Vulnerability Testing in Web Applications External Entities XML

Aleksandr А. Osincev, Olga R. Laponina

Abstract


The paper considers the concept of external entities in the XML language, provides the most popular scenarios for executing attacks on web applications using external XML entities. A brief comparative review of dynamic testing tools for XXE-vulnerabilities has been performed. Described the process of deploying the stand for testing web applications for the presence of XXE vulnerability and implemented various testing scenarios both manually and using the OWASP ZAP scanner. There are also improvements to the OWASP ZAP software that were implemented during the course of the work. XXE testing was performed on two applications: OWASP Multillidae and XXELab. A module has been implemented that allows you to configure ZAP through the REST API, run the scanner to actively scan XXE vulnerabilities and get a report on the work. Vulnerability search automation is implemented using the REST API and Qt.


Full Text:

PDF (Russian)

References


XML 1.0. W3C Recommendation / https://www.w3.org/TR/REC-xml/

XML Schema, DTD and Entity Attack. A Compendium of Known Techniques Version 1.0 / Timothy D. Morgan, Omar Al Ibrahim – Virtual Security Research, LLC, 2014, p.36.

OWASP TOP 10 – 2017 rcl. The Ten Most Critical Web Application Security Risks / J. Williams, D. Wichers. – OWASP Foundation, 2017, p.23.

Testing Guide / M. Meucci, A. Muller. – OWASP Foundation, v4.0, 2014, p.384.

XML External Entity Attacks (XXE) / S. Herzog – OWASP Foundation, 2010, p.41.

B. Sullivan. Security Briefs - XML Denial of Service Attacks and Defenses / https://msdn.microsoft.com/en-us/magazine/ee335713.aspx

D. Wichers, X. Wang, J. Jardine, T. Hsu, D. Fleming. XML External Entity Prevention Cheat Sheet / https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md

Qt 5.3. Professional'noe programmirovanie na C++ / M. Shlee - BHV-Peterburg, 2015. – s. 928.


Refbacks

  • There are currently no refbacks.


Abava  Absolutech IT-EDU 2019

ISSN: 2307-8162