Posts

Showing posts from February, 2010

XML Injection

Description:

XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application. Further, XML injection can cause the insertion of malicious content into the resulting message/document.


How to Exploit:

Inserting hacker@evil.com</Email><UniqueID>0</UniqueID><Email>hacker@evil.com in the Email field will yield the following result:

<UserRecord>
<UniqueID>123</UniqueID>
<Name>Henry Ackerman</Name><Email>hacker@evil.com</Email><UniqueID>0</UniqueID><Email>hacker@evil.com</Email>
<Address>123 Disk Drive</Address>
<ZipCode>98103</ZipCode>
<PhoneNumber>206-123-4567</PhoneNumber>
</UserRecord>

This adds one more record to the XML database, with UniqueID=0.
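As an added example (not code from the original post), here is the vulnerable string-concatenation builder for the UserRecord above beside a hardened version that lets the XML library escape the field, assuming a Python backend; the payload is a constructed copy of the one quoted above:

```python
# Added example (not from the original post): the Email field from the
# page's UserRecord, built two ways. Assumes a Python backend; the
# payload below is a constructed copy of the one quoted above.
import xml.etree.ElementTree as ET

PAYLOAD = ('hacker@evil.com</Email><UniqueID>0</UniqueID>'
           '<Email>hacker@evil.com')


def build_record_unsafe(unique_id, name, email):
    """Vulnerable: user input is pasted straight into the markup, so
    tags inside `email` become real elements of the record."""
    return ("<UserRecord>"
            f"<UniqueID>{unique_id}</UniqueID>"
            f"<Name>{name}</Name>"
            f"<Email>{email}</Email>"
            "</UserRecord>")


def build_record_safe(unique_id, name, email):
    """Hardened: the record is built as a tree and serialised by the
    XML library, which escapes '<', '>' and '&' in text nodes, so the
    payload stays a literal string inside a single <Email> element."""
    rec = ET.Element("UserRecord")
    ET.SubElement(rec, "UniqueID").text = str(unique_id)
    ET.SubElement(rec, "Name").text = name
    ET.SubElement(rec, "Email").text = email
    return ET.tostring(rec, encoding="unicode")


def unique_ids(xml_text):
    """Parse a record and return the text of every <UniqueID> found;
    a clean record has exactly one, the injected one has two."""
    root = ET.fromstring(xml_text)
    return [el.text for el in root.findall(".//UniqueID")]


def email_values(xml_text):
    """Return the text of every <Email> element in a record."""
    root = ET.fromstring(xml_text)
    return [el.text for el in root.findall(".//Email")]


if __name__ == "__main__":
    print(unique_ids(build_record_unsafe(123, "Henry Ackerman", PAYLOAD)))
    print(unique_ids(build_record_safe(123, "Henry Ackerman", PAYLOAD)))
```

A server-side check that rejects any record parsing to more than one UniqueID is a cheap detection for the concatenation case, but escaping at construction time is the real fix.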


One Live Example:

In order of doing a Web…

Reflected XSS on SearchSecurity.com

SearchSecurity.com, a prominent online information security website that is a resource for IT security professionals for the latest security news, attacks, security topics, whitepapers etc., is itself vulnerable to reflected XSS.
The XSS is possible in the response page that shows an error message if the login fails.

An error page, which handles requests for non-existent pages, a classic 404 error page.



If we request some non-existent page, the application returns the following response:

Requesting http://example.com/non-existent_page.htm will return

Sorry non_existent_page not available

Here the application is embedding the requested page's name in the response. So if a user requests http://example.com/<script>alert("XSS in response page");</script> the application will execute the script when returning a response to the user.

Similarly, the login page of SearchSecurity.com returns an error message in the response page.

....html?Error=Password+provided+is+incorrect.

So replacing it with

....…