Lesson Plan Title: How to Perform XML Injection Attacks.

Concept / Topic To Teach:

This lesson teaches how to perform XML Injection attacks.

How the attack works:

AJAX applications use XML to exchange information with the server. Because this XML passes through the client, an attacker can intercept and alter it, for example with an intercepting proxy, and the application must not treat it as trustworthy.

General Goal(s):

WebGoat-Miles Reward Miles shows all the rewards available. Once you've entered your account ID, the lesson will show you your balance and the products you can afford. Your goal is to try to add more rewards to your allowed set of rewards. Your account ID is 836239.

Figure 1 AJAX Security - XML Injection

Solution:

To understand the behavior of the AJAX application, enter your account number 836239 and intercept the HTTP Request and HTTP Response using WebScarab.

Figure 2 Enter account number

Figure 3 Intercepted HTTP Request

Figure 4 Intercepted HTTP Response

From the HTTP Response you can see that you get back an XML message with the rewards for your account:

<root>
  <reward>WebGoat t-shirt 20 Pts</reward>
  <reward>WebGoat Secure Kettle 50 Pts</reward>
  <reward>WebGoat Mug 30 Pts</reward>
</root>

What happens if you intercept this HTTP Response and update the XML message to become:

<root>
  <reward>WebGoat t-shirt 20 Pts</reward>
  <reward>WebGoat Secure Kettle 50 Pts</reward>
  <reward>WebGoat Mug 30 Pts</reward>
  <reward>WebGoat Core Duo Laptop 2000 Pts</reward>
  <reward>WebGoat Hawaii Cruise 3000 Pts</reward>
</root>

Figure 5 Changed XML response

You need to do this three times!

Figure 6 Injected XML results

Figure 7 Select your reward

Select the Laptop and the Cruise and click "Submit".

Figure 8 Lesson completed
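
As an added example (not part of this solution or of WebGoat's own code), the Python script below reproduces the data flow of the lesson and shows the server-side check that defeats it: the reward list the server sends is only a display hint, so the redemption handler must re-derive the allowed set from the account's balance on the server rather than trust whatever the page submits. The reward names and point values are those from the intercepted response; the catalogue dictionary, the account balance of 100 points and all function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed catalogue: names and point values as shown in the lesson's XML;
# the dictionary itself is an assumption for this example.
CATALOGUE = {
    "WebGoat t-shirt": 20,
    "WebGoat Secure Kettle": 50,
    "WebGoat Mug": 30,
    "WebGoat Core Duo Laptop": 2000,
    "WebGoat Hawaii Cruise": 3000,
}

# Constructed account table: the lesson's account ID with an assumed balance
# that covers the three rewards in the real response but not the other two.
ACCOUNTS = {"836239": 100}


def affordable_rewards(account_id):
    """Authoritative, server-side list of rewards the account can afford."""
    balance = ACCOUNTS[account_id]
    return [name for name, pts in CATALOGUE.items() if pts <= balance]


def rewards_xml(account_id):
    """Build the <root><reward>...</reward></root> message the AJAX client receives."""
    root = ET.Element("root")
    for name in affordable_rewards(account_id):
        ET.SubElement(root, "reward").text = f"{name} {CATALOGUE[name]} Pts"
    return ET.tostring(root, encoding="unicode")


def inject_rewards(xml_text, extra_names):
    """Model the altered response from the lesson: extra <reward> elements
    appended while the message sits in the intercepting proxy."""
    root = ET.fromstring(xml_text)
    for name in extra_names:
        ET.SubElement(root, "reward").text = f"{name} {CATALOGUE[name]} Pts"
    return ET.tostring(root, encoding="unicode")


def parse_rewards_xml(xml_text):
    """Client-side view: reward names as the page would render them
    ("WebGoat Mug 30 Pts" -> "WebGoat Mug")."""
    root = ET.fromstring(xml_text)
    return [r.text.strip().rsplit(" ", 2)[0] for r in root.findall("reward")]


def redeem_vulnerable(account_id, selected):
    """Trusts the submitted selection: any reward the page listed can be claimed."""
    return {"granted": list(selected), "rejected": []}


def redeem_hardened(account_id, selected):
    """Ignores what the client displayed and re-checks every selection against
    the server's own affordable set; anything outside it is rejected."""
    allowed = set(affordable_rewards(account_id))
    granted = [s for s in selected if s in allowed]
    rejected = [s for s in selected if s not in allowed]
    return {"granted": granted, "rejected": rejected}


if __name__ == "__main__":
    legit = rewards_xml("836239")
    tampered = inject_rewards(legit, ["WebGoat Core Duo Laptop", "WebGoat Hawaii Cruise"])
    # The user picks the two injected rewards, as in the lesson's final step.
    choice = ["WebGoat Core Duo Laptop", "WebGoat Hawaii Cruise"]
    print("client sees:", parse_rewards_xml(tampered))
    print("vulnerable: ", redeem_vulnerable("836239", choice))
    print("hardened:   ", redeem_hardened("836239", choice))
```

The hardened handler never reads the reward list back from the client; it recomputes it from the account record and treats the submitted names purely as a selection to be validated. A rejected entry for an account whose own response never contained that reward is also a useful signal to log, since it can only arise from a modified page or response.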

Solution by Erwin Geirnaert ZION SECURITY