BasicXML InjectionXXE AttackXPath BasicsXPath Injections

5 XXE is a the new SQL Injection - Someone on Twitter

6 XML Injection in Real-World Yandex pwned for $5000 with XXE by @d0znppOpenID XXE by Reginaldo SilvaMultiple XXE bugs by @Securatary teamXXE in Google Toolbar by Detectify team - $10k

7 XML Basics

8 eXtensible Markup LanguageFlexible text- based formatPresents structured infoUsed for Data Exchange/Storage

9 XML Components

10 XML – CDATA Section Tells parser not to use markup for characters in this sectionExamples:

11 XML Injections

12 Injection Points

13 XML Injection – Node Attribute

14

15 XML Injection – Node Value

16

17 XML Injection – CDATA Section

18

19 XXE Attack

20 XML Entity VariableDefine Can be Internal/External

21 XML Entity

22 XXE Attack

23 XPath Basics Language to select XML NodesFormats XML data as tree-structured valuesSimilar as SQL (in some sense)

24 XPath Syntax Uses path expressions to select nodes or node-sets in an xml document ExpressionDescription nodenameSelects all child nodes of the named node /Selects from root node //Selects nodes from the current node that match the selection no matter where they are.Selects current node..Selects parent of the current node

25 XPath Predicates Used to find a specific node or a node that contain specific value.Always embedded in square brackets

26 XPath Predicates ExpressionResult /Employees/Employee[1]Selects first ‘Employee’ element that is the child of ‘Employees’ element /Employees/Employee[last()]Selects last ‘Employee’ element that is the child of ‘Employees’ element /Employees/Employee[position()<3]Selects first 2 ‘Employee’ elements that are children of Employees element //Employee[@ID=‘1’]Selects all the ‘Employee’ elements that have an attribute named ‘ID’ with a value of ‘1’

27 XPath Location Path Syntax: axisname::nodetest[predicate]

28 XPath Location Path ExampleResult child::EmployeeSelects all ‘Employee’ node that are children of the current node attribute::idSelects the id attribute of the current node child::*Selects all children of the current node attribute::*Selects all attributes of the current node child::text()Selects all text child nodes of the current node child::node()Selects all child nodes of the current node descendant::EmployeesSelects all ‘Employees’ descendants of the current node

29 XPath Injection XPath Query: /Employees/Employee[UserName/text() = ‘user’ and Password/text() = ‘passwd’]/Type/text()

30 XPath Injection No UserName & Password known:

31 XPath Injection UserName known: /Employees/Employee[UserName/text() = ‘mbrown’ or ‘1’=‘1’ and Password/text() = ‘anything’]Type/text()

32 XPath Injection No UserName & Password known & Password is not vulnerable:

33 Conclusion XML Injections are ignoredMany sites having these issues

34 That's It !! AMol NAik @amolnaik4 mailto: amolnaik4@garage4hackers.com

35 References XPath InjectionHacking XPath 2.0Blind XPath Injection

Download ppt "Lesser Known Injections XML Injections AMol NAik."

Similar presentations

Dr. Alexandra I. Cristea CS 253: Topics in Database Systems: XPath, NameSpaces.

Dr. Alexandra I. Cristea CS 253: Topics in Database Systems: XPath, NameSpaces.
The eXtensible Markup Language (XML) An Applied Tutorial Kevin Thomas.

The eXtensible Markup Language (XML) An Applied Tutorial Kevin Thomas.
Dr. Alexandra I. Cristea XPath and Namespaces.

Dr. Alexandra I. Cristea XPath and Namespaces.
Team 23 Multilingual Online Dictionary 資工碩一 吳全勳 R02922002 資工四 李竺軒 B99902033 電機四 何 偉 B99901068 資工二 王昱蓉 B01902018.

Team 23 Multilingual Online Dictionary 資工碩一 吳全勳 R 資工四 李竺軒 B 電機四 何 偉 B 資工二 王昱蓉 B
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
XPath Eugenia Fernandez IUPUI. XML Path Language (XPath) a data model for representing an XML document as an abstract node tree a mechanism for addressing.

