Lists,

I've been playing around with the idea of writing an XXE [0] detection plugin for w3af all evening, but I can't really decide if it is worth it.

Have you guys seen these types of vulnerabilities in the wild? If so, how? Most of the public vulnerabilities I see are exploited in this form:

"""
POST /xmlrpc_server.php HTTP/1.1
Host: $host

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT methodName ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
  <methodName>&xxe;</methodName>
</methodCall>
"""

Which basically means that the vulnerable source code looks like:

"""
<?php
...
$xml = simplexml_load_file("php://input");
...
echo $some_part_of_the_xml;
?>
"""

So our audit plugin should send the xml with the external entity as the post-data to all URLs? I can't find a realistic example where it would make sense to send the custom-xml to one of these:

- Query string parameter: http://host/index.aspx?id=<?xml...>
- HTML Form with url-encoding: http://host/index.aspx with post-data name=<?xml...>&lastname=doe&age=32
- HTML Form with file input, where the uploaded file contains the XML (could... maybe work in some cases... but most likely the /etc/passwd file won't be echoed back in the response).

What do you think? Ideas?

[0] https://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
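The parser setting that decides whether the request body above leaks anything, shown as an added Python example (not w3af code and not from the post): the same XML-RPC body is parsed with the standard library's xml.sax twice, once with external general entities resolved, as a vulnerable endpoint does, and once with that feature left at its default, off. The SYSTEM entity points at a constructed temp file rather than /etc/passwd; SECRET, build_payload and read_method_name are names chosen here.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a file the server must never disclose.
SECRET = "db_password=hunter2"


class TextCollector(ContentHandler):
    """Gathers all character data; in this body that is the <methodName> text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def build_payload(file_url):
    """The XML-RPC request body from the post, with file_url in place of /etc/passwd."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [ <!ELEMENT methodName ANY >\n"
        f'<!ENTITY xxe SYSTEM "{file_url}" >]>\n'
        "<methodCall><methodName>&xxe;</methodName></methodCall>"
    ).encode()


def read_method_name(xml_bytes, resolve_external_entities):
    """Parse as an XML-RPC endpoint would and return the text it would echo back."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # feature_external_ges is the switch that makes SYSTEM entities get fetched;
    # it is off by default since Python 3.7.1 and must stay off for untrusted input.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXException:
        return ""  # a parser that rejects the document is also a safe outcome
    return "".join(handler.parts).strip()


def demo():
    # Returns (what the vulnerable parser echoes, what the hardened parser echoes).
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(SECRET)
    payload = build_payload(pathlib.Path(f.name).as_uri())
    leaked = read_method_name(payload, resolve_external_entities=True)
    safe = read_method_name(payload, resolve_external_entities=False)
    return leaked, safe
```

With entity resolution on, the echoed <methodName> is the temp file's contents; with it off, the entity reference is dropped and nothing from the file reaches the response.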