XSLT Processing Security and Server Side Request Forgeries
OWASP Switzerland Meeting | 2015-06-17
Emanuel Duss, Roland Bischofberger
Emanuel Duss, Roland Bischofberger | XSLT & SSRF OWASP Switzerland Meeting | 2015-06-17 2
Who are we?
Students @ Hochschule für Technik Rapperswil (HSR)
Emanuel Duss
Roland Bischofberger
Seminar paper for Compass Security Schweiz AG
Topic: «XSLT Processing Security and Server Side Request Forgeries»
Table of contents
Introduction
Attacks
Mitigation
Demo
Conclusion
Part 1: Introduction
Initial position
Attacks on XML are well known (XXE)
Attacks on XSLT less known
Vulnerabilities found by Nicolas Grégoire
Server Side Request Forgeries (SSRF) possible
Our work: Testing different XSLT processors for vulnerabilities
Basics XXE
XML External Entity (XXE)
Basics SSRF
Server Side Request Forgeries (SSRF)
Basics XSLT
Extensible Stylesheet Language (XSL) Transformation
XSLT processor converts an XML file, using a stylesheet, into other formats: HTML, XML, SVG, text, PDF
Widespread processors: libxslt, Saxon, Xalan, MSXML
(Diagram on slide: XML + XSL → XSLT processor → output)
Basics XSLT
(Example on slide: XML input, XSL stylesheet, Output)
Tested processors (table on slide; XSLT 2.0)
Part 2: Attacks
Information exposure: System information
Goal: Read system information
Sample snippet:
Sample output:
Information exposure: System information
Test results
Read files: document() function
Goal: Read system files
Sample snippet:
Only possible with well-formed XML files
copy-of command outputs the XML including its tags
Sample output:
libxslt delivers the first line of a non-well-formed XML file:
Read files: document() / unparsed-text()
Variations:
Remote URIs → SSRF: HTTP, FTP, SMBFS/CIFS (file:////example.com/share)
Brute force of FTP credentials
Non-well-formed XML: unparsed-text() in XSLT 2.0
Test results:
Information exposure: Portscan
Goal: Port scan of a third-party system
Sample snippet:
Sample output (Saxon):
Information exposure: Portscan
Variations: unparsed-text() in XSLT 2.0
Test results:
Read files: XXE in XSLT
Goal: Read local or remote files
Sample snippet
Sample output:
Read files: XXE in XSLT
Variations: Remote URIs → SSRF
Test results:
Only in Perl and xsltproc, not in PHP and Python
Write files: XSLT 2.0
Goal: Write file to filesystem
Only XSLT 2.0 (Saxon)
Sample: xsl:result-document
Sample output: No output if successful, otherwise error message
Write files: Xalan-J extension
Goal: Write file to filesystem
Extension of Xalan-J
Sample: redirect:write
Sample output: No output if successful, otherwise error message
Write files: EXSL
Goal: Write file to filesystem
EXSL: Community project of XSLT extensions
Some processors implement some of the extensions
exsl:document only implemented by libxslt
Sample: exsl:document
Sample output: No output if successful, otherwise error message
Write files: Saxon Extensions
Goal: Write file to filesystem
Extension of Saxon PE and EE; not included in HE
Sample: file:create-dir
Sample output: No output if successful, otherwise error message
Other functions included in this extension: file:append-text(), file:move(), file:copy(), file:delete(), file:exists(), file:is-file(), file:is-dir(), file:read(), file:write()
Write files
Test results
Include external stylesheet: xsl:include
Goal: Include arbitrary XSL files
Sample snippet
cat external.xsl
Sample output
Include external stylesheet: xml:stylesheet
Goal: Include arbitrary XSL files
Sample snippet
cat file.xml
Sample output
Include External Stylesheet
Test results:
Database: Xalan extension
Goal: Access the database
Sample snippet
Database driver must be included in $CLASSPATH
Sample output: content of the database
Database: Xalan extension
Test results: By default not vulnerable, because the database driver is not in $CLASSPATH
Code execution: php:function
Goal: Run code
Only libxslt in PHP
registerPHPFunctions() has to be called on the processor instance.
Sample snippet
Processor waits for 10 seconds
Code execution: Xalan-J
Goal: Run code
Sample for Xalan-J
Sample snippet
Processor waits for 5 seconds.
Code execution: Saxon EE
Goal: Run code
Sample for Saxon EE
Sample snippet
Runs ping -c 5 google.ch
Code execution: Saxon EE
Additional variations:
C# code in MSXML 6 and .NET system.xml
VBScript in MSXML 4 and 6
Java code with xalan:script in Xalan-J
Test results
Overview
Part 3: Mitigation
Mitigation for libxslt
No mitigation: system-property
Read files: XSL_SECPREF_READ_FILE (xsltproc: no option available)
Read remote files, XXE, Include external stylesheets: XSL_SECPREF_READ_NETWORK (xsltproc: --nonet)
Write files: XSL_SECPREF_WRITE_FILE
Mitigation for Saxon-HE and Saxon-EE
No mitigation: system-property
Read files, Read remote files, Include external stylesheets: Own class which implements the URIResolver interface; whitelist allowed files
Read remote files with unparsed-text(): Own class which implements the UnparsedTextURIResolver interface
XXE
Code execution, system-getProperty(), xsl:result-document, file:list, file:create-dir, ...: setFeature: http://saxon.sf.net/feature/allow-external-functions
Mitigation for Xalan-J
No mitigation: system-property
Code execution, system.getProperty(), redirect:write, xalan:checkEnvironment()
Read files, Read remote files, Include external stylesheets: Own class which implements the URIResolver interface; whitelist allowed files
XXE
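The whitelisting URIResolver and the feature switches from the Saxon and Xalan-J mitigation slides, written out as an added example (my code, not the authors'): the resolver throws on every non-file scheme and on anything outside one trusted directory, the factory enables JAXP secure processing plus Saxon's allow-external-functions switch, and both the data and the stylesheet are parsed with external entities disabled. Assumed: Saxon or Xalan-J is the JAXP TransformerFactory on the classpath, paths are POSIX, and the class names WhitelistResolver and SafeXslt are my own.

```java
import java.io.File;
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.*;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;

// URIResolver that serves nothing outside one trusted directory (class name is mine).
final class WhitelistResolver implements URIResolver {
    private final Path allowedDir;
    WhitelistResolver(Path allowedDir) {
        this.allowedDir = allowedDir.toAbsolutePath().normalize();
    }
    @Override
    public Source resolve(String href, String base) throws TransformerException {
        // Reached for xsl:include, xsl:import and document(). Throwing is the only safe
        // refusal: a null return makes the processor fall back to its default resolver.
        URI uri;
        try {
            uri = (base == null) ? new URI(href) : new URI(base).resolve(href);
        } catch (Exception e) {
            throw new TransformerException("unparseable href: " + href, e);
        }
        boolean local = uri.getScheme() == null
                || ("file".equals(uri.getScheme()) && uri.getHost() == null);
        if (!local || uri.getPath() == null) {
            throw new TransformerException("scheme or host not allowed: " + uri);
        }
        // Relative hrefs resolve inside the directory; absolute file: paths are
        // normalised first, so ../ and file:////host/share cannot escape the check.
        Path target = (uri.getScheme() == null)
                ? allowedDir.resolve(uri.getPath()).normalize()
                : Paths.get(uri.getPath()).toAbsolutePath().normalize();
        if (!target.startsWith(allowedDir)) {
            throw new TransformerException("outside whitelist: " + target);
        }
        return new StreamSource(target.toFile());
    }
}

// Processor setup for Saxon or Xalan-J, plus hardened parsing of the XML inputs.
final class SafeXslt {
    static final String SAXON_EXT_FUNCS = "http://saxon.sf.net/feature/allow-external-functions";

    static TransformerFactory newFactory(Path allowedDir) throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Standard JAXP switch: Saxon and Xalan-J stop dispatching to Java extension
        // functions and extension elements (java: calls, xalan:script, redirect:write).
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            tf.setFeature(SAXON_EXT_FUNCS, false);   // Saxon-specific switch from the slide
        } catch (TransformerConfigurationException notSaxon) {
            // Xalan-J reports the name as unknown; secure processing above already applies.
        }
        tf.setURIResolver(new WhitelistResolver(allowedDir));
        return tf;
    }

    // Parse an input document, or the stylesheet itself, with external entities off.
    // Fails closed: an unsupported feature name throws instead of silently parsing.
    static Source secureSource(File xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);   // XSLT needs namespace-aware parsing
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // The stylesheet is XML too: feed it through this same reader, otherwise an
        // entity declared inside the XSL file bypasses everything configured above.
        return new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(xml.toURI().toString()));
    }
}
```

Wire it up as `newFactory(dir).newTransformer(secureSource(xslFile))` and then `transform(secureSource(xmlFile), result)`; the Transformer inherits the factory's resolver, so document() calls go through the same whitelist as xsl:include.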
Mitigation for Xalan-C
No mitigation: System-property, Read remote files, Include external stylesheets
XXE: Xerces XML parser:
Or in the Xalan XSLT processor: Own EntityResolver which returns an empty Source.
MSXML 4.0
No mitigation: system-property, msxml:version, Include external stylesheets
Read files, Read remote files
XXE
Code execution
MSXML 6.0 and .NET system.xml
No mitigation: System-property, msxml:version
Part 4: Demo
Overview
Goal: Find the credit card number of Hubert Wühler in the unfiltered secret.xml.
(Network diagram on slide: 192.168.1.0/24; well-known port, according to RFC 6335; SSH for management)
Workflow
Analyse how reports are generated
Host enumeration to find the data server
Port scan to find the well-known port
Download secret.xml
Part 5: Conclusion
Questions
Unicorns, Cats or Questions?
Links and additional information
SSRF vs. Business Critical Applications by Alexander Polyakov et al.:
http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
http://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.pdf
Material by Nicolas Grégoire:
XSLT Wiki: http://xhe.myxwiki.org/xwiki/bin/view/XSLT/
Offensive XSLT, Hack In Paris 2011: https://www.youtube.com/watch?v=8YYa1CWI1AU
Offensive XSLT slides: https://prezi.com/y_fuybfudgnd/offensive-xslt
Google Appliance ProxyStyleSheet Command Execution, CVE-2005-3757: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-3757%2F
Metasploit module by H.D. Moore: https://www.exploit-db.com/exploits/16907
Contact and seminar paper
Emanuel Duss: E-Mail [email protected] (0x6E3FADB6), Twitter @mindfuckup
Roland Bischofberger: E-Mail [email protected]
Seminar paper: Description of XSLT, SSRF and XSLT vulnerabilities; all detailed test results and mitigations
Download (German): http://eprints.hsr.ch/414