XPath Eugenia Fernandez IUPUI. XML Path Language (XPath) a data model for representing an XML document as an abstract node tree a mechanism for addressing.
Multi Platform Applications XML, XPath, XSLT transform.

Multi Platform Applications XML, XPath, XSLT transform.
Introduction XML Technologies Mark Graves. This presentation is Copyright 2001, 2002 by Mark Graves and contains material Copyright 2002 by Prentice Hall.

Introduction XML Technologies Mark Graves. This presentation is Copyright 2001, 2002 by Mark Graves and contains material Copyright 2002 by Prentice Hall.
1 Overview of XPath. 2 XPATH XPath expressions are used to locate nodes in XML documents The list of nodes located by an XPath expression is called a.

1 Overview of XPath. 2 XPATH XPath expressions are used to locate nodes in XML documents The list of nodes located by an XPath expression is called a.
XSL Concepts Lecture 7. XML Display Options What can XSL Transformations do? generation of constant text suppression of content moving text (e.g., exchanging.

XSL Concepts Lecture 7. XML Display Options What can XSL Transformations do? generation of constant text suppression of content moving text (e.g., exchanging.
XSL Transformations Lecture 8, 07/08/02. Templates The whole element is a template The match pattern determines where this template applies Result element(s)

XSL Transformations Lecture 8, 07/08/02. Templates The whole element is a template The match pattern determines where this template applies Result element(s)
XML: New or Old? XML was not an extention of HTML That already existed! SGML (ISO 8879) XML was a simplification of SGML  80 / 20 rule  (80% of the features.

XML: New or Old? XML was not an extention of HTML That already existed! SGML (ISO 8879) XML was a simplification of SGML  80 / 20 rule  (80% of the features.
XML, XPATH and JDOM ICW Lecture 9 Hasan Qunoo. Recap -XML document structure. -XML parsers. -JDOM: -Package Info. -Load An XML document. -Saving An XML.

XML, XPATH and JDOM ICW Lecture 9 Hasan Qunoo. Recap -XML document structure. -XML parsers. -JDOM: -Package Info. -Load An XML document. -Saving An XML.
XML –Query Languages, Extracting from Relational Databases ADVANCED DATABASES Khawaja Mohiuddin Assistant Professor Department of Computer Sciences Bahria.

XML –Query Languages, Extracting from Relational Databases ADVANCED DATABASES Khawaja Mohiuddin Assistant Professor Department of Computer Sciences Bahria.
Manohar – Why XML is Required Problem: We want to save the data and retrieve it further or to transfer over the network. This.

Manohar – Why XML is Required Problem: We want to save the data and retrieve it further or to transfer over the network. This.
Aalborg University – Department of Production XML Extensible Markup Language Kaj A. Jørgensen Aalborg University, Department of Production XML – Extensible.

Aalborg University – Department of Production XML Extensible Markup Language Kaj A. Jørgensen Aalborg University, Department of Production XML – Extensible.
ECA 228 Internet/Intranet Design I Intro to XSL. ECA 228 Internet/Intranet Design I XSL basics W3C standards for stylesheets – CSS – XSL: Extensible Markup.

ECA 228 Internet/Intranet Design I Intro to XSL. ECA 228 Internet/Intranet Design I XSL basics W3C standards for stylesheets – CSS – XSL: Extensible Markup.
OU Campus Intermediate Training Workshop. Agenda Administrator Overview and Roles Administrator Controls Administrator Configuration Setting Up Access.

OU Campus Intermediate Training Workshop. Agenda Administrator Overview and Roles Administrator Controls Administrator Configuration Setting Up Access.
Chapter 4 Web Pages Using Web Standards Chapter 3 XML – the ‘X’ in Ajax.

Chapter 4 Web Pages Using Web Standards Chapter 3 XML – the ‘X’ in Ajax.
XML Anisha K J Jerrin Thomas. Outline  Introduction  Structure of an XML Page  Well-formed & Valid XML Documents  DTD – Elements, Attributes, Entities.

XML Anisha K J Jerrin Thomas. Outline  Introduction  Structure of an XML Page  Well-formed & Valid XML Documents  DTD – Elements, Attributes, Entities.

Similar presentations

Ads by Google