December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 9-9: Preventing XML Attacks
This recipe shows how you can tell when attackers are attempting to send injection attacks within XML payloads.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- ModSecurity
- XML variable
- @validateSchema operator
- @rx operator
CAPEC-83: XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.
Sample Attacks
Let’s look at a web service that sends XML data in POST requests:
POST /axis/getBalance.jws HTTP/1.0 Content-Type: text/xml; charset=utf-8 SOAPAction: "" Content-Length: 576 Expect: 100-continue Host: www.bluebank.example.com <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/ " xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://www.bluebank.example.com/axis/getBalance.jws" xmlns:types=" http://www.bluebank.example.com/axis/getBalance.jws/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/ ...