
Web Service Security - xml entity injection Attack

 
Mat Anthony
Ranch Hand
Posts: 261
Hi All,
I have created a web service that is currently vulnerable to an XML entity injection attack.
In the example below, the XML in the entity part of the SOAP package allows access to the C drive of the host running the web service.
I'm currently developing web services using Axis 1.4. How can I prevent this form of attack?




Mat
 
Tim Moores
Bartender
Posts: 2842
46
The server should validate what it gets from the client, and reject anything that is suspicious.
 
Mat Anthony
Ranch Hand
Posts: 261
Hi Tim,
thanks for the response. How would the server validate what is received from the client and reject anything else?

Mat
 
Tim Moores
Bartender
Posts: 2842
46
Well, there must be some code that handles the value of "sport:user" - a web service should validate that value just like a normal web app would do with anything that is entered by a user.
 
Mat Anthony
Ranch Hand
Posts: 261
Hi Tim,
I have done some security checks and found that by using XML entity injection I can gain access to the server's C drive and view all the directories and files.
Hence I don't think the client web service request will get to the internal web service to carry out validation.

Mat
 
Tim Moores
Bartender
Posts: 2842
46
I'm confused - if you "can gain access to the servers c drive", then there must be some server side code that allows you to do so, no? Is that code under your control? If so, some changes in order to prevent that should be possible ... ?
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13064
6
In your example, what code is looking at sport:user contents?

Seems to me that if all else fails, the web service can define a java.lang.SecurityManager that controls what files and directories the service code can access.

Bill
 
Mat Anthony
Ranch Hand
Posts: 261
Hi Bill & Tim,
Had a look at the problem again. The response that is coming back to the client is a SOAP package containing the contents of the C directory.
I did some digging and found out that the xxe12345 data within the <sport:user> tag is being replaced with the content in the schema ENTITY (i.e. file:///c:/).
It looks as if you can put anything in between the & and ; and it gets executed.
To avoid this problem the line

needs to be stripped out and replaced with something less offensive.

I found the following link "Web Services Vulnerabilities" that seems to cover a lot of the threats to web services.
I still have to read it yet, but it looks like a must read.
http://www.blackhat.com/presentations/bh-europe-07/Bhalla-Kazerooni/Whitepaper/bh-eu-07-bhalla-WP.pdf

Mat
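A hardened JAXP parser configuration, added here as an example (it is not Axis code and not from the thread): it rejects the DOCTYPE that carries the ENTITY declaration before any entity is resolved, so the file is never opened. The sample message, the namespace urn:example:sport and the class name are constructed for this example; wiring the factory into Axis 1.4's own SAX parsing is not shown.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class XxeSafeParser {

    // Constructed sample: a SOAP-style body with an external entity declared
    // in the DTD and referenced from sport:user, as described in the thread.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE foo [ <!ENTITY xxe12345 SYSTEM \"file:///c:/\"> ]>\n" +
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"\n" +
        "    xmlns:sport=\"urn:example:sport\">\n" +
        "  <soapenv:Body><sport:user>&xxe12345;</sport:user></soapenv:Body>\n" +
        "</soapenv:Envelope>";

    /** Builds a DocumentBuilder that refuses DTDs and external entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Xerces feature: any DOCTYPE at all is a parse error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser does not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns true when the document was accepted, false when rejected. */
    static boolean parse(String xml) throws ParserConfigurationException, IOException {
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            // disallow-doctype-decl raises a SAXParseException on the DOCTYPE line.
            System.out.println("Rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Accepted? " + parse(SAMPLE));
    }
}
```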



 
Tim Moores
Bartender
Posts: 2842
46
Mat Anthony wrote: It looks as if you can put anything in between the & and ; and it gets executed.

That's the key point we're trying to get at: *what* is executing anything? Is that software that's under your control? Or is your code just a client to that web service? I don't think there's any piece of WS infrastructure that just takes a string like "file:///c:/" and decides to interpret that as a command to execute a directory listing. Someone must have programmed it that way, and apparently in an insecure way.
 
Mat Anthony
Ranch Hand
Posts: 261
Hi Tim,
The code is under my control. I deployed the web service to a local server within our intranet. Some penetration testing was carried out from the internet to determine how secure it would be, and I got these results.
I will debug the code to see at what point this is happening.

Mat
 