17 Feb, 2023

XML Injection

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

XML Injection is a type of web application vulnerability that occurs when an attacker is able to inject malicious code into an XML input field or parameter. The attacker may use this vulnerability to manipulate the XML data being processed by the application, potentially causing it to execute unintended commands, expose sensitive data, or perform unauthorized actions. The attack vector can be through specially crafted XML input containing malicious tags, entities, or comments which can lead to code execution or data leakage. It is important for web application developers to be aware of this vulnerability and to take steps to prevent it, such as by sanitizing user input, validating input data, and using parameterized queries.

Example of vulnerable code on different programming languages:


in PHP:

				
					$xml_data = $_POST['xml_data'];
$xml_parser = xml_parser_create();
xml_parse($xml_parser, $xml_data);

				
			


In this code, the $_POST['xml_data'] variable is passed directly to the xml_parse() function without any validation or sanitization. This makes the code vulnerable to XML Injection attacks.

• in Java:

				
					String xmlData = request.getParameter("xml_data");
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(new InputSource(new StringReader(xmlData)));

				
			


In this code, the request.getParameter("xml_data") method is used to retrieve the XML data from the request, which can be manipulated by an attacker. This makes the code vulnerable to XML Injection attacks.

• in C#:

				
					XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(Request["xml_data"]);

				
			


In this code, the Request["xml_data"] method is used to retrieve the XML data from the request, which can be manipulated by an attacker. This makes the code vulnerable to XML Injection attacks.

Examples of exploitation XML Injection

Reading Sensitive Information:

An attacker could inject a malicious XML payload that exploits the vulnerability to read sensitive information from the application or database. For example, an attacker could inject an XML payload that retrieves all user account details, including usernames and passwords.

Modifying Data:

An attacker could inject a malicious XML payload that exploits the vulnerability to modify data within the application or database. For example, an attacker could inject an XML payload that modifies the price of a product to a very low value.

Denial of Service:

An attacker could inject a malicious XML payload that exploits the vulnerability to launch a denial of service (DoS) attack. For example, an attacker could inject an XML payload that creates an infinite loop, causing the application to consume excessive resources and eventually crash.

Remote Code Execution:

An attacker could inject a malicious XML payload that exploits the vulnerability to execute arbitrary code on the server. For example, an attacker could inject an XML payload that executes a command on the server, allowing the attacker to gain control over the server.

Privilege escalation techniques for XML Injection

  • Injecting an XML payload that exploits a vulnerability in the application or server, allowing the attacker to gain access to the operating system or other sensitive resources.

  • Modifying the XML data in a way that allows the attacker to bypass access controls and gain access to sensitive information or perform actions that they are not authorized to perform.

  • Injecting an XML payload that allows the attacker to execute arbitrary code on the server, which can then be used to escalate privileges or gain access to sensitive resources.

  • Using XML Injection to manipulate the behavior of the application in a way that allows the attacker to take control of the system or escalate privileges. For example, an attacker might inject an XML payload that allows them to execute administrative commands or bypass authentication checks.

  • Using XML Injection to create a new user account with administrative privileges, giving the attacker full control over the system.

General methodology and checklist for XML Injection

Methodology:

  1. Understand the application: Obtain a deep understanding of the application and its functionality. This can include identifying the input fields, data sources, and data output formats.

  2. Identify input fields: Identify all input fields that accept XML data or XML-like data, including search fields, file upload fields, and other forms that accept user input.

  3. Create test plan: Create a test plan that outlines the steps you will take to test for XML Injection vulnerabilities. This can include a list of test cases and payloads to be used during testing.

  4. Test payloads: Inject test payloads into each input field to determine whether the application is vulnerable to XML Injection. Test payloads should include a variety of XML payloads, including those with malformed data, malicious scripts, and tags that can exploit known vulnerabilities in the application.

  5. Verify results: Verify the results of the test payloads to determine whether the application is vulnerable to XML Injection. This can include reviewing the server’s response, checking the application’s logs for error messages, and reviewing the output of the application to ensure that it is properly formatted and does not contain any unexpected data.

  6. Test for HTTP parameter pollution: Test for HTTP parameter pollution by sending multiple parameters with the same name, each containing different XML data. This can help to identify vulnerabilities where the application is unable to distinguish between different XML input fields, leading to unexpected behavior or exploitation.

  7. Test for file inclusion vulnerabilities: Test for file inclusion vulnerabilities by injecting XML payloads that include references to external files, such as DTD files or other resources. This can help to identify vulnerabilities that allow an attacker to read or write to files on the server.

