XML is Evil - OWASP Manchester May 2019

•

0 recomendaciones•334 vistas

Slides from OWASP Manchester May 2019. A brief description of security vulnerabilities caused by insecure or out-of-date XML implementations for Java Services, and what your business can do to mitigate against them.

Tecnología

Gerald Benischke
Software Engineer
XML is Evil

Making Software. Better.
Simple solutions to big business problems.
Equal Experts is a network of talented, experienced, software
consultants, specialising in agile delivery.

The network
I’m part of the Equal Experts network,
a community of highly-experienced
software professionals.
At Equal Experts we’re given the
freedom to get on with what’s
important - delivering better software
for our clients’ customers.

XML is evil!
! Services not maintained as much as they ought to
! Services contain vulnerabilities
! Services that are public facing
! Information Disclosure
! Server Side Request Forgery
! Denial of Service

Real World Example - Reauthentication
App
Reauthe
ntication
Login
POST
back
App

Billion Laughs - Risks
! DoS without DDoS
! Only a few requests can cause CPU spikes
! With Auto Scaling Groups this could be expensive

Billion Laughs - Mitigation
! Upgrade to OpenSAML 3.3
! Unfortunately, as the API for OpenSAML changed
significantly, that wasn't just a matter of changing
dependencies but rewriting the SAML generation code
from scratch.
! Dependency Scanning

Hiding XXE in Spreadsheets
! XXE = XML eXternal Entity injection
! User-provided XML with external reference

Real World Example - Hiding XXE in Spreadsheets
App
Upload
ODS
Parse
Create
XML
Backend

Hiding XXE in Spreadsheets - Risks
! Steal your AWS
Keys - Keys to the
Kingdom
! Call internal APIs
! Turn you into a
Monero miner

Xerces Hash Collisions
! By uploading as few as 5 files with a size of 2MB each
simultaneously, I was able to cause a CPU load of 100%
for up to about a minute.
! Sustain this enough and it might cause a rather
inconvenient Denial of Service probably without being
caught by the traditional DDoS protections...

Xerces Hash Collisions - Risks
! DoS without DDoS
! Only a few requests can cause CPU spikes
! With Auto Scaling Groups this could be expensive
! You might be vulnerable without knowing
! Play 2.5 uses Xerces 2.11.0

Xerces Hash Collisions - Mitigations
! Upgrade Xerces (>=2.12.0)
! Dependency Scanning
! Do not trust requests

Security
! Know your inputs
! Know your dependencies
! Know about vulnerabilities
! XML can be a minefield

QUESTIONS?
https://www.equalexperts.com/services/security/

Thank You
United Kingdom
+44 203 603 7830
helloUK@equalexperts.com
Equal Experts UK Ltd
30 Brock Street
London NW1 3FG
India
+91 20 6607 7763
helloIndia@equalexperts.com
Equal Experts India Private Ltd
Office No. 4-C
Cerebrum IT Park No. B3
Kumar City, Kalyani Nagar
Pune, 411006
Canada
+1 403 775 4861
helloCanada@equalexperts.com
Equal Experts Devices Inc
205 - 279 Midpark way S.E. 
T2X 1M2 
Calgary, Alberta

Portugal
+351 211 378 414
helloPortugal@equalexperts.com
Equal Experts Portugal 
Avenida Dom João II, Nº35
Edificio Infante 11ºA
1990-083 Parque das Nações 
Lisboa – Portugal
Thank You
USA
 
+1 866-943-9737
helloUSA@equalexperts.com
Equal Experts Inc
1460 Broadway
New York
NY 10036

LinkedIn
linkedin.com/company/equal-experts
Twitter
@EqualExperts
Web
www.equalexperts.com

Más contenido relacionado

Similar a XML is Evil - OWASP Manchester May 2019

Web Application Security

MarketingArrowECS_CZ

Presented at All Things Open RTP Meetup Presented by Jarred Overson, CTO at Candle Title: WebAssembly & Zero Trust for Code Abstract: Zero Trust eliminated the notion that users, devices, or service could be inherently trusted within your company's network. Yet for some reason we default to trusting the dozens to even thousands of dependencies we import into our applications. These dependencies adopt the same privileges and access as the parent application and are prime targets for attackers. Malicious actors repeatedly seek and take over popular dependencies to gain a foothold into companies. This is not fear mongering, this is happening today. Millions of people – including our speaker – have unknowingly downloaded and run malicious code as part of their normal developer activities. This is a difficult problem without obvious solutions. WebAssembly gives us a new way of thinking about it. In this talk, Jarrod Overson illustrates how WebAssembly changes the game and can make our applications more secure while improving performance, reusability, and maintainability both on and off the browser.

