Posted to java-dev@axis.apache.org by Rogan Dawes <li...@dawes.za.net> on 2005/10/21 15:46:38 UTC

Security: Axis robustness against duplicated elements?

Hi folks,

I recently attended a presentation at the OWASP (Open Web Application
Security Project) Conference in Washington, and the presenter showed an
attack scenario involving injection of repeated elements into the XML
document.

The idea is that if the web service client is careless about
constructing the XML that it sends to the backend service, it might be
possible to inject additional XML nodes into the document, and overwrite
data from previous nodes. This is as a result of Axis (or other toolkit)
using SAX events to parse XML.

Here is an example:

<UserRecord>
     <UniqueID>12345</UniqueID>
     <Name>Henry Ackerman</Name>
<Email>hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com</Email>
     <Address>123 Disk Drive</Address>
     <ZipCode>98103</ZipCode>
     <PhoneNumber>206-123-4567</PhoneNumber>
</UserRecord>

The email address is controlled by the attacker, and is submitted as:

hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com

Which, when inserted into the document above, as you can see, results in
the UniqueID being overwritten.

I have done some minor experimentation with this, and have been
successful in doing the same thing.

It seems to me that it would be possible to set a flag when a variable
is set for the first time, and throw an exception if anyone tries to
reset it? Does this seem reasonable? Maybe it could be an optional setting.

Thoughts?

Rogan

Re: Security: Axis robustness against duplicated elements?

Posted by Rogan Dawes <li...@dawes.za.net>.
Steve Loughran wrote:

> Rogan Dawes wrote:
>
>> Hi folks,
>>
>> I recently attended a presentation at the OWASP (Open Web Application
>> Security Project) Conference in Washington, and the presenter showed an
>> attack scenario involving injection of repeated elements into the XML
>> document.
>>
>> The idea is that if the web service client is careless about
>> constructing the XML that it sends to the backend service, it might be
>> possible to inject additional XML nodes into the document, and overwrite
>> data from previous nodes. This is as a result of Axis (or other toolkit)
>> using SAX events to parse XML.
>>
>> Here is an example:
>>
>> <UserRecord>
>>     <UniqueID>12345</UniqueID>
>>     <Name>Henry Ackerman</Name>
>> <Email>hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com</Email> 
>>
>>     <Address>123 Disk Drive</Address>
>>     <ZipCode>98103</ZipCode>
>>     <PhoneNumber>206-123-4567</PhoneNumber>
>> </UserRecord>
>>
>> The email address is controlled by the attacker, and is submitted as:
>>
>> hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com
>>
>> Which, when inserted into the document above, as you can see, results in
>> the UniqueID being overwritten.
>>
>> I have done some minor experimentation with this, and have been
>> successful in doing the same thing.
>>
>> It seems to me that it would be possible to set a flag when a variable
>> is set for the first time, and throw an exception if anyone tries to
>> reset it? Does this seem reasonable? Maybe it could be an optional 
>> setting.
>>
>
> The only security issue here is if the attacker is not the submitter 
> - the submitter can submit invalid XML the first time round.
>
> I presume this is a bit like SQL attacks: data from a form being 
> blindly inserted into something without enough validation of valid chars.
>
> I think Axis will actually escape XML <> delimiters when converting a 
> string parameter, just like most XML tools do when marshalling stuff. 
> So the message would be
> <Email>hackerman@bad.com&lt;/Email&gt;&lt;UniqueID&gt;0&lt;/UniqueID&gt;&lt;Email&gt;hackerman@bad.com</Email> 
>
>
> Which is a lot less of a problem.

This assumes that Axis is the client, which may not always be the case. 
At least the server/web service could be made to be robust in this instance.

Rogan

Re: Security: Axis robustness against duplicated elements?

Posted by Rogan Dawes <li...@dawes.za.net>.
Steve Loughran wrote:
> Rogan Dawes wrote:
> 
>> Hi folks,
>>
>> I recently attended a presentation at the OWASP (Open Web Application
>> Security Project) Conference in Washington, and the presenter showed an
>> attack scenario involving injection of repeated elements into the XML
>> document.
>>
>> The idea is that if the web service client is careless about
>> constructing the XML that it sends to the backend service, it might be
>> possible to inject additional XML nodes into the document, and overwrite
>> data from previous nodes. This is as a result of Axis (or other toolkit)
>> using SAX events to parse XML.
>>
>> Here is an example:
>>
>> <UserRecord>
>>     <UniqueID>12345</UniqueID>
>>     <Name>Henry Ackerman</Name>
>> <Email>hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com</Email> 
>>
>>     <Address>123 Disk Drive</Address>
>>     <ZipCode>98103</ZipCode>
>>     <PhoneNumber>206-123-4567</PhoneNumber>
>> </UserRecord>
>>
>> The email address is controlled by the attacker, and is submitted as:
>>
>> hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com
>>
>> Which, when inserted into the document above, as you can see, results in
>> the UniqueID being overwritten.
>>
>> I have done some minor experimentation with this, and have been
>> successful in doing the same thing.
>>
>> It seems to me that it would be possible to set a flag when a variable
>> is set for the first time, and throw an exception if anyone tries to
>> reset it? Does this seem reasonable? Maybe it could be an optional 
>> setting.
>>
> 
> The only security issue here is if the attacker is not the submitter 
> - the submitter can submit invalid XML the first time round.
> 
> I presume this is a bit like SQL attacks: data from a form being blindly 
> inserted into something without enough validation of valid chars.
> 
> I think Axis will actually escape XML <> delimiters when converting a 
> string parameter, just like most XML tools do when marshalling stuff. So 
> the message would be
> <Email>hackerman@bad.com&lt;/Email&gt;&lt;UniqueID&gt;0&lt;/UniqueID&gt;&lt;Email&gt;hackerman@bad.com</Email> 
> 
> 
> Which is a lot less of a problem.

It might not be a problem with Axis as the client, but it might be with 
a different implementation that simply concatenates a preconstructed 
template, indeed, a la SQL injection.

I still feel that Axis could be doing something on the server side to 
detect and react to this.

How difficult would it be to insert some automatically generated code in 
the deserialiser that ensures that a field is only set once?

As mentioned previously, this could be entirely optional for those that 
are not concerned about attack, if it causes a performance hit.

Regards,

Rogan

Re: Security: Axis robustness against duplicated elements?

Posted by Steve Loughran <st...@apache.org>.
Rogan Dawes wrote:
> Hi folks,
> 
> I recently attended a presentation at the OWASP (Open Web Application
> Security Project) Conference in Washington, and the presenter showed an
> attack scenario involving injection of repeated elements into the XML
> document.
> 
> The idea is that if the web service client is careless about
> constructing the XML that it sends to the backend service, it might be
> possible to inject additional XML nodes into the document, and overwrite
> data from previous nodes. This is as a result of Axis (or other toolkit)
> using SAX events to parse XML.
> 
> Here is an example:
> 
> <UserRecord>
>     <UniqueID>12345</UniqueID>
>     <Name>Henry Ackerman</Name>
> <Email>hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com</Email> 
> 
>     <Address>123 Disk Drive</Address>
>     <ZipCode>98103</ZipCode>
>     <PhoneNumber>206-123-4567</PhoneNumber>
> </UserRecord>
> 
> The email address is controlled by the attacker, and is submitted as:
> 
> hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com
> 
> Which, when inserted into the document above, as you can see, results in
> the UniqueID being overwritten.
> 
> I have done some minor experimentation with this, and have been
> successful in doing the same thing.
> 
> It seems to me that it would be possible to set a flag when a variable
> is set for the first time, and throw an exception if anyone tries to
> reset it? Does this seem reasonable? Maybe it could be an optional setting.
> 

The only security issue here is if the attacker is not the submitter 
- the submitter can submit invalid XML the first time round.

I presume this is a bit like SQL attacks: data from a form being blindly 
inserted into something without enough validation of valid chars.

I think Axis will actually escape XML <> delimiters when converting a 
string parameter, just like most XML tools do when marshalling stuff. So 
the message would be
<Email>hackerman@bad.com&lt;/Email&gt;&lt;UniqueID&gt;0&lt;/UniqueID&gt;&lt;Email&gt;hackerman@bad.com</Email> 


Which is a lot less of a problem.
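
The three behaviours discussed in this thread, as an added example that is not Axis code and was not posted by anyone in the thread: a constructed UserRecord template filled in by a careless client that concatenates the raw string (Rogan's first post), a SAX deserialiser that either silently keeps the last value it sees or, in strict mode, flags each field the first time it is set and raises when the same element appears again (the server-side check Rogan proposes), and a client that escapes the string on the way in (the marshalling behaviour Steve expects from Axis). It uses Python's xml.sax instead of the Axis deserialiser so that it runs stand-alone; the names UserRecordHandler, DuplicateElementError, build_naive, build_escaped and deserialise are my own, and the template and payload are constructed from the example in the thread.

```python
import xml.sax
from xml.sax.handler import ContentHandler
from xml.sax.saxutils import escape

# Constructed template, modelled on the UserRecord document in the thread.
# {email} is the only attacker-controlled field.
TEMPLATE = (
    "<UserRecord>"
    "<UniqueID>12345</UniqueID>"
    "<Name>Henry Ackerman</Name>"
    "<Email>{email}</Email>"
    "<Address>123 Disk Drive</Address>"
    "</UserRecord>"
)

# The submitted value from the thread: closes <Email>, repeats <UniqueID>,
# then reopens <Email> so the document stays well-formed.
PAYLOAD = "hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com"


def build_naive(email):
    """Careless client: pastes the raw string into a preconstructed template."""
    return TEMPLATE.format(email=email)


def build_escaped(email):
    """Marshalling client: escapes &, < and > so markup in the value is inert."""
    return TEMPLATE.format(email=escape(email))


class DuplicateElementError(ValueError):
    """Raised in strict mode when a field element occurs more than once."""


class UserRecordHandler(ContentHandler):
    """SAX deserialiser for UserRecord.

    strict=False reproduces last-write-wins: each element simply overwrites
    the field.  strict=True records that a field has been set and raises on
    any repeat, which is the check proposed in the thread.
    """

    FIELDS = {"UniqueID", "Name", "Email", "Address"}

    def __init__(self, strict):
        super().__init__()
        self.strict = strict
        self.record = {}      # field name -> text
        self._current = None  # field whose text is being collected
        self._buf = []        # characters() may deliver text in chunks

    def startElement(self, name, attrs):
        if name in self.FIELDS:
            if self.strict and name in self.record:
                raise DuplicateElementError("element <%s> set twice" % name)
            self._current = name
            self._buf = []

    def characters(self, content):
        if self._current is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == self._current:
            self.record[name] = "".join(self._buf)
            self._current = None


def deserialise(xml_text, strict):
    """Parse one UserRecord document and return its fields as a dict."""
    handler = UserRecordHandler(strict)
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.record


if __name__ == "__main__":
    # Careless client + lenient server: the second <UniqueID> wins.
    print(deserialise(build_naive(PAYLOAD), strict=False))
    # Careless client + strict server: the repeat is detected.
    try:
        deserialise(build_naive(PAYLOAD), strict=True)
    except DuplicateElementError as err:
        print("rejected:", err)
    # Escaping client: the payload is just an odd-looking email address.
    print(deserialise(build_escaped(PAYLOAD), strict=True))
```

Two details matter in practice. The strict check keys on the element name rather than on the Java field being assigned, so it also catches a repeated element that deserialises to the same field under a different path; and the escaping client still produces a well-formed document in which the parser hands the decoded entities back as ordinary text, so a strict server accepts it and the stored email is the literal string the attacker typed, with UniqueID untouched.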