[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] PAPER: Attacking Server Side XML Parsers
- To: "HI-TECH ." <isowarez.isowarez.isowarez@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] PAPER: Attacking Server Side XML Parsers
- From: Chris Evans <scarybeasts@xxxxxxxxx>
- Date: Tue, 1 Feb 2011 19:24:40 -0800
On Tue, Feb 1, 2011 at 5:55 PM, HI-TECH . <
isowarez.isowarez.isowarez@xxxxxxxxxxxxxx> wrote:
> Hello lists,
>
> the paper included in this email discusses as the subject describes the
> issues of XML Parsers and how they can be exploited in a web
> application environment.
> >From the Preface:
>
> During the audit of web applications one might come across an
> application which handles XML files.
> Specifically there can be an application which allows uploading XML
> files which are thereafter inserted
> into a database and used for later displaying on the front end of the
> application viewable by the user.
> I came across a significant “vulnerability class” which allows an
> attacker (or penetration tester) to
> evoke a scenario which will give access to all files on the underlying
> file system which the application
> server runs as. This includes (in the case the application is
> programmed in the Java language) access
> to directory listings as well.
>
> Any pointers if this was helpful to you are appriciated.
>
This attack is called XXE (Xml eXternal Entity).
It's depressing because it's been known about since at least 2002 (
http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00421.html), yet it
still keeps rearing its head. There's also the "billion laughs" attack which
is a variant that consumes excessive server-side resource.
There have also been client-side examples of this attack, including in
Safari and (IIRC) Adobe Reader.
Cheers
Chris
>
>
> Best Regards,
>
> Kingcope
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/