OWASP

Course
Time
4 hours 32 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:01
Hey, everyone, welcome back to the course. So in the last video, we wrapped up our lab on sensitive data exposure
00:06
in this video, where to talk about XML, external entities or more commonly, called X x e.
00:13
So, a quick pre assessment question here, David is a penetration tester for acne incorporating. And he wants to recommend ways to prevent against XXI attacks to his client.
00:23
Which of the following is not a recommendation that he should provide to the client?
00:30
All right, so if he answered d allow XML file upload, You are correct. We'll talk about that in a little bit, using Jason White listing and disabling d t d. Which again will talk about as well. All of those are ways that we can potentially prevent against *** e attacks.
00:45
So are learning objectives. As usual, we're gonna be talking about the risk rating for *** E will also talk about you know what is XXI? What does that actually mean? We'll talk about ways to check as well as wasted, mitigate or prevent against.
00:59
So what rating scale Here again, red is a bad things there. So we see. Ah, that is pretty easy to some extent to discover
01:07
this vulnerability for for an attacker. Also, it's got a potentially significant
01:11
technical impact in mostly in the aspect of it could, you know, execute remote code or something like that.
01:19
So what is XXI? So what occurs here is that a lot of times like older XML processors or, you know, even ones that are someone newer, but they're poorly configured. They allow the evaluation of external entity references so basically allow external entities
01:37
excellent references. So that way they can, you know, basically go out and pull information in,
01:42
Um, just to some extent, I guess, I guess I would say it's kind of like it's not really like, but it's kind of like if you're familiar with, like, Web design and in my code, I put a link to, you know, like a photo that's hosted, You know, let's just say on Google or something, so I'm kind of winking out to that. So
01:59
not really I don't want to use at his example in the aspect of it's a similar process
02:02
because it's not. But just think of that, like reaching out and kind of pulling in. That's what we're talking about here.
02:10
So
02:12
with that, you know. So these external entities, you know, attacker could use that to disclose, like, internal files. You know, they can also, you know, end up doing things like internal port scanning, accessing internal file shares. You know, again, I mentioned remote code execution and even performing like denial of service attacks is well,
02:31
prevalence again is probably primarily for, like, older XML processors, you know. And I also mentioned some Miss configurations, but primarily it's it's seen with old XML processors, and it's actually pretty common thing across those s O. It's not something that is
02:51
tested a whole lot. So, like, for example, if you're trying to do like manual testing for it, you have to be specifically trained with that, you know? So if you're using, like, a dass tool or something, that those require additional manual steps. So, uh,
03:04
as of like 2017 when a loss came out this list, it wasn't tested frequently on Emanuel Aspect.
03:12
So how do we check for this? So
03:14
a couple ways, you know, does your application allow for XML or XML uploads directly? That's not a good thing that I shouldn't do that, Uh, d T d T d s. Excuse me? Are those enables? So that's it stands for document type definitions. Basically, those defined the document structure and they valuably validate the attributes in the document.
03:35
Does you know, Are you using, like, an older version of soap? You know, star using something specifically ah, version prior to, like, one point to, uh and then,
03:44
you know, are you are we able to ski? You know, basically, we could scan with the SAS tool, which is a an automated tool. So it stands for static applications security testing, so we could use that tool to potentially check for this particular vulnerability.
03:58
And what that does specifically the South tools is they're gonna inspect dependencies and also the configuration of the code. And that way we can again take a look and see if this particular XML processor is vulnerable to this attack.
04:13
So the impact, you know, what is the impact? Well,
04:15
we kind of talked about, you know, the attacker accessing data right in performing a denial of service attack. Also, they can extract data, they can perform the internal report scanning as we mentioned, and then they can also you know, execute remote request from the server.
04:30
So how do we prevent against it? Well, we can use, you know, using less complex data format. So Jason is, you know, popular one. Avoid serialization patching, you know, So obviously making sure our soak version is up to date or whatever other self we're using
04:47
disabled the d t d processing again, the stance for document type definitions,
04:51
white listing service, side input. And then, of course, you know, again scanning with sass tools, we can potentially find vulnerabilities and get it fixed in advance of an attacker exploiting it.
05:03
So just a quick post assessment question here. These tools can discover *** yvonne abilities by inspecting dependencies and configuration without needing additional manual steps. So which one of those on this list would be the correct answer?
05:18
All rights. If you guessed answers, See, that is correct. Now, we talked about again that sass tools are gonna be inspecting dependencies and configuration gas tools again require manual manual importer manual steps to actually allow you to detect XXII.
05:33
Bird sweet is actually for a Web vulnerabilities. So it could potentially it, uh,
05:39
potentially find out *** ease. But But it's not normally used for that normally feel like cross that scripting or sequel injection vulnerabilities. That's normally what we would kind of use birth suite for on then f t k or Ah, that's basically a forensic tool. S o F T k imager. We would use that in forensics, too, you know,
05:57
taking dimension than analyzing data,
05:59
often machines. So nothing we're talking about in this old last course signed note or side plug, if you will. I do have a forensic course on the web sites. If you are interested in forensics, if you gotta looks all excited when I talked about FT. FT K immature, then by all means, check out that course and you can take a look in a deeper dive into digital forensics.
06:17
All right, so in this video, we talked about XML external entities at a very, very high level. I want to stress again that all these modules were hitting at a very high level. Since this is intended as a introductory type, of course on then, the next video, we're gonna actually do a lab with *** E. And then from there we'll move in too much of six. Where we talk about broken access control

Up Next

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor