Web application security - the fast guide 1.1 | Page 149
Chapter 7 - Attack execution (3)
The main problem here is the echo functionality: part of the server
response contains the requested search string. In this case an attack named XXE
(XML External Entity injection) can be applicable.
Attack requirements:
A. The request uses the XML format.
B. No validation for the SYSTEM or ENTITY keywords.
C. Echo functionality is available.
Attack process
The attacker adds a definition header to the XML request using the DOCTYPE
keyword:
]>
This definition makes any use of an ampersand with the entity reference
parsed as the entity value.
The dangerous part is that entities can be defined with an external reference using
the SYSTEM keyword and a standard URL with the file: protocol.
A simple example of this type of usage is the following listing, which illustrates
the use of the XML format in an HTTP request to send data to a search page:
POST /search/searchPage.ashx HTTP/1.1
Host: victim.com
Content-Type: text/xml; charset=UTF-8
Content-Length:117
]>
&xxe
The result is that the contents of the win.ini file are returned as part of the server
response.
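The following is an added example, not code from the guide, showing how the search page described above can refuse requirement B and requirement C at once: the request body is walked with expat and rejected as soon as a DOCTYPE or ENTITY declaration appears, external references are never fetched, and the search term is only ever echoed back HTML-escaped. The element names (search, term), the request samples and the placeholder file path are assumptions made for this example.

```python
"""Added example: handling an XML search request without expanding external entities."""
import html
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXml(ValueError):
    """Raised when a request body declares a DOCTYPE or an entity."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Walk the document with expat and abort on any DOCTYPE or ENTITY
    declaration. Using the parser's own callbacks rather than a regex means the
    check sees exactly what the parser would act on."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DOCTYPE not accepted (name=%r)" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXml("ENTITY declaration not accepted (name=%r, SYSTEM=%r)" % (name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: never let expat fetch a resource named by SYSTEM.
        raise UnsafeXml("external entity reference not accepted (%r)" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)


def is_safe_xml(xml_bytes: bytes) -> bool:
    """True only for well-formed XML that carries no DTD at all."""
    try:
        reject_dtd(xml_bytes)
        return True
    except (UnsafeXml, xml.parsers.expat.ExpatError):
        return False


def handle_search(xml_bytes: bytes) -> str:
    """Server-side handler: validate first, then parse, then echo the term
    HTML-escaped so the echo cannot be turned into a disclosure channel."""
    if not is_safe_xml(xml_bytes):
        return "400 Bad Request: XML with DOCTYPE/ENTITY declarations is rejected"
    root = ET.fromstring(xml_bytes)
    term = root.findtext("term") or ""
    return "Results for: " + html.escape(term)


# Constructed sample bodies (assumed element names). The second one has the
# shape the guide describes: a DOCTYPE declaring an external entity via SYSTEM
# and a body that references it; the file path is a placeholder.
BENIGN_REQUEST = b"<search><term>widgets</term></search>"
XXE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE search [<!ENTITY xxe SYSTEM "file:///placeholder/win.ini">]>'
    b"<search><term>&xxe;</term></search>"
)

if __name__ == "__main__":
    for body in (BENIGN_REQUEST, XXE_REQUEST):
        print(handle_search(body))
```

Rejecting every DOCTYPE is the simplest policy that closes the hole: a search request has no legitimate need for a DTD, so there is nothing to lose by refusing one outright, and no allow-list of "harmless" entity declarations to maintain.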
7.9 Attack SOAP Services
SOAP stands for Simple Object Access Protocol, an encapsulation
technique that facilitates message-based communication; it can be used to
integrate different systems running on different platforms.
Attack requirement:
No validation of the parameter values.
Attack process
The attack depends on injecting XML tags inside the URL that calls the web
service, which alters the transferred message and tricks the victim
system.
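As an added example (not code from the guide), the block below shows why the requirement above matters. A URL parameter is taken from the query string and placed into a SOAP envelope twice: once by string concatenation, where tags in the value become part of the message structure, and once through an XML tree builder, where the same value is escaped and stays a single text node. The service name, the parameter name (term) and the two URLs are assumptions for the example.

```python
"""Added example: building a SOAP request from a URL parameter with and without tag injection."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)


def term_from_url(url: str) -> str:
    """Pull the 'term' query parameter out of the URL that calls the service
    (the parameter name is an assumption for this example)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("term", [""])[0]


def build_envelope_unsafe(term: str) -> str:
    """Vulnerable pattern: the parameter is concatenated straight into the
    envelope, so any tags inside the value become part of the message."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Body>'
        "<Search><term>%s</term></Search>"
        "</soap:Body></soap:Envelope>" % (SOAP_NS, term)
    )


def build_envelope_safe(term: str) -> str:
    """Hardened pattern: the envelope is built as a tree and serialised, so
    '<', '>' and '&' in the value are escaped and cannot open or close tags."""
    envelope = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(envelope, "{%s}Body" % SOAP_NS)
    search = ET.SubElement(body, "Search")
    ET.SubElement(search, "term").text = term
    return ET.tostring(envelope, encoding="unicode")


def term_elements(envelope: str) -> list:
    """What the receiving service would see: the text of every <term> element."""
    root = ET.fromstring(envelope)
    return [element.text or "" for element in root.iter("term")]


# Constructed inputs: a normal call, and one whose parameter value carries
# XML tags, URL-encoded as they would travel in a query string.
NORMAL_URL = "http://service.example/search?term=widgets"
TAMPERED_URL = "http://service.example/search?term=widgets%3C/term%3E%3Cterm%3Eextra"

if __name__ == "__main__":
    for url in (NORMAL_URL, TAMPERED_URL):
        term = term_from_url(url)
        print("unsafe builder sees:", term_elements(build_envelope_unsafe(term)))
        print("safe builder sees:  ", term_elements(build_envelope_safe(term)))
```

With the tampered URL the concatenated envelope parses as two term elements, so the service receives a message the caller never intended to send; the tree-built envelope keeps the whole value, tags included, as the text of one element.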