WebAssembly & Zero Trust for Code

All Things Open

Virtualization is here to stay. Between the many competing technologies (VMWare, Xen, Oracle VM, Cloud Computing, etc) and the proven benefits (cost reductions, improved management, DR and HA) – virtualization is on the "Must Do" list for most IT organizations. However, questions remain. How does this affect my OTM deployment? Will it run? Will performance be affected? Will it be supported? Which technologies are best to base my architecture on? What pitfalls are out there that I can avoid? What are the best practices for deployment? These and many other questions will be covered as Chris Plough shares many of the lessons learned while testing and deploying OTM with multiple clients and within MavenWire's Hosting Architecture. Presented by Chris Plough at MavenWire.

Virtualizing OTM - Real World Experiences and Pitfalls

MavenWire

Open Source Security

Sander Temme

ESXpert strategies VMware vSphere

Concentrated Technology

Website hacking and prevention (All Tools,Topics & Technique )

Jay Nagar

Java was built from the ground up with security clearly in mind and is now the engine powering a huge number of business-critical systems. With this visibility and opportunity come attacks, and this session goes through the state of security in Java in 2013 and discusses some of the attack vectors. It presents a couple of real-world examples and also addresses the real-world challenges in getting security fixes out quickly. Finally, it touches on hardware cryptography. Come learn more about the reality of security today and take away a better awareness of exactly how Java helps protect you.

Security in the Real World - JavaOne 2013

MattKilner

Enterprise software teams are starting to understand and embrace the power of Node.js. They face a serious challenge: integrating Node.js into the legacy systems they maintain, and migrating these system over time into Node.js architectures. This talk is a pathfinder for those facing this task. As a community we must proactively engage with the Java and .Net communities, and create a deeper understanding of the "Node.js Way".

Richardrodger nodeday-2014-final

Richard Rodger

This talk is an appeal to server-side JavaScript developers to make use of this time of change - Node.js is going to become the primary server-side platform for most developers. We can move forward from the old way of building web apps as large inter-locking co-dependent code bases. The Node.js module system has shown us the way. It's the first step. Now, we need to use the beauty of Node modules to help us build robust, scalable apps. This approach is called the Micro-Services Architecture. It's more than just having some services with HTTP end-points. It's about taking this to the extreme. Everything is a service, and no service is larger than 100 lines of code. We've been using this approach for most of our projects for the last 18 months and it works really well. We get to drop loads of project management ceremony. There will be some customer war stories.

Richardrodger nodeday-2014-final

Richard Rodger

Web security-–-everything-we-know-is-wrong-eoin-keary

drewz lin

The Enemy On The Web

Bishan Singh

Analysis of web application worms and viruses

UltraUploader

Cloud computing revolutionized application design, and changed the way people think about infrastructure. The rise of cloud computing coincided with a new generation of applications and services that required scale. New architecture and design had to take into account low latency network connectivity, geographic distribution, large real-time data stores, the ability to meet demand (while not knowing exactly how much demand to handle), and so much more. We refer to this as Internet Scale. Yet most discussion of scale and cloud revolves around compute as virtualized instances, which have defined configurations and constrained options. Delivering on the promise of Internet Scale involves substantial upfront design, and a comprehensive understanding of the entire architecture - from the underlying hardware, to the operating system, the application stack, services, and deployment. And, it involves choice - choices you should make based on your requirements. Join us for a discussion on the many facets of Internet Scale, and how it can apply to your applications and services.

Internet Scale Architecture

RightScale

What is-flame-miniflame

Venafi

Is the Web at Risk?

Carlos Serrao

Virtualization Techniques & Cloud Compting

Ahmed Mekkawy

Pentesting With Web Services in 2012

Ishan Girdhar

AWS vs. Azure

Rob Gillen

External XML Entities

William McKelphin

Decoupled cms sunshinephp 2014

Lukas Smith

Similar a XML is Evil - OWASP Manchester May 2019 (20)

Web Application Security

WebAssembly & Zero Trust for Code

Virtualizing OTM - Real World Experiences and Pitfalls

Open Source Security

ESXpert strategies VMware vSphere

Website hacking and prevention (All Tools,Topics & Technique )

Security in the Real World - JavaOne 2013

Richardrodger nodeday-2014-final

Web security-–-everything-we-know-is-wrong-eoin-keary

The Enemy On The Web

Analysis of web application worms and viruses

Internet Scale Architecture

What is-flame-miniflame

Is the Web at Risk?