  8. Test for XXE attacks: Test for XML External Entity (XXE) attacks, which can be used to read files on the server, retrieve sensitive data, or execute arbitrary code. This can be done by injecting malicious payloads that contain external entities, then verifying the results to determine whether the attack was successful.

  9. Test for SOAP vulnerabilities: If the application uses SOAP-based web services, test for vulnerabilities that allow an attacker to inject malicious code into the SOAP message or modify its contents.

  10. Document findings: Document any vulnerabilities or potential vulnerabilities that were discovered during testing, including a description of the vulnerability, its severity, and any recommended remediation steps.

Checklist:

  1. Identify all input fields that accept XML data or XML-like data.

  2. Test input validation by injecting payloads with malformed XML, invalid characters, or encoding errors.

  3. Test for HTTP parameter pollution by injecting multiple parameters with the same name, each containing different XML data.

  4. Test for file inclusion vulnerabilities by injecting XML payloads that include references to external files, such as DTD files or other resources.

  5. Test for XML External Entity (XXE) attacks by injecting payloads that contain external entities and verifying the results to determine whether the attack was successful.

  6. Test for SOAP vulnerabilities by injecting payloads into SOAP messages and verifying the results to determine whether the attack was successful.

  7. Test for injection vulnerabilities by injecting payloads that contain SQL, XPath, or other query languages and verifying the results to determine whether the attack was successful.

  8. Test for denial-of-service vulnerabilities by injecting payloads that are designed to consume large amounts of system resources, such as recursive or deeply nested XML payloads.

  9. Test for input filtering and sanitization by injecting payloads that contain HTML tags, JavaScript code, or other malicious code, and verifying the results to determine whether the attack was successful.

  10. Check the application’s error messages and logs for information that could be used to craft XML Injection attacks.

  11. Verify that the application does not include sensitive information in its XML output, such as user names, passwords, or other personal data.

  12. Verify that the application does not allow users to upload or download XML files without appropriate filtering and validation.

Tools set for exploiting XML Injection

Automated Tools:

  • Burp Suite – a comprehensive web application security testing tool that includes features for XML injection testing. It allows you to intercept and modify XML requests and responses to find vulnerabilities.

  • OWASP ZAP – an open-source web application security testing tool that includes a suite of tools for finding XML injection vulnerabilities. It provides a proxy, scanner, and other features for testing web applications.

  • SOAPUI – a testing tool specifically designed for testing web services, including those that use XML. It allows you to send and receive XML requests and responses and manipulate them to test for vulnerabilities.

  • SoapSonar – a testing tool specifically designed for testing SOAP-based web services. It includes features for testing XML messages and detecting vulnerabilities.

  • W3af – an open-source web application security testing tool that includes features for detecting XML injection vulnerabilities. It can be used for both manual and automated testing.

  • SoapUI Pro – a commercial version of SoapUI that includes additional features for testing web services, including those that use XML. It provides an intuitive user interface and support for advanced scripting.

  • IBM AppScan – a web application security testing tool that includes features for testing for XML injection vulnerabilities. It can be used for both manual and automated testing.

  • Netsparker – a web application security testing tool that includes features for detecting XML injection vulnerabilities. It can be used for both manual and automated testing.

  • Acunetix – a web application security testing tool that includes features for detecting XML injection vulnerabilities. It can be used for both manual and automated testing.

  • HP WebInspect – a web application security testing tool that includes features for testing for XML injection vulnerabilities. It can be used for both manual and automated testing.

  • SQLMap – an open-source tool specifically designed for detecting SQL injection vulnerabilities. It includes features for detecting XML injection vulnerabilities as well.

  • XML External Entity (XXE) Injection Tool – a free online tool for detecting and testing XML External Entity injection vulnerabilities.

  • BeEF – a browser exploitation framework that can be used to test for various types of vulnerabilities, including XML injection.

Manual Tools:

  • XMLSpy – an XML editor that includes a variety of features for testing and debugging XML. It can be used to manually test for XML injection vulnerabilities.

  • XML Hammer – an open-source tool for testing and validating XML documents. It includes features for testing for XML injection vulnerabilities.

  • XML Copy Editor – an open-source XML editor that includes features for testing and debugging XML. It can be used for manual testing for XML injection vulnerabilities.

  • Fiddler – a web debugging proxy tool that allows you to intercept and modify web traffic. It includes features for testing for XML injection vulnerabilities.

