axis-java-dev mailing list archives

From Rogan Dawes <li...@dawes.za.net>
Subject Re: Security: Axis robustness against duplicated elements?
Date Tue, 25 Oct 2005 08:41:54 GMT
Steve Loughran wrote:
> Rogan Dawes wrote:
> 
>> Hi folks,
>>
>> I recently attended a presentation at the OWASP (Open Web Application
>> Security Project) Conference in Washington, and the presenter showed an
>> attack scenario involving injection of repeated elements into the XML
>> document.
>>
>> The idea is that if the web service client is careless about
>> constructing the XML that it sends to the backend service, it might be
>> possible to inject additional XML nodes into the document, and overwrite
>> data from previous nodes. This is as a result of Axis (or other toolkit)
>> using SAX events to parse XML.
>>
>> Here is an example:
>>
>> <UserRecord>
>>     <UniqueID>12345</UniqueID>
>>     <Name>Henry Ackerman</Name>
>>     <Email>hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com</Email>
>>
>>     <Address>123 Disk Drive</Address>
>>     <ZipCode>98103</ZipCode>
>>     <PhoneNumber>206-123-4567</PhoneNumber>
>> </UserRecord>
>>
>> The email address is controlled by the attacker, and is submitted as:
>>
>> hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com
>>
>> Which, when inserted into the document above, as you can see, results in
>> the UniqueID being overwritten.
>>
>> I have done some minor experimentation with this, and have been
>> successful in doing the same thing.
>>
>> It seems to me that it would be possible to set a flag when a variable
>> is set for the first time, and throw an exception if anyone tries to
>> reset it? Does this seem reasonable? Maybe it could be an optional 
>> setting.
>>
> 
> The only security issue here is if the attacker is not the submitter 
> -the submitter can submit invalid XML the first time round.
> 
> I presume this is a bit like SQL attacks: data from a form being blindly 
> inserted into something without enough validation of valid chars.
> 
> I think Axis will actually escape XML <> delimiters when converting a 
> string parameter, just like most XML tools do when marshalling stuff. So 
> the message would be
> <Email>hackerman@bad.com&lt;/Email&gt;&lt;UniqueID&gt;0&lt;/UniqueID&gt;&lt;Email&gt;hackerman@bad.com</Email>
> 
> 
> Which is a lot less of a problem.

It might not be a problem with Axis as the client, but it might be with 
a different implementation that simply concatenates a preconstructed 
template, indeed, à la SQL injection.

I still feel that Axis could be doing something on the server side to 
detect and react to this.

How difficult would it be to insert some automatically generated code in 
the deserialiser that ensures that a field is only set once?

As mentioned previously, this could be entirely optional for those that 
are not concerned about attack, if it causes a performance hit.

Regards,

Rogan

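The behaviour discussed in this thread, as an added example that is not code from the thread or from Axis: a careless client that concatenates the attacker's e-mail address into an XML template, a last-wins SAX deserialiser that lets the injected second <UniqueID> overwrite the first, the escaping a marshalling toolkit applies, and the "set once" check Rogan proposes. It is written against Python's xml.sax rather than Axis's Java deserialisers; the record template, field names and sample values are constructed for the example, following the <UserRecord> document quoted above.

```python
"""
Duplicate-element injection against a SAX-style deserialiser.

Added example (not code from the thread or from Axis). It shows, with
Python's xml.sax instead of Axis's Java deserialisers:
  1. a careless client that concatenates attacker data into an XML template,
  2. a last-wins SAX deserialiser in which a second <UniqueID> overwrites
     the first,
  3. the escaping a marshalling toolkit applies, and
  4. a "set once" deserialiser that raises on the repeated element.
The template, field names and sample values are constructed for the
example, modelled on the <UserRecord> document quoted in the thread.
"""
import xml.sax
from xml.sax.handler import ContentHandler
from xml.sax.saxutils import escape

# Constructed template; only the e-mail address is attacker-controlled.
TEMPLATE = (
    "<UserRecord>"
    "<UniqueID>12345</UniqueID>"
    "<Name>Henry Ackerman</Name>"
    "<Email>{email}</Email>"
    "<Address>123 Disk Drive</Address>"
    "</UserRecord>"
)

# The payload from the thread: closes <Email>, injects a second <UniqueID>.
PAYLOAD = "hackerman@bad.com</Email><UniqueID>0</UniqueID><Email>hackerman@bad.com"


def build_naive(email: str) -> str:
    """Careless client: raw string concatenation (the SQL-injection analogue)."""
    return TEMPLATE.format(email=email)


def build_escaped(email: str) -> str:
    """What a marshalling toolkit does: escape <, > and & in character data."""
    return TEMPLATE.format(email=escape(email))


class DuplicateElementError(ValueError):
    """Raised when a child element is set for the second time."""


class RecordHandler(ContentHandler):
    """Flattens the direct children of <UserRecord> into a field -> text dict.

    With reject_duplicates=False this is the last-wins behaviour of a naive
    SAX deserialiser: each endElement simply assigns the field. With
    reject_duplicates=True it keeps a "seen" flag per field and raises when
    a field would be assigned twice (the check proposed in the thread).
    """

    def __init__(self, reject_duplicates: bool):
        super().__init__()
        self.reject_duplicates = reject_duplicates
        self.fields = {}
        self._seen = set()
        self._buf = []
        self._depth = 0

    def startElement(self, name, attrs):
        self._depth += 1
        self._buf = []  # children here carry only text, no nested elements

    def characters(self, content):
        self._buf.append(content)

    def endElement(self, name):
        if self._depth == 2:  # direct child of the <UserRecord> root
            if self.reject_duplicates and name in self._seen:
                raise DuplicateElementError(f"element <{name}> set more than once")
            self._seen.add(name)
            self.fields[name] = "".join(self._buf)
        self._depth -= 1


def deserialise(document: str, reject_duplicates: bool = False) -> dict:
    """Parse the document with xml.sax and return the field dict."""
    handler = RecordHandler(reject_duplicates)
    xml.sax.parseString(document.encode("utf-8"), handler)
    return handler.fields


if __name__ == "__main__":
    naive = build_naive(PAYLOAD)
    print("last-wins UniqueID:", deserialise(naive)["UniqueID"])
    print("escaped   UniqueID:", deserialise(build_escaped(PAYLOAD))["UniqueID"])
    try:
        deserialise(naive, reject_duplicates=True)
    except DuplicateElementError as exc:
        print("set-once  :", exc)
```

The set-once check is a server-side defence that does not depend on every client escaping correctly, which is the point Rogan makes; note that it only rejects a repeated sibling element and does not validate order or presence, so it complements rather than replaces validating the message against a schema in which each field has the default maxOccurs of 1.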