Describe how an XML injection attack can be performed.
An XML injection attack happens when user-supplied input is inserted into an XML document without being escaped, so that markup in the input (tags, entity references, comments) becomes part of the document. The XML parser cannot tell injected markup from the application's own, so the attacker can alter the document's structure rather than just a value.
Example: Suppose the application wraps the "quantity" form field as <quantity>...</quantity> and appends its own <price> element afterwards. If a user enters 1</quantity><price>1.0</price><quantity>1 into the quantity field, the XML becomes:
<quantity>1</quantity><price>1.0</price><quantity>1</quantity>
This adds a fake <price> element ahead of the application's own one, overriding the original price (e.g. 500.0 becomes 1.0) in any consumer that reads the first <price> it finds. Whether the injection wins depends on which occurrence the consumer reads and on the parser accepting duplicate elements, which is why schema validation that forbids them matters.
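The injection above, as an added Python example (not part of the original flashcard): the vulnerable builder concatenates the raw field into the template, the two hardened builders escape it (xml.sax.saxutils.escape) or build the tree with ElementTree, and a consumer that reads the first <price> shows which one the attacker controls. The order element, the 500.0 server price and the consumer are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: the price is set server-side and must not be user-controlled.
SERVER_PRICE = "500.0"
# The payload from the flashcard, as typed into the "quantity" field.
PAYLOAD = "1</quantity><price>1.0</price><quantity>1"


def build_order_vulnerable(quantity: str) -> str:
    """Concatenates raw input into markup: whatever the user types becomes XML."""
    return (
        "<order>"
        f"<quantity>{quantity}</quantity>"
        f"<price>{SERVER_PRICE}</price>"
        "</order>"
    )


def build_order_escaped(quantity: str) -> str:
    """Same template, but < > & in the input are escaped so they stay text."""
    return (
        "<order>"
        f"<quantity>{escape(quantity)}</quantity>"
        f"<price>{SERVER_PRICE}</price>"
        "</order>"
    )


def build_order_tree(quantity: str) -> str:
    """Builds the document with the DOM API; ElementTree escapes text on output."""
    order = ET.Element("order")
    ET.SubElement(order, "quantity").text = quantity
    ET.SubElement(order, "price").text = SERVER_PRICE
    return ET.tostring(order, encoding="unicode")


def read_order(xml_doc: str) -> dict:
    """Mimics a consumer that reads the first <quantity> and the first <price>."""
    root = ET.fromstring(xml_doc)
    return {
        "quantity": root.find("quantity").text,
        "price": root.find("price").text,
        "price_count": len(root.findall("price")),
    }


if __name__ == "__main__":
    # The vulnerable document carries two <price> elements and the consumer
    # reads the attacker's 1.0; both hardened forms keep one <price> of 500.0
    # and store the payload as a literal quantity string.
    for build in (build_order_vulnerable, build_order_escaped, build_order_tree):
        print(build.__name__, read_order(build(PAYLOAD)))
```

Escaping stops the structural attack but still hands the application the literal string "1</quantity>..." as a quantity, which is why type validation of the value (an XSD facet or an integer parse) is the second half of the fix.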
Describe how an XML External Entity (XXE) attack can be performed.
An XXE attack exploits external entity declarations in a document's DTD: the attacker declares an entity whose content is loaded from a URL, and a parser that resolves external entities fetches that resource (a local file, or an internal network URL) and substitutes it into the document.
Example:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> <Hack>&xxe;</Hack>
Here, the XML defines an entity xxe that points to the server's /etc/passwd file. When parsed, the server replaces &xxe; with the file's contents, and the result leaks wherever the application echoes or stores the parsed document. The attack only works if the parser is configured to resolve external general entities; the defence is to disable that (and DTD processing in general) in the parser, which many modern parsers do by default.
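The same attack run both ways, as an added Python example (not from the original flashcard) using the standard library's xml.sax parser. The external-general-entities feature is the switch that decides whether SYSTEM entities are fetched; the example writes a constructed stand-in for /etc/passwd to a temporary file so it runs offline, then parses the flashcard's document once with the feature enabled and once with it disabled.

```python
import os
import tempfile
import xml.sax
from io import BytesIO
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers every character-data callback; resolved entity text arrives here too."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts)


def xxe_document(file_url: str) -> str:
    """The attacker's document from the flashcard, aimed at file_url instead of /etc/passwd."""
    return (f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "{file_url}">]>'
            '<Hack>&xxe;</Hack>')


def parse_text(xml_doc: str, resolve_external: bool) -> str:
    """Parses with xml.sax; resolve_external sets feature_external_ges for this parser."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(BytesIO(xml_doc.encode("utf-8")))
    return handler.text()


def demo() -> tuple:
    """Writes a constructed secret file, parses the XXE document with and without
    external entity resolution, and returns (resolved_text, blocked_text, secret)."""
    secret = "root:x:0:0:root:/root:/bin/bash"   # constructed stand-in for /etc/passwd
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    try:
        doc = xxe_document(Path(path).as_uri())
        resolved = parse_text(doc, resolve_external=True)   # file contents leak into <Hack>
        blocked = parse_text(doc, resolve_external=False)   # entity is skipped, nothing leaks
    finally:
        os.unlink(path)
    return resolved, blocked, secret


if __name__ == "__main__":
    resolved, blocked, secret = demo()
    print("resolved:", repr(resolved))
    print("blocked: ", repr(blocked))
```

With resolution enabled the text content of <Hack> is the file, which is exactly what an application that echoes parsed values back to the client would leak; with it disabled the reference is skipped and the element is empty. The parser setting, not input filtering, is the control here.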
Describe how an XML Bomb attack can be performed.
An XML Bomb (the "billion laughs" attack) uses a chain of entity definitions, each referencing the previous one several times, so that a document of a few hundred bytes expands to an enormous amount of text when the parser resolves the references.
<!ENTITY lo1 "lo1">
<!ENTITY lo2 "&lo1;&lo1;&lo1;&lo1;">
...
<!ENTITY lo10 "&lo9;&lo9;&lo9;&lo9;">
Each entity references the previous one four times, so the expanded size multiplies by four per level: &lo10; expands to 4^9 = 262,144 copies of lo1 (about 786 KB) from a document of a few hundred bytes. The classic variant uses ten references per level over ten levels and expands to 10^9 copies (about 3 GB), consuming massive memory and causing a denial-of-service (DoS). Parsers defend against this by limiting the entity expansion ratio or the total expanded size rather than by inspecting the document.
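The growth computed without triggering it, as an added Python example that is not part of the original flashcard: it reads the <!ENTITY ...> declarations, computes each entity's expanded length by recursion over the references (never building the strings), and applies an amplification limit modelled on libexpat's default billion-laughs protection (amplification factor 100, activated once the expanded output would exceed 8 MiB). make_bomb generalises the flashcard's chain to any depth and fan-out; the declaration regex, the accept policy and the sample documents are constructed for this example.

```python
import re

# Minimal DTD scanner: enough for internal general entities with quoted values.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}  # expand to one char each


def make_bomb(levels: int, refs_per_level: int) -> str:
    """Constructed sample: lo1 is the literal 'lo1'; each loN references lo(N-1)
    refs_per_level times, as in the flashcard (levels=10, refs_per_level=4)."""
    decls = ['<!ENTITY lo1 "lo1">']
    for n in range(2, levels + 1):
        body = f"&lo{n - 1};" * refs_per_level
        decls.append(f'<!ENTITY lo{n} "{body}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE bomb [\n' + "\n".join(decls)
            + f'\n]>\n<bomb>&lo{levels};</bomb>')


def declared_entities(doc: str) -> dict:
    """Maps entity name to its (unexpanded) replacement text."""
    return dict(ENTITY_DECL.findall(doc))


def entity_sizes(entities: dict) -> dict:
    """Expanded length of every entity, computed arithmetically rather than by expanding."""
    sizes = {}

    def size(name, visiting):
        if name in PREDEFINED:
            return PREDEFINED[name]
        if name in sizes:
            return sizes[name]
        if name in visiting:
            raise ValueError(f"recursive entity &{name};")  # illegal in XML anyway
        value = entities[name]
        total = len(ENTITY_REF.sub("", value))  # literal characters in the value
        for ref in ENTITY_REF.findall(value):
            total += size(ref, visiting | {name})
        sizes[name] = total
        return total

    for name in entities:
        size(name, frozenset())
    return sizes


def expansion_cost(doc: str) -> int:
    """Characters the document body occupies once every reference is expanded."""
    sizes = entity_sizes(declared_entities(doc))
    body = doc.split("]>", 1)[1] if "]>" in doc else doc
    total = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.findall(body):
        total += sizes[ref] if ref in sizes else PREDEFINED.get(ref, 0)
    return total


def amplification(doc: str) -> float:
    """Expanded size divided by input size: the ratio expansion limits are based on."""
    return expansion_cost(doc) / len(doc)


def accept(doc: str, max_amplification: float = 100.0,
           threshold: int = 8 * 1024 * 1024) -> bool:
    """Policy modelled on libexpat's defaults: reject only when the expanded output
    exceeds threshold bytes and the amplification factor exceeds max_amplification."""
    cost = expansion_cost(doc)
    return cost <= threshold or cost / len(doc) <= max_amplification


if __name__ == "__main__":
    for levels, refs in ((10, 4), (10, 10)):
        doc = make_bomb(levels, refs)
        print(f"{levels} levels x {refs} refs: input {len(doc)} bytes, "
              f"expands to {expansion_cost(doc):,} chars, "
              f"amplification {amplification(doc):,.0f}, accept={accept(doc)}")
```

Note that the flashcard's 4-reference chain stays under the 8 MiB activation threshold and is accepted by this policy even though its amplification is well over 100; a service that parses untrusted XML should either lower the threshold or disable DTD processing entirely, which removes entity declarations altogether.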
Describe how an XSD validation can be used to prevent XML injection attacks.
XSD validation checks that an XML document follows the structure the schema declares: which elements may appear, in what order and how often, and what data type each value must have.
Example: If the XSD declares that <quantity> is a number (say xs:positiveInteger) and appears exactly once, the document produced by the injection above, with its extra <price>1.0</price> and second <quantity>, violates the schema. The validating parser rejects the whole message before the application reads a price from it, blocking the attack. This only helps if every inbound message is validated and the schema is strict (no xs:any or lax wildcards that would let unexpected elements through).
How can XSD inheritance of simple types improve the input validation of XML messages (give an example)?
XSD allows creating custom simple types by restricting a built-in base type with facets (pattern, length, minInclusive, enumeration and so on), so the schema rejects values that merely have the right base type but the wrong shape.
    <xs:simpleType name="PhoneNumber">
      <xs:restriction base="xs:string">
        <xs:pattern value="[0-9]{3}-[0-9]{3}-[0-9]{4}"/>
      </xs:restriction>
    </xs:simpleType>
This defines a PhoneNumber type that only accepts values like 123-456-7890. An XSD pattern is implicitly anchored to the whole value, so any other input (letters, extra characters, an embedded tag) is rejected by the parser before the application ever sees it, improving security.
XSD validation acts like a "rulebook" for XML, blocking attacks by enforcing structure and data rules.
(Restriction derives a new type whose value space is a subset of the base type's: for a simple type, the facets listed are the only extra constraints, so PhoneNumber is an xs:string that must also match the pattern. For a complex type, restriction likewise narrows the base type's content model and never adds anything the base type did not already allow.)
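Both schema answers above (rejecting the injected order, and the PhoneNumber facet) in one added Python example using lxml's XSD validator; this is not code from the original flashcard, and it assumes lxml is installed. The order schema, the phone element and the four sample messages are constructed here: the schema declares quantity as xs:positiveInteger, price as xs:decimal and phone as the flashcard's PhoneNumber type, each exactly once and in that order.

```python
from lxml import etree

# Constructed schema for a hypothetical order message.
ORDER_XSD = """
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:simpleType name="PhoneNumber">
    <xs:restriction base="xs:string">
      <xs:pattern value="[0-9]{3}-[0-9]{3}-[0-9]{4}"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="order">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="quantity" type="xs:positiveInteger"/>
        <xs:element name="price" type="xs:decimal"/>
        <xs:element name="phone" type="PhoneNumber"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
"""
SCHEMA = etree.XMLSchema(etree.fromstring(ORDER_XSD.encode("utf-8")))

# Constructed messages: a clean order, the injected one from the flashcard,
# the same payload correctly escaped, and a bad phone number.
GOOD = ("<order><quantity>1</quantity><price>500.0</price>"
        "<phone>123-456-7890</phone></order>")
INJECTED = ("<order><quantity>1</quantity><price>1.0</price><quantity>1</quantity>"
            "<price>500.0</price><phone>123-456-7890</phone></order>")
ESCAPED = ("<order><quantity>1&lt;/quantity&gt;&lt;price&gt;1.0&lt;/price&gt;"
           "&lt;quantity&gt;1</quantity><price>500.0</price>"
           "<phone>123-456-7890</phone></order>")
BAD_PHONE = ("<order><quantity>1</quantity><price>500.0</price>"
             "<phone>12a-456-7890</phone></order>")


def validate(xml_doc: str) -> tuple:
    """Returns (ok, message); ok is False for malformed XML or any schema violation."""
    try:
        tree = etree.fromstring(xml_doc.encode("utf-8"))
    except etree.XMLSyntaxError as exc:
        return False, f"not well-formed: {exc}"
    if SCHEMA.validate(tree):
        return True, "valid"
    return False, SCHEMA.error_log.last_error.message


if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("injected", INJECTED),
                       ("escaped", ESCAPED), ("bad phone", BAD_PHONE)):
        ok, message = validate(doc)
        print(f"{label:10s} ok={ok}  {message}")
```

The injected message fails on structure (a second <quantity> where <phone> is expected), the escaped one fails on the xs:positiveInteger facet, and the phone fails the pattern; in each case the application receives a rejection instead of a document it would have to interpret.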