  • XML Entity Expander – a free online tool that allows you to expand and display the entities in an XML document. It can be used for manual testing for XML injection vulnerabilities.

  • Xmlio – an open-source tool for testing and validating XML documents. It includes features for testing for XML injection vulnerabilities.

  • Firefox add-ons – there are various Firefox add-ons that can be used for XML injection testing, such as XML Developer Toolbar and XPath Checker.

Average CVSS score of stack XML Injection

The Common Vulnerability Scoring System (CVSS) is a standard system used to assign a numerical score to the severity of security vulnerabilities. The score ranges from 0 to 10, with 10 being the most severe.

The CVSS score for an XML injection vulnerability would depend on various factors, such as the specific vulnerability being exploited, the attack vector, and the impact on the system or data. As such, it’s difficult to provide an average CVSS score for stack XML injection without knowing more specific details.

However, in general, XML injection vulnerabilities can lead to serious security issues, including data theft, privilege escalation, and denial of service attacks. These types of vulnerabilities can often result in a high CVSS score, typically ranging from 7 to 10, indicating a severe vulnerability.

The Common Weakness Enumeration (CWE)

• CWE-91: XML Injection – This CWE occurs when untrusted input is processed as XML and the input is not properly sanitized. Attackers can exploit this vulnerability to inject malicious content into an XML document, potentially causing damage or exposing sensitive information.

• CWE-611: Improper Restriction of XML External Entity Reference (XXE) – This CWE occurs when an application allows XML entities to reference external resources, such as files or web services, without proper validation or restrictions. Attackers can exploit this vulnerability to retrieve sensitive data or execute malicious code.

• CWE-643: Improper Neutralization of Data within XPath Expressions – This CWE occurs when an application uses XPath expressions to process XML data without properly sanitizing input. Attackers can exploit this vulnerability to inject malicious content into the expression, potentially causing damage or exposing sensitive information.

• CWE-667: Improper Locking – This CWE occurs when multiple threads or processes attempt to access the same XML resource without proper locking or synchronization. This can lead to race conditions, data corruption, or other issues.

• CWE-668: Exposure of Resource to Wrong Sphere – This CWE occurs when an application allows access to an XML resource from a different security domain or trust level than intended. Attackers can exploit this vulnerability to gain unauthorized access to resources or escalate privileges.

• CWE-672: Operation on Resource in Wrong Phase of Lifetime – This CWE occurs when an application attempts to access an XML resource at an inappropriate time, such as after it has been released or before it has been fully initialized. This can lead to memory corruption or other issues.

• CWE-674: Uncontrolled Recursion – This CWE occurs when an application processes recursive XML data without proper limits or validation. Attackers can exploit this vulnerability to cause denial of service or other issues.

• CWE-675: Duplicate Operations on Resource – This CWE occurs when an application performs duplicate or redundant operations on the same XML resource. This can lead to data corruption, performance issues, or other problems.

• CWE-676: Use of Potentially Dangerous Function – This CWE occurs when an application uses a function that has the potential to introduce security vulnerabilities, such as unvalidated input or buffer overflows, when processing XML data.

• CWE-677: Use of a Non-reentrant Function in a Concurrent Context – This CWE occurs when an application uses a non-reentrant function, which is not designed to handle multiple concurrent accesses, in a context where concurrent access is possible. This can lead to race conditions, data corruption, or other issues when processing XML data.

Top 10 CVES related to XML Injection

• CVE-2023-24323 – Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.

• CVE-2022-47514 – An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.

• CVE-2022-46464 – ConcreteCMS v9.1.3 was discovered to be vulnerable to Xpath injection attacks. This vulnerability allows attackers to access sensitive XML data via a crafted payload injected into the URL path folder “3”.

• CVE-2022-45326 – An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.

• CVE-2022-43570 – In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error.

• CVE-2022-42307 – An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.

• CVE-2022-42301 – An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) injection attack through the nbars process.

• CVE-2022-40747 – “IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584.”

• CVE-2022-40705 – ** UNSUPPORTED WHEN ASSIGNED ** An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

• CVE-2022-38389 – IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233975.

XML Injection exploits

XXE Injection: This exploit is based on CWE-611 and involves injecting malicious XML entities into an XML document. The attacker can then use these entities to read files, access network resources, or execute remote code.

XPath Injection: This exploit is based on CWE-643 and involves injecting malicious code into an XPath expression in an XML document. The attacker can then use this code to modify or extract data from the document, potentially causing damage or exposing sensitive information.

SOAP Injection: This exploit involves injecting malicious code into SOAP messages, which are XML-based messages used in web services. The attacker can then use this code to modify or extract data from the message, potentially causing damage or exposing sensitive information.

SAML Injection: This exploit involves injecting malicious XML into SAML messages, which are used for single sign-on authentication. The attacker can then use this XML to bypass authentication, gain access to protected resources, or escalate privileges.

SVG Injection: This exploit involves injecting malicious XML into SVG (Scalable Vector Graphics) documents, which are used for web graphics. The attacker can then use this XML to execute remote code or steal data from the user’s browser.

RSS Injection: This exploit involves injecting malicious XML into RSS (Really Simple Syndication) feeds, which are used for news and content syndication. The attacker can then use this XML to execute remote code or steal data from the user’s browser.

HTML Injection: This exploit involves injecting malicious XML into HTML documents, which are used for web content. The attacker can then use this XML to modify the appearance or behavior of the page, potentially causing damage or stealing data.

Practicing in test for XML Injection

Create your own vulnerable application:
You can create a simple web application that is vulnerable to XML Injection and use it to practice testing for these vulnerabilities. There are many resources available online that can help you learn how to build web applications with vulnerabilities, such as the OWASP WebGoat project.

Use a vulnerable application:
There are many vulnerable applications available for download that you can use to practice testing for XML Injection vulnerabilities. Some examples include Damn Vulnerable Web App (DVWA), Mutillidae, and Web Security Dojo.

Use a web application scanner:
There are many web application scanners available that can automatically test for XML Injection vulnerabilities, such as Burp Suite, OWASP ZAP, and Acunetix. You can use these tools to scan your own web applications or vulnerable applications to practice identifying and exploiting XML Injection vulnerabilities.

Participate in online challenges:
There are many online challenges and CTFs (Capture the Flag competitions) that include XML Injection challenges. These challenges can be a fun way to practice testing for vulnerabilities and competing with others to see who can solve them the fastest.

For study XML Injection

OWASP: The Open Web Application Security Project (OWASP) is a non-profit organization that provides resources and tools to help improve the security of software. Their website includes a number of resources related to XML Injection, including a page dedicated to this topic. The page includes information on what XML Injection is, how it works, and how to prevent it.

WebGoat: WebGoat is a deliberately insecure web application that can be used for learning about web application security. The application includes a number of lessons related to XML Injection, which can help you learn about this vulnerability in a hands-on way.

Online courses: There are many online courses available that can help you learn about web application security and XML Injection. Some examples include courses offered by Udemy, Coursera, and Pluralsight.

Books: There are many books available on the topic of web application security and XML Injection. Some popular books include “Web Application Security, A Beginner’s Guide” by Bryan Sullivan and Vincent Liu, “Hacking Exposed Web Applications” by Joel Scambray, Mike Shema, and Caleb Sima, and “The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto.

Conferences and meetups: Attending security conferences and local meetups can be a great way to learn about XML Injection vulnerabilities and other security topics. These events often feature talks and workshops on specific security topics, including XML Injection.

Books with review of XML Injection

“Web Application Security: A Beginner’s Guide” by Bryan Sullivan and Vincent Liu – This book provides an introduction to web application security and includes a section on XML Injection. It is a great starting point for those new to web application security.

“Hacking Exposed Web Applications” by Joel Scambray, Mike Shema, and Caleb Sima – This book provides a detailed overview of web application security, including coverage of XML Injection. It is a comprehensive resource for anyone interested in learning about web application security.

“The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto – This book is a comprehensive guide to web application security testing, including coverage of XML Injection. It is an essential resource for anyone interested in web application security.

“Cross Site Scripting Attacks: XSS Exploits and Defense” by Seth Fogie, Jeremiah Grossman, and Robert Hansen – This book covers cross-site scripting attacks, which can be used to exploit XML Injection vulnerabilities. It is a great resource for those looking to learn about web application security in general.

“XSLT Cookbook” by Sal Mangano – This book covers the use of XSLT, which can be used to transform XML documents. It is a valuable resource for those looking to learn about XML and related technologies.

“Web Security, Privacy & Commerce” by Simson Garfinkel and Gene Spafford – This book covers a wide range of web security topics, including XML Injection. It is a valuable resource for those interested in web application security.

“Professional XML Development with Apache Tools: Xerces, Xalan, FOP, Cocoon, Axis, Xindice” by Theodore W. Leung and Scott Ganyo – This book covers the use of Apache tools for XML development. It is a valuable resource for developers working with XML.