Virtualization Techniques & Cloud Compting

Pentesting With Web Services in 2012

AWS vs. Azure

External XML Entities

Decoupled cms sunshinephp 2014

Último

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

ICT role in 21st century education and its challenges

rafiqahmad00786416

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

DBX First Quarter 2024 Investor Presentation

Dropbox

Real Time Object Detection Using Open CV

Khem

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

XML is Evil - OWASP Manchester May 2019

1. Gerald Benischke Software Engineer XML is Evil

2. Making Software. Better. Simple solutions to big business problems. Equal Experts is a network of talented, experienced, software consultants, specialising in agile delivery.

3. The network I’m part of the Equal Experts network, a community of highly-experienced software professionals. At Equal Experts we’re given the freedom to get on with what’s important - delivering better software for our clients’ customers.

4. XML is evil! ! Services not maintained as much as they ought to ! Services contain vulnerabilities ! Services that are public facing ! Information Disclosure ! Server Side Request Forgery ! Denial of Service

5. Billion Laughs

6. Real World Example - Reauthentication App Reauthe ntication Login POST back App

7. Billion Laughs - Real World Example

8. Dependency Checking

9. Billion Laughs - The Attack

10. Billion Laughs - Real World Example

11. Billion Laughs - Risks ! DoS without DDoS ! Only a few requests can cause CPU spikes ! With Auto Scaling Groups this could be expensive

12. Billion Laughs - Mitigation ! Upgrade to OpenSAML 3.3 ! Unfortunately, as the API for OpenSAML changed significantly, that wasn't just a matter of changing dependencies but rewriting the SAML generation code from scratch. ! Dependency Scanning

13. Hiding XXE in Spreadsheets

14. Hiding XXE in Spreadsheets ! XXE = XML eXternal Entity injection ! User-provided XML with external reference

15. Real World Example - Hiding XXE in Spreadsheets App Upload ODS Parse Create XML Backend

16. Hiding XXE - Real World Example

17. Hiding XXE in Spreadsheets - Risks ! Steal your AWS Keys - Keys to the Kingdom ! Call internal APIs ! Turn you into a Monero miner

18. Hiding XXE in Spreadsheets - Mitigation

19. Xerces Hash Collisions

20. Xerces Hash Collisions

21. Xerces Hash Collisions

22. Xerces Hash Collisions

23. Xerces Hash Collisions ! By uploading as few as 5 files with a size of 2MB each simultaneously, I was able to cause a CPU load of 100% for up to about a minute. ! Sustain this enough and it might cause a rather inconvenient Denial of Service probably without being caught by the traditional DDoS protections...

24. Hiding XXE in Spreadsheets

25. Xerces Hash Collisions - Risks ! DoS without DDoS ! Only a few requests can cause CPU spikes ! With Auto Scaling Groups this could be expensive ! You might be vulnerable without knowing ! Play 2.5 uses Xerces 2.11.0

26. Xerces Hash Collisions - Mitigations ! Upgrade Xerces (>=2.12.0) ! Dependency Scanning ! Do not trust requests

27. Summary

28. Security ! Know your inputs ! Know your dependencies ! Know about vulnerabilities ! XML can be a minefield

29. QUESTIONS? https://www.equalexperts.com/services/security/

30. Thank You United Kingdom +44 203 603 7830 helloUK@equalexperts.com Equal Experts UK Ltd 30 Brock Street London NW1 3FG India +91 20 6607 7763 helloIndia@equalexperts.com Equal Experts India Private Ltd Office No. 4-C Cerebrum IT Park No. B3 Kumar City, Kalyani Nagar Pune, 411006 Canada +1 403 775 4861 helloCanada@equalexperts.com Equal Experts Devices Inc 205 - 279 Midpark way S.E.  T2X 1M2  Calgary, Alberta Portugal +351 211 378 414 helloPortugal@equalexperts.com Equal Experts Portugal  Avenida Dom João II, Nº35 Edificio Infante 11ºA 1990-083 Parque das Nações  Lisboa – Portugal Thank You USA   +1 866-943-9737 helloUSA@equalexperts.com Equal Experts Inc 1460 Broadway New York NY 10036 LinkedIn linkedin.com/company/equal-experts Twitter @EqualExperts Web www.equalexperts.com

XML is Evil - OWASP Manchester May 2019

Recomendados

Recomendados

Más contenido relacionado

Similar a XML is Evil - OWASP Manchester May 2019

Similar a XML is Evil - OWASP Manchester May 2019 (20)

Último

Último (20)

XML is Evil - OWASP Manchester May 2019