JavaRanch » Java Forums » Java » Web Services
Web Service Security - xml entity injection Attack

Mat Anthony
Ranch Hand

Joined: May 21, 2008
Posts: 237
Hi All,
I have created a web service that is currently vulnerable to an XML entity injection attack.
In the example below, the XML in the entity part of the SOAP package allows access to the C drive of the hosting web service.
I'm currently developing web services using Axis 1.4. How can I prevent this form of attack?




Mat
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
The server should validate what it gets from the client, and reject anything that is suspicious.
Mat Anthony
Ranch Hand

Joined: May 21, 2008
Posts: 237
Hi Tim,
thanks for the response. How would the server validate what is received from the client and reject anything else?

Mat
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Well, there must be some code that handles the value of "sport:user" - a web service should validate that value just like a normal web app would do with anything that is entered by a user.
Mat Anthony
Ranch Hand

Joined: May 21, 2008
Posts: 237
Hi Tim,
I have done some security checks and found that by using XML entity injection I can gain access to the server's C drive and view all the dirs and files.
Hence I don't think the client web service request will get to the internal web service to carry out validation.

Mat
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
I'm confused - if you "can gain access to the server's C drive", then there must be some server-side code that allows you to do so, no? Is that code under your control? If so, some changes in order to prevent that should be possible ... ?
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12803
    
    5
In your example, what code is looking at sport:user contents?

Seems to me that if all else fails, the web service can define a java.lang.SecurityManager that controls what files and directories the service code can access.

Bill
Mat Anthony
Ranch Hand

Joined: May 21, 2008
Posts: 237
Hi Bill & Tim,
had a look at the problem again. The response that is coming back to the client is a SOAP package containing the contents of the C: directory.
I did some digging and found out that the xxe12345 data within the <sport:user> tag is being replaced with the content in the schema ENTITY (i.e. file:///c:/).
It looks as if you can put anything in between the & and ; and it gets executed.
To avoid this problem the line

Needs to be stripped out and replaced with something less offensive.

I found the following link "Web Services Vulnerabilities" that seems to cover a lot of the threats to web services.
I still have to read it yet, but it looks like a must read.
http://www.blackhat.com/presentations/bh-europe-07/Bhalla-Kazerooni/Whitepaper/bh-eu-07-bhalla-WP.pdf

Mat
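The mechanism Mat describes, shown as an added example that is not code from this thread or from Axis: the XML parser, not the service code, expands &xxe12345; while reading the request, so the file is already open before any handler ever sees the value of sport:user. A parser built with DOCTYPE declarations disallowed fails at the prolog and the file is never touched. The JDK's built-in Xerces understands the feature names used here; whether the framework that parses your request lets you reach its SAXParserFactory is an assumption you have to check for your own deployment. The sport namespace, the getScores operation, the entity name and the secret file (created by the example itself) are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // Collects the text of the <sport:user> element, i.e. what the service
    // code on this thread would eventually receive as the user value.
    static final class UserHandler extends DefaultHandler {
        private final StringBuilder user = new StringBuilder();
        private boolean inUser;

        @Override public void startElement(String uri, String local, String qName, Attributes atts) {
            if ("user".equals(local) || qName.endsWith(":user")) inUser = true;
        }
        @Override public void endElement(String uri, String local, String qName) {
            if ("user".equals(local) || qName.endsWith(":user")) inUser = false;
        }
        @Override public void characters(char[] ch, int start, int length) {
            if (inUser) user.append(ch, start, length);
        }
        String user() { return user.toString(); }
    }

    // Hardened factory: refuse any DOCTYPE, so no entity can be declared at
    // all; the other features are belt-and-braces for parsers that only
    // honour the SAX-standard switches.
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    static String parseUser(SAXParserFactory f, String xml) throws Exception {
        SAXParser p = f.newSAXParser();
        UserHandler h = new UserHandler();
        p.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), h);
        return h.user();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the file the attacker wants; the thread used file:///c:/.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "TOP-SECRET".getBytes(StandardCharsets.UTF_8));

        // Constructed request in the shape described on this thread (assumed
        // namespace, operation and entity name).
        String envelope =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE soapenv:Envelope [\n"
          + "  <!ENTITY xxe12345 SYSTEM \"" + secret.toURI() + "\">\n"
          + "]>\n"
          + "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"\n"
          + "                  xmlns:sport=\"http://example.invalid/sport\">\n"
          + "  <soapenv:Body>\n"
          + "    <sport:getScores><sport:user>&xxe12345;</sport:user></sport:getScores>\n"
          + "  </soapenv:Body>\n"
          + "</soapenv:Envelope>\n";

        // Default factory: the entity is resolved during parsing, so the
        // handler receives the file's contents as the user name.
        System.out.println("default parser saw user = "
            + parseUser(SAXParserFactory.newInstance(), envelope));

        // Hardened factory: parsing stops at the DOCTYPE; the file is never opened.
        try {
            parseUser(hardenedFactory(), envelope);
            System.out.println("unexpected: hardened parser accepted the request");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected the request: " + e.getMessage());
        }
    }
}
```

Run with a default JDK and the first line prints TOP-SECRET inside the user value, the second prints the DOCTYPE rejection. Java's file: URL handler returns a directory listing when the target is a directory, which is why an entity pointing at file:///c:/ came back as the drive's contents rather than an error. Validation inside the service method, as suggested earlier in the thread, is too late for this class of bug: by then the parser has already read the file and substituted its contents.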



Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Mat Anthony wrote: It looks as if you can put anything in between the & and ; and it gets executed.

That's the key point we're trying to get at: *what* is executing anything? Is that software that's under your control? Or is your code just a client to that web service? I don't think there's any piece of WS infrastructure that just takes a string like "file:///c:/" and decides to interpret that as a command to execute a directory listing. Someone must have programmed it that way, and apparently in an insecure way.
Mat Anthony
Ranch Hand

Joined: May 21, 2008
Posts: 237
Hi Tim,
the code is under my control. I deployed the web service to a local server within our intranet. Some penetration testing was carried out from the internet to determine how secure it would be, and I got these results.
I will debug the code to see at what point this is happening.

Mat
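If the framework builds its own SAX parser and you cannot reach its factory to set the features above, a coarser stop-gap is a servlet filter in front of the Axis servlet that buffers the request body and refuses anything containing a DOCTYPE or ENTITY declaration before the parser sees it. This is an added example, not code from the thread or from Axis; it assumes the Servlet 2.5 API that Axis 1.4 deployments typically run on (on Servlet 3.1 or later the inner ServletInputStream must also implement isFinished, isReady and setReadListener), and the filter, class and message names are the author's choices.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Rejects SOAP requests that carry a DTD. SOAP 1.1 forbids DOCTYPE in a
// message anyway, so a legitimate client loses nothing.
public final class DoctypeRejectFilter implements Filter {

    private static final Pattern DTD =
        Pattern.compile("<!(DOCTYPE|ENTITY)\\b", Pattern.CASE_INSENSITIVE);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        byte[] body = readAll(http.getInputStream());

        // Decode with the charset the client declared so the check sees the
        // same characters the XML parser will; an unknown charset is rejected.
        String enc = http.getCharacterEncoding() != null ? http.getCharacterEncoding() : "UTF-8";
        String text;
        try {
            text = new String(body, Charset.forName(enc));
        } catch (IllegalArgumentException badCharset) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "unsupported charset");
            return;
        }
        if (containsDtd(text)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "DOCTYPE not allowed");
            return;
        }
        // The body has been consumed; hand Axis a request that replays it.
        chain.doFilter(new BufferedRequest(http, body), res);
    }

    static boolean containsDtd(String xml) {
        return DTD.matcher(xml).find();
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        return out.toByteArray();
    }

    private static final class BufferedRequest extends HttpServletRequestWrapper {
        private final byte[] body;

        BufferedRequest(HttpServletRequest r, byte[] body) {
            super(r);
            this.body = body;
        }

        @Override public ServletInputStream getInputStream() {
            final InputStream in = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() throws IOException { return in.read(); }
            };
        }

        @Override public BufferedReader getReader() throws IOException {
            String enc = getCharacterEncoding() != null ? getCharacterEncoding() : "UTF-8";
            return new BufferedReader(new InputStreamReader(getInputStream(), enc));
        }
    }
}
```

Map the filter in web.xml to the same URL pattern as the AxisServlet (typically /services/*). Treat it as defence in depth rather than the fix: a textual check can disagree with the parser about how the body is encoded (for example a BOM-signalled UTF-16 body with no declared charset), whereas disabling DOCTYPE on the parser itself closes the hole wherever the XML comes from.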