Web Application Security
Re: Testing Webservices ASMX Aug 03 2012 02:02PM
Arvind (arvind doraiswamy gmail com)
Thanks Kevin... I didn't, no. Largely I kind of ran out of time. So when
I saw that I could not break out of the XML tags, I kind of gave up on
it. Are you saying though, even though you can't break out of tags, by
say closing them, you can still inject data using that string you
mentioned? How does it work? Is there a good read you could point me
to, by any chance?

Another thing that I forgot to mention (rather inexcusably) was that
I seemed to be able to close elements. So for example: If the tree was
like this:

<root><a1><a2>arvind</a2></a1></root>

...and 'arvind' was user controlled... I could do something like
arvind</a2></a1></root><xml script=blah blah..... ....

This seemed to give me hope; as in, I'd get an error message saying
stuff like this here - http://postimage.org/image/o8vb2m9k9/ . This
made me think that I was on track; but the fact that my tags kept
getting encoded put me off after a while.

Arvind

On Fri, Aug 3, 2012 at 7:19 PM, Wall, Kevin <Kevin.Wall (at) centurylink (dot) com [email concealed]> wrote:
> Arvind,
>
> Just wondering... did you try injecting via non-parsed data, as in
>
> <![CDATA[ evil_payload_here ]]>
>
> That will work a lot of times if all the web service is relying on
> for data validation is XML schema validation (which is rather common).
>
> That allows you to inject a payload of whatever you want wherever you
> want if all they are doing is schema validation.
>
> -kevin
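
Added example (not part of either post): a defender's view of the two behaviours discussed above, using the sample tree from the thread. It shows that an entity-escaped value and a CDATA-wrapped value leave the element structure unchanged and hand the service the same raw string, so a check on the parsed value is still needed. No XSD validation is run here; the assumption is a schema that types <a2> as a plain string, and the function names, allow-list rule and sample value are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample value containing markup characters (harmless placeholder).
SAMPLE = "arvind<b>x</b>"

# Allow-list for the <a2> field; the rule itself is an assumption of this example.
NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def build_request(value: str) -> str:
    """Sample tree from the thread, with the value entity-escaped by the client."""
    return f"<root><a1><a2>{escape(value)}</a2></a1></root>"


def build_request_cdata(value: str) -> str:
    """Same tree, with the value carried in a CDATA section instead."""
    # "]]>" would close the section early, so it is split across two sections.
    safe = value.replace("]]>", "]]]]><![CDATA[>")
    return f"<root><a1><a2><![CDATA[{safe}]]></a2></a1></root>"


def structure(xml_text: str) -> list:
    """Element names in document order: shows whether the tree shape changed."""
    return [el.tag for el in ET.fromstring(xml_text).iter()]


def parsed_value(xml_text: str) -> str:
    """The string the service code receives for <a2> after XML parsing."""
    return ET.fromstring(xml_text).findtext("./a1/a2") or ""


def is_valid_name(value: str) -> bool:
    """Application-level check on the parsed value, independent of the schema."""
    return NAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    for doc in (build_request(SAMPLE), build_request_cdata(SAMPLE)):
        value = parsed_value(doc)
        print(structure(doc), repr(value), "accepted:", is_valid_name(value))
        # Escape again wherever the value is written into XML or HTML output.
        print("encoded for output:", escape(value))
```

Both documents keep the three-element tree, which matches the encoding Arvind observed, yet both deliver the markup characters to the service unchanged; the allow-list check and the output encoding are what handle them.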
