Re: Security Testing of System containing XML files communicating via HTTP

AMahmood (Message 1 of 2)

Security Testing of System containing XML files communicating via HTTP

Hello,

 

I have just been assigned to explore the WebInspect tool to do security testing of a system which comprises XML files sent/received over HTTP. Is it possible to do so?

As I am new to this tool, I need you guys to explain in some detail (i.e. steps) how I could do this task. I have version 9.20.

If WebInspect is not the right option, then please suggest a tool which can be useful to perform security testing of such a system.

 

Thanks,

 

Aqeel Mahmood

JerrySullivan (Message 2 of 2)

Re: Security Testing of System containing XML files communicating via HTTP

Hello,

 

WebInspect will attack any XML or JSON (JavaScript Object Notation) payload in HTTP requests found during attack surface discovery (the automatic crawl, workflow, manual crawl, etc.) when the payload is found:

1. as a query parameter value,
2. as a POST parameter value,
3. as the body of a POST, or
4. in SOAP requests.

 

When an XML or JSON payload is attacked, each data value is attacked.

 

When a SOAP payload is attacked, each SOAP method parameter is attacked.

 

This behavior is the default behavior in 9.2 and later releases so no configuration is required. The XML and JSON payloads will be attacked if they are found in the attack surface.

 

For example, if the following request with XML body is found in the attack surface:

 

POST /api/RPC2 HTTP/1.1
Host: plant.blogger.com
Content-Type: text/xml

<?xml version='1.0'?>
<methodCall attrib='a'>
<methodName>blogger.newPost</methodName>
<params>
<param1>
<value>
<string>APP_KEY</string>
</value>
</param1>
<param2>
<value>
<string>BLOG_ID</string>
</value>
</param2>
<param3>
<value>
<string>USERNAME</string>
</value>
</param3>
<param4>
<value>
<string>PASSWORD</string>
</value>
</param4>
<param5>
<value>
<string>ENTRY_TEXT</string>
</value>
</param5>
<param6>
<value>
<boolean>PUBLISH</boolean>
</value>
</param6>
</params>
</methodCall>

 

The parameters with the following XPaths are attacked:

 

"/methodCall/@attrib"
"/methodCall/methodName"
"/methodCall/params/param1/value/string"
"/methodCall/params/param1/value"
"/methodCall/params/param1"
"/methodCall/params/param2/value/string"
"/methodCall/params/param2/value"
"/methodCall/params/param2"
"/methodCall/params/param3/value/string"
"/methodCall/params/param3/value"
"/methodCall/params/param3"
"/methodCall/params/param4/value/string"
"/methodCall/params/param4/value"
"/methodCall/params/param4"
"/methodCall/params/param5/value/string"
"/methodCall/params/param5/value"
"/methodCall/params/param5"
"/methodCall/params/param6/value/boolean"
"/methodCall/params/param6/value"
"/methodCall/params/param6"
"/methodCall/params"

 

Similarly, if the following request with JSON body is found in the attack surface:

 

POST /api/RPC2 HTTP/1.1
Host: plant.blogger.com
Content-Type: application/json

{
"params":[{
"sid":"090ab87de72571d978186cfddb390001",
"ticket_id":"",
"subject":"this is the subject",
"body":"this is the body\r\nblah blah\r\n&nbsp;",
"body_html":"<P><FONT face=Arial size=1></FONT>this is the body</P>\r\n<P>blah blah</P>\r\n<P><BR>&nbsp;</P>",
"to":"spiascuser@gmail.com",
"priority":50,
"custom":{
"Field 1":"v1",
"Field 2":1.2,
"F3":[999,"zzz"]}}],
"method":"replyMail",
"push":[1,2,3],
"pop":["a","b",[{"x":"1"},5,6]]
}

 

The parameters with the following JPATHs are attacked:

 

"$.params"
"$.params[0].sid"
"$.params[0].ticket_id"
"$.params[0].subject"
"$.params[0].body"
"$.params[0].body_html"
"$.params[0].to"
"$.params[0].priority"
"$.params[0].custom"
"$.params[0].custom.Field 1"
"$.params[0].custom.Field 2"
"$.params[0].custom.F3"
"$.params[0].custom.F3[0]"
"$.params[0].custom.F3[1]"
"$.method"
"$.push"
"$.push[0]"
"$.push[1]"
"$.push[2]"
"$.pop"
"$.pop[0]"
"$.pop[1]"
"$.pop[2][0].x"
"$.pop[2][1]"
"$.pop[2][2]"

 

These examples show the data payload as the body of an HTTP POST request. The data payload would also be attacked in the same way if it was the value of an HTTP POST or query parameter.

 

I hope this answers your question.

 

Jerry Sullivan

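The lists in the answer above are what a scanner derives when it walks a structured body and treats every node as a separate injection point. The following script is an added example (not code from the original post, and not WebInspect's own implementation): it rebuilds the XPath and JSONPath lists from the two sample bodies in the post, using a walk order inferred from those lists, and then shows the second half of the job, producing one mutated body per attack point with a probe string substituted at that location. The helper names, the probe value and the walk rules are this example's assumptions.

```python
"""Enumerate attack points in XML and JSON request bodies and build one
mutated body per point, as a scanner does before sending its checks.

Added example, not from the original post or from HP/WebInspect. The walk
orders below are inferred from the path lists in the answer above:
  XML : a node's attributes first, then each child's subtree, then the child
        itself (post-order); the document element is not listed.
  JSON: every object member is listed before its contents; array elements
        are listed only when scalar, container elements are descended into
        without being listed.
"""
import json
import xml.etree.ElementTree as ET

# Sample XML body from the post. The declaration must be the first byte:
# ElementTree rejects leading whitespace before "<?xml".
XML_BODY = (
    "<?xml version='1.0'?>\n"
    "<methodCall attrib='a'>\n"
    "<methodName>blogger.newPost</methodName>\n"
    "<params>\n"
    "<param1><value><string>APP_KEY</string></value></param1>\n"
    "<param2><value><string>BLOG_ID</string></value></param2>\n"
    "<param3><value><string>USERNAME</string></value></param3>\n"
    "<param4><value><string>PASSWORD</string></value></param4>\n"
    "<param5><value><string>ENTRY_TEXT</string></value></param5>\n"
    "<param6><value><boolean>PUBLISH</boolean></value></param6>\n"
    "</params>\n"
    "</methodCall>"
)

# Sample JSON body from the post (dict order is preserved on serialisation).
JSON_BODY = json.dumps({
    "params": [{
        "sid": "090ab87de72571d978186cfddb390001",
        "ticket_id": "",
        "subject": "this is the subject",
        "body": "this is the body\r\nblah blah\r\n&nbsp;",
        "body_html": "<P><FONT face=Arial size=1></FONT>this is the body</P>"
                     "\r\n<P>blah blah</P>\r\n<P><BR>&nbsp;</P>",
        "to": "spiascuser@gmail.com",
        "priority": 50,
        "custom": {"Field 1": "v1", "Field 2": 1.2, "F3": [999, "zzz"]},
    }],
    "method": "replyMail",
    "push": [1, 2, 3],
    "pop": ["a", "b", [{"x": "1"}, 5, 6]],
})


def xml_attack_points(xml_text):
    """Return XPath-style locations in the order shown in the post."""
    root = ET.fromstring(xml_text)
    points = []

    def walk(elem, path):
        for name in elem.attrib:                 # attributes first
            points.append(f"{path}/@{name}")
        for child in elem:                       # namespaced tags show as {uri}local
            child_path = f"{path}/{child.tag}"
            walk(child, child_path)              # subtree before the node itself
            points.append(child_path)

    walk(root, f"/{root.tag}")
    return points


def json_attack_points(json_text):
    """Return (JSONPath, key-list) pairs in the order shown in the post."""
    points = []

    def walk(node, path, keys):
        if isinstance(node, dict):
            for k, v in node.items():            # member listed, then its contents
                points.append((f"{path}.{k}", keys + [k]))
                walk(v, f"{path}.{k}", keys + [k])
        elif isinstance(node, list):
            for i, v in enumerate(node):
                if isinstance(v, (dict, list)):  # container element: descend only
                    walk(v, f"{path}[{i}]", keys + [i])
                else:                            # scalar element: listed
                    points.append((f"{path}[{i}]", keys + [i]))

    walk(json.loads(json_text), "$", [])
    return points


def inject_xml(xml_text, xpath, probe):
    """Re-parse the body and put `probe` at `xpath` (attribute or element text)."""
    root = ET.fromstring(xml_text)
    _, _, rel = xpath.split("/", 2)              # "/methodCall/a/b" -> "a/b"
    if "@" in rel:
        elem_path, attr = rel.rsplit("@", 1)     # "a/b/@n" -> ("a/b/", "n")
        elem_path = elem_path.strip("/")
        target = root.find("./" + elem_path) if elem_path else root
        target.set(attr, probe)
    else:                                        # on a container this sets leading text
        root.find("./" + rel).text = probe
    return ET.tostring(root, encoding="unicode")


def inject_json(json_text, keys, probe):
    """Re-parse the body and put `probe` at the node addressed by `keys`."""
    doc = json.loads(json_text)
    parent = doc
    for k in keys[:-1]:
        parent = parent[k]
    parent[keys[-1]] = probe
    return json.dumps(doc)


def build_probes(probe="' OR 1=1--"):
    """One mutated body per attack point, keyed by path: the request set a
    scanner would send for a single check against these two bodies."""
    xml = {p: inject_xml(XML_BODY, p, probe) for p in xml_attack_points(XML_BODY)}
    js = {p: inject_json(JSON_BODY, k, probe) for p, k in json_attack_points(JSON_BODY)}
    return xml, js


if __name__ == "__main__":
    for p in xml_attack_points(XML_BODY):
        print(p)
    for p, _ in json_attack_points(JSON_BODY):
        print(p)
    xml_probes, json_probes = build_probes()
    print(xml_probes["/methodCall/params/param4/value/string"])
    print(json_probes["$.pop[2][0].x"])
```

Running it prints the same 21 XPaths and 25 JSONPaths as the answer, then two of the mutated bodies. The point worth noticing is how much the request count grows: one check with one probe already means 46 requests for these two bodies, and a policy with many checks multiplies that, which is why scan time on XML- or JSON-heavy APIs depends mostly on how many distinct request shapes the crawl discovered.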
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation