What You Didn't Know About XML External Entities Attacks

Wednesday, November 20 • 2:00 pm - 2:50 pm

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs), are a well-known source of potential security problems. Despite being publicly discussed for more than a decade, a significant percentage of software using XML remains vulnerable to malicious schemas and DTDs. This talk will describe a collection of techniques for exploiting XML external entities (XXE) vulnerabilities, some of which we believe are novel. These techniques can allow for more convenient file content theft, sending of arbitrary data to arbitrary internal TCP services, uploads of arbitrary files to known locations on a vulnerable system, as well as several possible denial of service attacks. We hope this talk will raise awareness about the overall risk associated with XXE attacks and will provide recommendations that developers and XML library implementors can use to help prevent these attacks.
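As an added example on the defensive side of what the abstract describes (not code from the talk or its speaker), a Python xml.sax configuration that rejects any DOCTYPE before its entities can be acted on and, as a second layer, never fetches external entities. The sample documents and the placeholder system identifier are constructed.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

class DtdRejected(ValueError):
    """Raised for any DOCTYPE; this service never expects one."""

class _StrictHandler(ContentHandler):
    """Collects element text and refuses any DTD before expat acts on it."""
    def __init__(self):
        super().__init__()
        self.texts = []

    # LexicalHandler hook: fires at <!DOCTYPE ...>, before any entity in it is used.
    def startDTD(self, name, public_id, system_id):
        raise DtdRejected(f"DOCTYPE for <{name}> rejected (system id {system_id!r})")

    # Remaining LexicalHandler callbacks that expat wires up; nothing to do.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

    def characters(self, content):
        self.texts.append(content)

def parse_strict(xml_bytes: bytes) -> str:
    """Parse untrusted XML and return its text content; any DTD aborts the parse."""
    parser = xml.sax.make_parser()
    handler = _StrictHandler()
    parser.setContentHandler(handler)
    parser.setProperty(property_lexical_handler, handler)
    # Second line of defence: never fetch external general/parameter entities.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.texts).strip()

def is_accepted(xml_bytes: bytes) -> bool:
    try:
        parse_strict(xml_bytes)
        return True
    except DtdRejected:
        return False

# Constructed samples (not from the talk); the second uses a placeholder system id.
BENIGN = b"<order><item>widget</item></order>"
WITH_DTD = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
            b"<order><item>&ext;</item></order>")
```

Rejecting the DOCTYPE outright is the simplest policy for services that never need DTDs; a rejected document should be logged as a parse failure so probing attempts show up in monitoring.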

Speaker:
Timothy Morgan

Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, and Oracle WebLogic Application Server. Tim develops and maintains several open source forensics tools as well as Bletchley, an application cryptanalysis tool kit. Tim presented a training course on application cryptanalysis at AppSecUSA 2012. He regularly gives technical talks on a variety of security topics to local special interest groups and at private training sessions.

As an application security specialist and researcher, Tim has been taking deep technical dives in security for over a decade. With extensive experience in the areas of network security, secure programming, and incident response, Tim works to secure his customers' environments through application penetration testing, training, and forensics investigations. His past security research has culminated in the release of several responsibly disclosed vulnerabilities in popular software products. Tim develops and maintains several open source digital forensics tools as well as Bletchley, an applied cryptanalysis toolkit.