Consider the below piece of XML code.

<!DOCTYPE foo [

<!ENTITY a "1234567890" >

<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >

<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >

<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >

<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >

<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >

<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >

<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >

<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >

<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >

<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >

<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >

<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" >

]>

<foo>&m;</foo>

The above does look like some garbage but when this data is parsed by your XML parser, it has the potential to use up all your CPU and get your XML service down.

Does this get your attention? Ok, now let us what is so scary about this innocent looking code.

DOCTYPE:

People who are familiar with DOCTYPE, DTD and Entities can move on to the next passage. For others, I will try to give a little background on this.

A XML document is made up building blocks called Elements. Each element can have one to many attributes and zero –to-many child elements. The elements will also carry data. While XML is all about elements, data and its attributes, the definition of these elements is done in Document Type Definition (DTD). There is one other building block in XML called Entities. Entities are something like macros or alias. If you want to repeat the message ‘hi’ 1000 times in your XML, you can just define this string as an entity and specify it in your XML. While parsing, XML parser will take care of replacing the entity with ‘hi’ thousand times.

Code Explanation:

In the above code, while XML parses the entities, the entity ‘&m;’ will blow out to 687,194,767,360 in size. Expanding this entity would be a time consuming job for the CPU and it will go down. And so, we successfully brought down a system with a humble piece of code.

Remediation:

A soap message should actually make use of XSD schema and not DTD. Even if DTD is used, the XML parser shouldn’t encourage the use of entities. But there might be instances when entities are desired. In that case, the parser should limit the size of data it expands. Or set an Auto Timeout after which it will stop parsing to halt this denial of service attack.

But, in reality, how many parsers take care of this attack?

If you are a developer working on XML, you should know how to protect your application from XML based attacks. If you are not working on XML, its never too late to learn

Before we dive into XML Security, I will give a brief on what is XML.

XML:

XML stands for eXtensible Markup Language. This is the de-facto standard produced and specified by W3C to transport, store and carry data.

Applications:

XML is used extensively to transport data between applications, web services and is one of the components in web2.0 ajax based framworks. In this age, atleast 1/3 of the websites available on the internet would use XML in one form or other. These applications would not just use XML but rely on XML for their usability, availability and accuracy.

Since XML has become more important for an application, attackers are also more interested in exploiting XML data. While there are numerous examples on the internet to lanuch network based attacks and application based attacks, exploits against XML payloads (data) are very less in number.

In this series, we will see what kind of attacks are possible and how we can protect a XML payload against these attacks. Today, I will talk about one particular attack called ‘Parameter Tampering’.

Paramater Tampering:

This is not a new term to an application security professional. Ever since appsec consultants were born, they have been tampering with whatever data that comes to their hand. So, XML based tampering is no surprise.

So, what kind of acts are possible in this category?

1) Tweaking the XML elements, attributes or the text content to inject cross site scripting attack.

2) SQL Injection attack by tweaking the text content in XML.

3) Adding non-existent attributes or elements to an XML and checking whether it would cause DOS or information leakage.

4) Adding parameters that would make the XML malformed and check for exceptional conditions.

5) Inserting malicious special characters to check for malformed XML.

6) Using long attribute names or element names

7) Jumbo Payload (unclosed tags) and checking whether it cause DOS (denial of service).

The above (7) points are pretty self-explanatory and I hope I needn’t explain step by step. Now, that I have detailed these notorius acts, what do you think can protect your application from these acts?

Remediation:

The application should ensure that it checks for the correct element length, type, position, format and validate its XML data. Seems fair enough, isn’t it? In my next article, I would talk about another attack called ‘Entity Expansion’.

My learning source is my EC Council training and internet. So, I will take you on a tour by covering the below modules.

Off late, I am using ‘Microsoft Communicator’ to a great extent and I just can’t imagine how my life would be without it. Let me list out the features that I like here.

1) Group Chat – It’s there in other messengers too

2) Sharing Desktop and taking control – Since I work remotely, this is an indispensable feature. I use this to show demos, assign tasks to developers and in debugging.

3) Tag Contact – A trivia but yet so nice. I can keep a tab on a person to know his availability.

4) Its integrated with outlook..

I guess GTalk , Yahoo and MSN might offer some of the above features. But overall, I like Communicator the best.

“Celia, forget about security. Once you put your application on the web, no matter what you do, it is always vulnerable.”

Another one said, “Gosh! Remember that we are from the service industry. Lets not overdo on that security aspect. The client will take care of it when he deploys it. Also, remember, we can do only what they ask for.. “

As I pondered about this, I was wondering how I could strike a balance between these two people. Agreed, security is an ongoing thing. It seems like a race between the hackers and the crackers.. Today, we find a vulnerability and fix it. Tomorrow, there comes another issue.

Likewise, clients come in all flavors. There are some who really know a lot about what they want. These people are a delight to work with as their requirements are very clear. Also, they are quick to understand and know that building efficient security applications do take some royal effort. And there are some who think that application development shouldn’t take more than a week. There was this manager who once asked me, “After all, its just adding, editing, deleting and viewing. You are not doing rocket science. Why is it taking more time?”.

Yeah.. I agree to it. It would just take me one single query on the database to let an administrator login to a system. But it would take me atleast 10 other policy checks to prevent other users from manipulating this query. Wouldn’t this take some solid effort?

I hope people are atleast nodding a little now. Let me say one thing now. Even popular websites like gmail, facebook, youtube and msn have vulnerabilities. So, its not just because of a poor programmer’s pathetic code. Even experienced experts find it difficult to take care of all vulnerability issues when all their attention is focused on business logic.

In this case, what can be done? First thing:

Client: Client has to know that building secure web application takes some time. And some real effort.

Developer: The programmer needs to know how to secure their code and need to follow some security standard.

PM: The one who takes the real pressure. Needs to coordinate between the above two.

Security Consultant: The one who tells us what we already know .. well, jokes apart.. This is the person who makes our lives simpler. Who tells us what needs to be done to make our code secure and who reviews it before the app gets deployed in the production environment.

Now, just like how we have a separate team for application design, BI development and testing, we do need a separate group of security experts who concentrate just on the security aspect of the application. How a security expert will add value to the application, will be discussed in PART 2 of this article…

To Start with, let me tell you the standard that has been adopted by the security world.

The standards available are

1) OWASP top ten security vulnerabilities

2) CWE/SANS Top 25 software vulnerabilities

Since OWASP broadly covers the most of the aspects, I will be taking this as my verification standard.

For all the vulnerabilities covered, example code will be that of php language.

Lets dive in..

1) To call the executable c code from php using function calls like system or ~~.

2) To compile the c code and make it into a php extension. This way, he can call methods in the code and use its objects.

We found one tool which is helpful in developing these extensions. That is SWIG. SWIG is a compiler that takes C declarations and turns them into the “glue” needed to access them from common scripting languages including Perl, Python, and Tcl. SWIG usually requires no modifications to existing C code and can often be used to build a working interface in a matter of minutes.

http://www.swig.org/Doc1.1/HTML/Introduction.html#n1

Though this seems quite an interesting option, he was a little hesitant because he was not sure whether the c++ code would have been written in such a way to act as a stand alone library.

3) To turn over to python. I have heard that in python, one can include c++ code and get down to the nuts and grits of any API.

Though this was a mundane 5 minute conversation, I found that it offered enough scope to look into one weak-area of PHP. Does anyone have any expertise in such a area? Like accessing native API code from scripting languages?

Any thoughts, inputs are welcome.

But sadly, it doesn’t work for GMAIL smtp server, the reason being that GMAIL requires TLS or SSL to send mails.

I found a way to fix this problem.

Fix:

1) Just prefix your smtp hostname with a ssl://
In this case, your hostname will be ssl://smtp.gmail.com

$this->phpMail->Host = "ssl://smtp.gmail.com";
$this->phpMail->Port=465;

2) Comment out the following lines of code in class.phpmailer.php
/* if(strstr($hosts[$index], ":"))
list($host, $port) = explode(":", $hosts[$index]);
else */

I guess that would be from Line No: 537 – 539

Save the file and test it out.

I have followed a terminology here.
CMD – means command mode.
INS – means insert mode.
VIS – means visual mode.
LOC – means to be entered in .vimrc file

However, if there is some text contained in the textarea, IE positions the cursor at the end whereas safari positions the cursor at the beginning. After some frantic google searching, I found the below javascript would fix this discrepancy.

replybox=document.myform.reply;
replybox.focus(0);
if (replybox.setSelectionRange )
{
replybox.setSelectionRange(0,0);
}

This works fine in all the browsers. Let me know if this helped you.