[WEB SECURITY] Bypassing XML schema validation

Andrew van der Stock vanderaj at greebo.net
Fri Mar 31 19:59:43 EST 2006

There are several ways I am aware of. DTD / XSD validation is not  
particularly granular, and often it is not performed. Even worse,  
because it's a lot of work to create, most programs I've reviewed, if  
they have a DTD or XSD do not have a particularly robust set of  
validations - usually "this node is a string", which is insufficient.

For example, the devs designing the DTD / XSD might:

a) not include sufficient robust details of *how* the schema works,  
so you can add additional nodes, like this:

<attribute name="foo">real value</attribute>
<attribute name="foo">attack</attribute>

This worked for me with a custom system a week ago. "Attack" was  
selected due to the XML parser in use (YMMV as to *which* node will  
be selected in XPath queries).

b) not include sufficient validation, and you can use that to inject  
bad strings with impunity:

<attribute name="foo">javascript:alert(document.cookie)</attribute>

Again, this worked for me less than a week ago.

c) Validation is rarely turned on, and even it is ... how many times  
has the DTD not been available to the XML processor? Try looking at  
your DTD URL and see if you can download it. If not, it's highly  
likely that the XML processor cannot either, and most processors give  
up validation at that stage and let the data through. Only Biztalk  
seems to stop processing in my experience. All of them go slow.

No exploit necessary.

I'm sure others will have more, but this is more than enough to get  
you started.


On 01/04/2006, at 11:26 AM, Chris Weber wrote:

> I was wondering if anyone has found any ways to actually bypass a  
> schema
> without having to actually swapping it out?
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2234 bytes
Desc: not available
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060401/5a33a72d/attachment.p7s>

More information about the websecurity mailing list