Known XML Vulnerabilities Are Still a Threat to Popular Parsers & Open Source Systems

Sadeeq Jan, Cu D. Nguyen, Lionel Briand
Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg

QRS 2015: The 2015 IEEE International Conference on Software Quality, Reliability & Security
Vancouver, Canada, August 3-5, 2015


Motivation

• Widespread use of XML

• De-facto standard for data exchange

• > 500 XML Vulnerabilities reported in National Vulnerability Database (NVD)


NVD Statistics (07/2015)

[Bar chart] Number of vulnerabilities (y-axis, 0 to 250) per category: XML DoS (BIL), XXE, XML Parser, XML injection

Background–XML Vulnerabilities

XML Bomb/Billion Laughs (BIL)

XML External Entity Exploitation (XXE)


XML Bomb/Billion Laughs (BIL)

• DoS attack on XML parser using well-formed XML

• Exponential entity expansion

  <?xml version="1.0"?>
  <!DOCTYPE xmlBOMB [
    <!ENTITY a "Random Text">
    <!ENTITY b "&a; &a; &a; &a; &a;">
    <!ENTITY c "&b; &b; &b; &b; &b;">
    <!ENTITY d "&c; &c; &c; &c; &c;">
  ]>
  <xmlBOMB>&d;</xmlBOMB>

• Impact
  – Higher memory & CPU consumption
  – DoS on parsing system


XML External Entity (XXE) Vulnerabilities

• Attack on a weakly configured parser via XML input containing a reference to an external entity

  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE myFile [
    <!ELEMENT myFile ANY>
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
  ]>
  <myFile>&xxe;</myFile>

• Impact
  – Disclosure of confidential information
  – DoS on parsing system
  – Unauthorized access to system/data


Research Problem and Goals

•  Research problem

•  Insecure use and configuration of XML parsers

•  Lack of adequate security testing of popular XML parsers and open source systems for XML related vulnerabilities

•  Goals

•  Security assessment of popular XML parsers and open source systems

•  Raising awareness among software developers regarding these vulnerabilities


Contribution of This Work

• A large-scale, systematic and rigorous experimental evaluation of BIL/XXE attacks in popular XML parsers and in open source systems using those parsers

• Unbiased and extensive evidence of the lack of mitigation for these vulnerabilities

• To raise awareness among software developers

Research Questions

RQ1: To which extent are BIL and XXE attacks successful in modern XML parsers?

RQ2: Do software systems, which use one of the vulnerable parsers, apply mitigation techniques for BIL and XXE attacks?

Research Methodology

[Diagram] An Input Generator for BIL and XXE attacks produces malicious BIL & XXE files and legitimate XML files; both are fed to the XML parsers & systems under test, and an Observer records:

•  Memory consumption
•  CPU time
•  Response content

Experiment Setup - Subject Selection

[Diagram]

XML Parsers (RQ1): parsers for Java, Python, PHP, C#, Perl, filtered by popularity, where popularity = no. of adoptions (> 0.5 million in GitHub/Google Code), giving 13 XML parsers.

Open Source Systems (RQ2): those using a vulnerable parser (Java DOM), giving 749 Java classes (628 GitHub projects) and 8 applications.

Experiment Setup—Inputs, Subjects and Oracle

Test Inputs
•  10 XML bombs of size M x N for the BIL category
•  3 XML files for the XXE category

Oracle/Indicators
•  Memory consumption
•  CPU time
•  Response content

Subjects - Parsers

S.No  Parser Name
1     JDOM2
2     NanoXML
3     NanoXML-LITE
4     Std-DOM
5     Std-SAX
6     Std-STAX
7     WOODSTOX
8     XERCES-JDOM
9     LXML-ETREE
10    Std-ETREE
11    PERL(XML:LibXML)
12    PHPDOM
13    MSXML

Subjects - Open Source Systems (applications using the XML parser)

S.No  Application
1     Websphere-portal-plugiin
2     File-Archiver-Main
3     AppDF
4     source2XMI
5     Jbm-to-hornetq
6     Fastcatsearch
7     Bimoku-Crawler
8     blog

plus 749 Java classes using the Std-DOM parser (from GitHub projects)

Results

Total #parsers   #Vul. to BIL   #Vul. to XXE
13               8              7

Parsers: More than half of the tested parsers are vulnerable to BIL and XXE.

Open Source Systems: All tested applications (8/8) are vulnerable. 735 out of 749 (98.13%) Java classes from 628 GitHub projects that use the Java DOM parser are vulnerable.

Parser's behavior to BIL attack

Input (No. of entities (M) = 5, No. of references per entity (N) = 5):

  <?xml version="1.0"?>
  <!DOCTYPE xmlBOMB [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;">
  ]>
  <lolz>&lol5;</lolz>

[Screenshots] Response of a non-vulnerable parser vs. response of a vulnerable parser

Parser's behavior to XXE attack

Input:

  <?xml version="1.0"?>
  <!DOCTYPE myFile [
    <!ELEMENT myFile ANY>
    <!ENTITY xxe SYSTEM "C:\Data\fileContents.txt">
  ]>
  <foo>&xxe;</foo>

[Screenshots] Response of a non-vulnerable parser vs. response of a vulnerable parser

Test Oracles

For BIL category:

XML File    Physical size on disk   Memory Consumption   CPU Time   Response Content                      Result
Legit       < 10KB                  < 1MB                < 1 sec    Normal                                Non-vulnerable
Malicious   < 1KB                   > 100 MB             > 10 min   Continued expanding entities          Vulnerable
Malicious   < 1KB                   < 100 MB             < 10 min   Detected & stopped entity expansion   Non-vulnerable

For XXE category:

XML File    Physical size on disk   Response Content                                    Result
Legit       < 1KB                   No external contents                                Non-vulnerable
Malicious   < 1KB                   Acquired external contents referred by the entity   Vulnerable
Malicious   < 1KB                   Blocked access to external contents                 Non-vulnerable

Memory Consumption Analysis

[Chart] Memory consumption when parsing BIL XML files of different sizes (M x N), where M is the number of entities and N is the number of references per entity.

CPU Time Analysis

[Chart] CPU time when parsing BIL XML files of different sizes (M x N), where M is the number of entities and N is the number of references per entity.

Results-details: Parsers

Parser Name        BIL Vulnerable?   XXE Vulnerable?
JDOM2              Yes               Yes
NanoXML            Yes               Yes
NanoXML-LITE       No                No
Std-DOM            Yes               Yes
Std-SAX            Yes               Yes
Std-STAX           No                No
WOODSTOX           No                No
XERCES-JDOM        Yes               Yes
LXML-ETREE         No                No
Std-ETREE          Yes               No
PERL(XML:LibXML)   Yes               Yes
PHPDOM             No                No
MSXML              Yes               Yes
Total              8                 7

Results-details: Applications using a vulnerable parser

Application                BIL Vulnerable?   XXE Vulnerable?
Websphere-portal-plugiin   Yes               Yes
File-Archiver-Main         Yes               Yes
AppDF                      Yes               Yes
source2XMI                 Yes               Yes
Jbm-to-hornetq             Yes               Yes
Bimoku-Crawler             Yes               Yes
blog                       Yes               Yes
Fastcatsearch              Yes               Yes

Sample of 100 open source projects from the 1000 selected in our study: all of these projects use the vulnerable parser (Std-DOM) without disabling the features leading to XML BIL/XXE attacks.

Research Questions-Answers

RQ1: To which extent are BIL and XXE attacks successful in modern XML parsers?

BIL and XXE vulnerabilities are present in modern XML parsers. Among the selected ones, more than half are vulnerable.

RQ2: Do software systems, which use one of the vulnerable parsers, apply mitigation techniques for BIL and XXE attacks?

Systems that adopt a BIL- or XXE-vulnerable XML parser do not apply any proper security measure and are hence vulnerable.

Recommendations

•  Software developers

•  Be aware of security issues in parsers

•  Correctly set parsers’ configuration and disable unused features

•  For example, block/limit external entities

•  Parser developers

•  Secure default configurations, better documentation

•  Adequate security testing
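The pre-parse guard below is an added example (not the paper's input generator or code from any evaluated parser or project) of the two mitigations recommended here, applied to the BIL and XXE inputs shown earlier: it refuses documents that declare external (SYSTEM/PUBLIC) entities, and it costs the total entity expansion from the DTD without performing it, rejecting documents over a limit, which is the "detected & stopped entity expansion" outcome of the test oracle. It assumes the DTD is an internal subset and uses a regex scan rather than a full XML grammar, so it belongs in front of a parser rather than replacing the parser's own secure configuration; the sample inputs are constructed.

```python
import re

# Entity declarations in the internal DTD subset: internal entities carry a quoted
# replacement text, SYSTEM/PUBLIC ones are external (the XXE vector). Parameter
# entities (<!ENTITY % ...>) are not modelled.
_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<name>[\w.:-]+)\s+(?:(?P<ext>SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?'
    r'"[^"]*"|"(?P<dq>[^"]*)"|\'(?P<sq>[^\']*)\')')
_REF_RE = re.compile(r'&([\w.:-]+);')   # general entity reference
_DOCTYPE_RE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)

def inspect_dtd(xml_text, max_expansion=1_000_000, allow_external=False):
    """Pre-parse guard: (verdict, detail), verdict in "ok", "external-entity",
    "entity-expansion". The expansion is costed from the DTD, never performed."""
    m = _DOCTYPE_RE.search(xml_text)
    if not m:                                   # no DTD: nothing can expand
        return "ok", {"expansion": 0}
    internal, external = {}, []
    for d in _ENTITY_RE.finditer(m.group(1)):
        if d.group("ext"):
            external.append(d.group("name"))
        else:
            internal[d.group("name")] = d.group("dq") if d.group("dq") is not None else d.group("sq")
    if external and not allow_external:         # "block external entities"
        return "external-entity", {"entities": external}
    cache = {}
    def size(name, stack=()):
        # Expanded length of one entity, memoised (O(M*N) for an M x N bomb,
        # not N**M) and cycle-safe; undeclared/predefined names count as 0.
        if name in stack:
            raise ValueError("recursive entity reference: " + name)
        if name not in cache:
            parts = _REF_RE.split(internal.get(name, ""))  # literal, ref, literal...
            cache[name] = (sum(len(p) for p in parts[0::2])
                           + sum(size(r, stack + (name,)) for r in parts[1::2]))
        return cache[name]
    expansion = sum(size(r) for r in _REF_RE.findall(xml_text[m.end():]))
    if expansion > max_expansion:               # "limit entity expansion"
        return "entity-expansion", {"expansion": expansion}
    return "ok", {"expansion": expansion}

# Constructed inputs: the slides' 5 x 5 bomb (straight quotes) and their XXE sample.
BOMB = ('<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
        '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;">'
        '<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;">'
        '<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;">'
        '<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;">'
        '<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;">]><lolz>&lol5;</lolz>')
XXE = ('<?xml version="1.0"?><!DOCTYPE myFile [<!ELEMENT myFile ANY>'
       '<!ENTITY xxe SYSTEM "file:///etc/passwd">]><myFile>&xxe;</myFile>')
```

The 5 x 5 bomb is under 1 KB on disk, matching the oracle's "Malicious < 1KB" row, yet costs 9375 characters of expansion; the limit is what turns that ratio into a rejection before any memory is spent.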

Summary