Tuesday, December 20, 2011

XML injection attack types

Attack Scenario
In a web services framework, XML documents are passed from client to server in the form of a SOAP request. The XML is then processed within the web service, exposing it to an array of XML-based attacks. Below are the types of XML parser streams and their attack vectors.

Exploiting XML Parsers
XML streams are parsed at some point within the application logic, and an attacker can be expected to try to break the web service, or the assumptions it makes about its input, within that parsing logic.
The two types of XML parser in wide use are DOM and SAX.

DOM XML Parser:
DOM-based XML parsers load the entire XML stream into memory, building a hierarchy of objects that the application logic then references. A very obvious attack vector is submitting large XML documents to consume server-side resources during parsing, resulting in a denial-of-service (DoS) attack.
This can be done by either
·         Repeating nodes, so that a very large number of elements is submitted in a single transaction
·         Nesting XML elements deeply, which adds processing overhead for every level of the tree
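The usual defence is to stream the document through a non-tree-building parser once, enforcing a byte, depth and element budget, and only hand it to the DOM parser if it passes. The following is an added example, not code from the original post; the limit values and the helper names are my own choices, and the sample documents are constructed for the demonstration.

```python
import xml.parsers.expat
from xml.dom import minidom


class XMLLimitExceeded(ValueError):
    """Raised when a document exceeds the size, depth or element budget."""


def check_xml_limits(data, max_bytes=1_000_000, max_depth=32, max_elements=10_000):
    """Stream `data` through expat once, without building a tree, and raise
    XMLLimitExceeded as soon as a limit is crossed.  Returns the element
    count on success.  The defaults are illustrative, not a standard."""
    size = len(data.encode("utf-8")) if isinstance(data, str) else len(data)
    if size > max_bytes:
        raise XMLLimitExceeded("document is %d bytes, limit is %d" % (size, max_bytes))

    depth = 0
    elements = 0

    def on_start(name, attrs):
        nonlocal depth, elements
        depth += 1          # repeated nodes raise `elements`, nesting raises `depth`
        elements += 1
        if depth > max_depth:
            raise XMLLimitExceeded("nesting depth %d exceeds %d at <%s>" % (depth, max_depth, name))
        if elements > max_elements:
            raise XMLLimitExceeded("more than %d elements" % max_elements)

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.Parse(data, True)   # an exception raised in a handler propagates out of Parse()
    return elements


def parse_dom_with_limits(data, **limits):
    """DOM-parse only after the streaming pre-check has accepted the document."""
    check_xml_limits(data, **limits)
    return minidom.parseString(data)


def within_limits(data, **limits):
    """Boolean form of the check, convenient for request filters and tests."""
    try:
        check_xml_limits(data, **limits)
        return True
    except XMLLimitExceeded:
        return False


# Constructed sample documents (not from the original page).
NORMAL_ORDER = "<order><item>widget</item><qty>2</qty></order>"
REPEATED_NODES = "<order>" + "<item>x</item>" * 5000 + "</order>"   # 5001 elements
DEEP_NESTING = "<a>" * 200 + "</a>" * 200                           # 200 levels deep

if __name__ == "__main__":
    print(parse_dom_with_limits(NORMAL_ORDER).documentElement.tagName)  # order
    print(within_limits(REPEATED_NODES, max_elements=1000))              # False
    print(within_limits(DEEP_NESTING, max_depth=32))                     # False
```

The pre-check costs one extra streaming pass over the input, but its memory use is bounded by the depth counter rather than by the document, which is exactly the property the DOM parser lacks.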
SAX-based Parsing:
SAX-based parsing is not as susceptible to DoS as DOM. SAX is event-driven: it reports elements as it encounters them in the stream instead of building the whole tree, so only the current element and a small, bounded amount of state are held in memory at any time. SAX parsers are, however, subject to XML injection.
In an XML injection attack, a user attempts to corrupt the XML stream by supplying input that contains markup, so that the injected tags override or add to the static portions of the stream the application wrapped around the input.
In some cases DOM parsers are also prone to XML injection, since the injected markup simply becomes part of the tree that the parsing logic acts on.
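The following added example (not code from the original post) shows the injection against a toy SAX consumer and the fix. The request builder, the server-side handler and the payload are all constructed for the demonstration; the assumption is a server that collects each element's text into a dictionary, with later elements overwriting earlier ones.

```python
import xml.sax
from xml.sax.handler import ContentHandler
import xml.etree.ElementTree as ET


def build_login_unsafe(username, password):
    """Static markup with user input spliced in by string formatting: the
    attacker decides where elements start and end."""
    return ("<login><role>user</role><user>%s</user><pass>%s</pass></login>"
            % (username, password))


def build_login_safe(username, password):
    """Build the tree with an XML API.  The serializer escapes < > & in text,
    so whatever the user typed can only ever be character data."""
    login = ET.Element("login")
    ET.SubElement(login, "role").text = "user"
    ET.SubElement(login, "user").text = username
    ET.SubElement(login, "pass").text = password
    return ET.tostring(login, encoding="unicode")


class FieldCollector(ContentHandler):
    """Toy server-side SAX handler (assumed, not from the page): collects each
    leaf element's text into a dict, later occurrences overwriting earlier ones."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._name = None
        self._buf = []

    def startElement(self, name, attrs):
        self._name = name
        self._buf = []

    def characters(self, content):
        # SAX may deliver one text node in several pieces, so accumulate.
        if self._name is not None:
            self._buf.append(content)

    def endElement(self, name):
        if self._name == name:
            self.fields[name] = "".join(self._buf)
        self._name = None


def server_fields(xml_text):
    """What the server believes the request said."""
    handler = FieldCollector()
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.fields


# Constructed payload: closes <pass>, injects a second <role>, reopens <pass>
# so the document stays well-formed and the parser never complains.
PAYLOAD = "secret</pass><role>admin</role><pass>"

if __name__ == "__main__":
    print(server_fields(build_login_unsafe("alice", PAYLOAD))["role"])  # admin
    print(server_fields(build_login_safe("alice", PAYLOAD))["role"])    # user
```

Note that the unsafe document is perfectly well-formed, which is why neither a SAX nor a DOM parser will reject it: the parser is doing its job, and the damage is done before it runs, at the point where input and static markup were concatenated.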

Exploiting XML Validators
XML streams are normally validated against certain rules before being used by the application. This is to ensure that the data is complete and that the assumptions the application makes about the data are met. Thus an attacker may attempt to break or bypass the validation, resulting in unexpected input to the application logic.
Document Type Definition (DTD) is a common validation method that is the most prone to attack, and hence is better avoided. A DTD lets the document itself declare entities, so an attacker-supplied DTD can define entities that expand to an enormous amount of text, or that reference external resources, and the parser processes those declarations before any validation of the content takes place. If DTDs are not needed, the parser should be configured to reject a DOCTYPE declaration outright.
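As an added example (not code from the original post), the block below measures how much character data a default-configured parser actually produces from a small document with nested entity declarations, and then shows the policy check that refuses any document carrying a DOCTYPE before a single entity can be expanded. The sample document and helper names are constructed for the demonstration.

```python
import xml.parsers.expat


class DTDNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE and the policy forbids it."""


# Constructed example: three levels of nested entity declarations turn the
# single reference "&c;" into 10 * 10 * 10 characters of text.
ENTITY_EXPANSION = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE root [\n'
    '  <!ENTITY a "xxxxxxxxxx">\n'
    '  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    '  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    ']>\n'
    '<root>&c;</root>\n'
)


def expanded_text_length(xml_text):
    """Parse with default expat settings and count the character data the
    parser delivers to the application, i.e. after entity expansion."""
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_text, True)
    return total


def root_element_without_dtd(xml_text):
    """Return the root element name, refusing any document that declares a
    DOCTYPE.  The handler fires when the declaration starts, before the
    internal subset (and any entity it defines) is processed."""
    root = None

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDNotAllowed("DOCTYPE %r not allowed by policy" % name)

    def on_start(name, attrs):
        nonlocal root
        if root is None:
            root = name

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)
    return root


def has_dtd(xml_text):
    """Boolean form of the policy check."""
    try:
        root_element_without_dtd(xml_text)
        return False
    except DTDNotAllowed:
        return True


if __name__ == "__main__":
    print(len(ENTITY_EXPANSION), "bytes in ->", expanded_text_length(ENTITY_EXPANSION), "chars out")
    print(has_dtd(ENTITY_EXPANSION), has_dtd("<root><a/></root>"))   # True False
```

Adding another nesting level multiplies the output by ten again, which is why the amplification, not the input size, is what a request-size limit fails to catch. Refusing the DOCTYPE also removes external entity declarations, the other feature a DTD hands to the attacker.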