This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "Testing for XML Content-Level (OWASP-WS-004)"

Jump to: navigation, search
(Reverting to last version not containing links to
Line 1: Line 1:
[ walrasian economy
] [ appriver encryption asia
] [ solutions to poverty in africa
] [ antivirus software tests
] [ auto site trader uk
] [ 2006 keygen pro v2.0.205.1 winantivirus
] [ indulge asian buffet belmont
] [ why do we have laws in australia] [ av antivirus free
] [ visa travel australia
] [ auto body repair step by step
] [ automotive lighting manufacturers
] [ grand theft auto vice city money cheat
] [ antivirus knowledge base
] [ merlin automotive
] [ pc magazine antivirus mcafee
] [ asia current issue
] [ spread trading south africa
] [ africa environmental issue
] [ asian camel toe picture
] [ african american heritage museum of southern
] [ commonwealth bank of australia netbank
] [ links] [ chase manhattan bank automotive finance
] [ panda titanium antivirus 2005 download
] [ english colonialism in africa
] [ asia business business guide guide india s
] [ submissive asian women
] [ poder y autoridad
] [ australian immigration acts
] [ australian national symbols
] [ auto turret
] [ ameatur asian college fingering herself
] [ http] [ the eastafrican standard
] [ antivirus mcafee download
] [ mcfee antivirus updates
] [ david bowie autographs
] [ avg antivirus full
] [ avg antivirus v7 1.384] [ country of africa picture
] [ sap jobs in australia
] [ usa embasy south africa
] [ maserati automaker first name
] [ trojan antivirus software
] [ top] [ how to call south africa from canada
] [ commonweath bank of australia
] [ trialware norton antivirus 2005
] [ symantech antivirus updates
[ africa agriculture map] [ 45 semi auto
] [ african american barbie party supplies
] [ asian eyelashes
] [ auto populate
] [ asianutten ficken foto geile
] [ asian roadshows
] [ australian search engines
] [ top] [ auto broker truck
] [ symantec antivirus 8
] [ norton antivirus and internet security and spyware
] [ url] [ ca etrust antivirus 2005
] [ auto puls
] [ south africa property listing
] [ tamilians in australia
] [ australian crystals
] [ index] [ cotlands south africa
] [ south african elephant
] [ australian lacewood
] [ link] [ us suppliers automobile parts manufactures
] [ bono africa
] [ british passport australian
] [ maps of old africa] [ missouri auto dealers association
] [ serengeti plains of africa] [ asian girl pictures
] [ domain] [ linux antivirus reviews
] [ american auto sales
] [ grand heft auto
] [ van tyle automotive group
] [ asian market stock
] [ winantiviruspro reviews
] [ symantec antivirus uninstall utility
] [ australian topographic maps] [ domain] [ kaspersky antivirus cracks
] [ value of autographed baseballs
] [ symantec antivirus client removal tool
] [ l'ampleur du sida sur le continent africain
] [ new antiviruses
] [ index] [ pennsylvania auto accident
] [ palm beach australia map
] [ etrust ez antivirus review  
{{Template:OWASP Testing Guide v3}}
{{Template:OWASP Testing Guide v3}}

Revision as of 15:59, 27 May 2009 OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Brief Summary

Content-level attacks target the server hosting a web service and any applications that are utilized by the service, including web servers, databases, application servers, operating systems, etc. Content-level attack vectors include 1) SQL Injection or XPath injection 2) Buffer Overflow and 3) Command Injection.

Description of the Issue

Web Services are designed to be publicly available to provide services to clients using the Internet as the common communication protocol. These services can be used to leverage legacy assets by exposing their functionality via SOAP using HTTP. SOAP messages contain method calls with parameters, including textual data and binary attachments, requesting the host to perform some function - database operations, image processing, document management, etc. Legacy applications exposed by the service may be vulnerable to malicious input that when previously limited to a private network was not an issue. In addition, because the server hosting the Web Service will need to process this data, the host server may be vulnerable if it is unpatched or otherwise unprotected from malicious content (e.g., plain text passwords, unrestricted file access).

An attacker can craft an XML document (SOAP message) that contains malicious elements in order to compromise the target system. Testing for proper content validation should be included in the web application-testing plan.

Black Box testing and example

Testing for SQL Injection or XPath Injection vulnerabilities

1. Examine the WSDL for the Web Service. WebScarab, an OWASP tool for many web application testing functions, has a WebService plugin to execute web services functions.


2. In WebScarab, modify the parameter data based on the WSDL definition for the parameter.


Using a single quote ('), the tester can inject a conditional clause to return true, 1=1 when the SQL or XPath is executed. If this is used to log in, if the value is not validated, the login will succeed because 1=1.

The values for the operation:

<userid>myuser</userid> <password>' OR 1=1</password>

could translate in SQL as: WHERE userid = 'myuser' and password = '' OR 1=1 and in XPath as: //user[userid='myuser' and password='' OR 1=1]

Result Expected:

A tester can then continue using the web service in a higher privilege if authenticated, or execute commands on the database.

Testing for buffer overflow vulnerabilities:

It is possible to execute arbitrary code on vulnerable web servers via a web service. Sending a specially-crafted HTTP request to a vulnerable application can cause an overflow, and allow an attacker to execute code. Using a testing tool like Metasploit or developing your own code, it is possible to craft a reusable exploit test. MailEnable Authorization Header Buffer Overflow is an example of an existing Web Service Buffer Overflow exploit, and is available from Metasploit as "mailenable_auth_header." The vulnerability is listed at the Open Source Vulnerability Database.

Result Expected:

Execution of arbitrary code to install malicious code.

Grey Box testing and examples

1. Are parameters checked for invalid content - SQL constructs, HTML tags, etc.? Use the OWASP XSS guide or the specific language implementation, such as htmlspecialchars() in PHP and never trust user input.

2. To mitigate buffer overflow attacks, check the web server, application servers, and database servers for updated patches and security (antivirus, malware, etc.).