“XML Processing with Python” by Sean McGrath – This book covers the use of Python for XML processing, including coverage of XML Injection. It is a great resource for those interested in both Python and XML.

“The XML Handbook” by Charles F. Goldfarb, Paul Prescod, and Steve DeRose – This book is a comprehensive guide to XML and related technologies. It is a valuable resource for those looking to learn about XML in general.

“XML Pocket Reference” by Simon St. Laurent and Michael Fitzgerald – This book is a concise reference guide to XML and related technologies. It is a great resource for those looking for a quick reference guide to XML.

List of payloads XML Injection

  1. <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><foo>&xxe;</foo> This payload includes a DTD (Document Type Definition) that defines an external entity called “xxe”. This entity references the file “/etc/passwd” which can be used to retrieve sensitive information.

  2. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> This payload is similar to the first one but it also defines the “foo” element as having ANY content. This can allow an attacker to inject arbitrary XML into the document.

  3. <foo><bar><![CDATA[<]]>script<![CDATA[>]]>alert('XSS')<![CDATA[<]]>/script<![CDATA[>]]></bar></foo> This payload attempts to inject a script tag into the document using CDATA sections to bypass any encoding or filtering that may be in place.

  4. <foo><bar>&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;alert('XSS')&#x3c;/&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;</bar></foo> This payload is similar to the previous one but uses Unicode encoding to represent the characters “<” and “>”. This can be used to bypass some types of input validation.

  5. <foo><bar><![CDATA[<!ENTITY xxe SYSTEM "file:///etc/passwd">]]>&xxe;</bar></foo> This payload attempts to define an external entity directly within an element of the XML document. This can be used to bypass filters that only look for entities defined in the DTD.

How to be protected from XML Injection

  1. Validate input: Validate all input that is passed to an XML parser. This includes validating against an XML schema or DTD, as well as checking for well-formedness.

  2. Avoid inline DTDs: Avoid using inline DTDs as they can be used to define entities that may allow an attacker to access sensitive data.

  3. Disable external entities: Disable the processing of external entities in the XML parser. This can be done by setting the “EXTERNAL_ENTITIES” feature to false.

  4. Use whitelisting: Use a whitelist of allowed characters or patterns for input fields to prevent injection attacks.

  5. Filter user input: Filter user input to remove potentially harmful characters, such as “<” and “>”. This can be done by encoding the input before it is passed to the XML parser.

  6. Use a dedicated XML library: Use a dedicated XML library to parse XML documents instead of building custom parsers. These libraries often have built-in protections against common XML injection attacks.

  7. Limit access to sensitive data: Limit access to sensitive data and files by configuring appropriate file permissions and access controls.

Mitigations for XML Injection

  1. Avoid using DTDs: DTDs (Document Type Definitions) can be used to define external entities that can be exploited by attackers. Avoid using DTDs whenever possible.

  2. Use XML Schema Validation: Use an XML schema to validate input and prevent malicious content from being processed. XML schema validation is more secure than DTD validation as it is not vulnerable to XXE (XML External Entity) attacks.

  3. Use a secure XML parser: Use a secure XML parser that has been designed with security in mind. Some popular secure parsers include Xerces, XMLSec, and libxml2.

  4. Disable external entity processing: Disable the processing of external entities in the XML parser. This can be done by setting the “EXTERNAL_ENTITIES” feature to false.

  5. Filter user input: Filter user input to remove potentially harmful characters, such as “<” and “>”. This can be done by encoding the input before it is passed to the XML parser.

  6. Use whitelisting: Use a whitelist of allowed characters or patterns for input fields to prevent injection attacks.

  7. Limit access to sensitive data: Limit access to sensitive data and files by configuring appropriate file permissions and access controls.

  8. Use encryption: Use encryption to protect sensitive data that is stored or transmitted in XML documents.

Conclusion

XML Injection is a type of injection attack that targets XML-based applications. It occurs when an attacker injects malicious XML data into an XML document, which can cause the application to behave in unexpected ways. XML Injection attacks can be used to extract sensitive data, execute unauthorized code, and take over the system.

To prevent XML Injection attacks, it is important to validate all input, avoid using DTDs, use a secure XML parser, and filter user input. It is also important to limit access to sensitive data and use encryption to protect data that is stored or transmitted in XML documents.

To practice and learn more about XML Injection, it is recommended to use test environments, read books and articles on the subject, and take part in online courses and trainings. By following these best practices and staying informed about the latest security threats, you can help protect your applications and data from XML Injection attacks.

Other Services

Ready to secure?

Let's get in touch