The MS-ISAC shares that its top 10 malware lineup for May 2022 remained consistent with the exception of Jupyter’s return.

Read More

XML External Entity (XXE) flaws present unique mitigation challenges and remain a common attack path. Learn how XXE flaws arise, why some common attack paths are so challenging to mitigate and how Tenable.io Web Application Scanning can help.

Modern applications have more and more tendencies to process data from user-supplied inputs, directly or indirectly. A side effect of this data processing opens the door for attackers to exploit XML External Entity, a complex vulnerability with many vectors.

An XXE is a web vulnerability that allows an attacker to interfere with a feature that performs XML processing. If exploited, it would allow an attacker to read files on the system and to interact with other systems with which the application itself can interact. An XXE attack can have devastating effects and is often considered critical.

Although XXE was ranked No. 4 in the 2017 OWASP Top 10 — and even had a category named after it — this vulnerability has lost some of its relevance in the intervening years as the libraries used to parse XML have become increasingly robust. The 2021 OWASP TOP 10 placed XXE at No. 5, however it is no longer a standalone category, as it was merged with the “Security Misconfiguration” category. This fusion of categories on the OWASP list reflects how an increasing reliance on third-party libraries and software to perform processing — and the lax configuration of these libraries — has become a leading cause of XXE vulnerabilities.

What is XXE?

XXE is a vulnerability that allows an attacker to abuse an application’s XML parser by sending a malicious document or by modifying a request that already contains XML.

XXE vulnerabilities are most commonly used to read files on a system. However, this vulnerability can also be exploited for Denial Of Services (DoS) or Server Side Request Forgery (SSRF) attacks.

An XXE can be used by an attacker to retrieve resources, such as configuration files containing credentials and other secrets, or to access internal services that may be sensitive. The exploitation of this vulnerability can therefore allow an attacker to pivot from XXE to SSRF.

Before understanding how to detect an XXE, it is important to understand the syntax of an XML envelope.

The XML envelope represents the payload sent. At the beginning of this envelope is the DOCTYPE which defines the set of rules and properties that the XML document must follow.

This is where an attacker can define either an internal or an external entity to be called.

An Internal Entity : If an entity is declared within a Document Type Definition (DTD) it is called an internal entity.

Syntax:

An External Entity: If an entity is declared outside a DTD it is called an external entity (Identified by SYSTEM).

Syntax:

While an external entity represents the heart of the operation, an internal entity is still the easiest way for an attacker — or a security practitioner — to detect a possible injection.

The exploitation of an XXE is mainly made possible due to DTDs which, in some cases, are activated by default.

Java seems to be the language that has the most libraries with DTDs enabled by default. In our experience, it’s common for an attacker to detect an XXE on a Java application using an XML parser (like Javax XML Bind library). In many other languages, DTDs must be explicitly activated. Many sites are therefore vulnerable due to a default configuration or because the site owner is unaware that the library in use enables this option by default.

How to detect XXE

In the following example, we show how an attacker using the internal entity will replace the content of the variable when the server parses the document.

This technique has no impact, it simply confirms that the DTDs are activated, but it can only work in the case where the server parsing the request returns a response to the user.

The complexity of an XXE lies in the many possible, and sometimes exotic, injection points.

A page that allows a user to send a Microsoft Office document, for example, is the kind of thing that immediately alerts an attacker to the possible presence of the vulnerability.

Behind the extension ‘.docx’ or ‘.xlsx’ hides a simple zip archive containing many files in XML format.

In the above example, it would be enough for an attacker to modify the file “xl/workbook.xml” to add your XXE payload then to recompress the files in zip with the extension .xslx.

The payload would be executed during the processing of the XML file(s).

Other less logical cases can, however, be present. On a file upload, for example, it is often common for an attacker to try to exploit this feature by sending an arbitrary file allowing them to trigger Cross-Site Scripting (XSS) or upload a WebShell.

But, in the case of a photo (taken directly from a camera or a smartphone), an application could try to parse the Extensible Metadata Platform (XMP) data of the image, which is actually XML, and can therefore also contain a payload.

Three common exploits for XXE

XXE provides attackers with multiple exploitation options. Three examples of common attack paths are:

Read arbitrary files on a server

Direct output in the target application response
Via an out-of-band interaction (blind injection)

Perform a DoS
Perform a SSRF through XXE

Read arbitrary files on a server

Going back to our example above, now that an attacker has confirmed the injection, they can try to read arbitrary files on the server.

We define an external entity identified by the SYSTEM directive and the payload ‘file:///etc/passwd’, which will be executed when parsing the XML document. The end result is that the contents of the file in the payload will be returned to the user. An attacker could exploit this vulnerability in order to read configuration files that could allow them to obtain additional access in order to compromise an organization.

An alternative to this technique is to force an error in the application’s XML parser to make it display the contents of a file.

An attacker would force the third party application to load an external DTD that contains the malicious payload, which will force an error in the application by asking it for a file that does not exist.

When the error is displayed, the application will show the contents of the file requested by the attacker.

One common mitigation technique is to apply a strict network filtering to prevent outbound connections. It’s a technically complicated technique; without diving into the details in this post, suffice to say it is possible to use a DTD already present on the system. For example, using software such as Tomcat, VMWare or Nmap, it will then be possible to call it in our payload and redefine on the fly parameters inside the loaded DTD.

In this example, our vulnerable machine has Nmap installed which includes the “/usr/share/nmap/nmap.dtd” file, which can be used for the attack.

We can also use the “out-of-band” (blind) technique in order to retrieve the content of a document and send it to an external server. This is useful in cases where the attacker is not able to solicit a response or error message from a server because the request is then processed by another service which returns a generic response.

Rather than confirming the possibility of injection with an internal entity, we will directly use an external entity and try to perform an HTTP call on our remote server.

Once confirmed, we will rely on the call of an external DTD which will contain the payload to execute.

The call to this external DTD will be executed by the server and will allow it to retrieve the content of a file and to send it to the attacker’s server.

Denial of Service

Denial of service via XXE is specifically called XML Entity Expansion because this attack takes advantage of calling several entities recursively.

As recursion is a costly operation at CPU level, the more entities are called, the longer the computation time will be.

The objective of the attack is to make a large number of recursive calls in order to crash the application or the server itself.

Example :

The entity “a2” recursively calls “a1” which itself calls “a0”. Through “a2” we call “a1” 15 times
The operation here is inexpensive in CPU time and is executed quickly causing no problems

Now “a6” calls “a5” which calls “a4” and so on recursively
The operation becomes expensive in CPU time and the application starts to have lag and takes time to respond

This attack is therefore very easy to automate to crash the server in a loop.

Server-Side Request Forgery

SSRF attacks have already been explained in a previous blog post, so without diving into technical details the important takeaway is that it is possible to perform an SSRF through XXE.

Instead of trying to read a file on the system, it is possible to specify the URL of an internal server in order to make the application perform a request to it.

When parsing the XML envelope, the server itself will make the request to the target server. An attacker can therefore have access to internal resources or folders that would not be available from the outside, like an internal vulnerable web application framework manager, which could lead to remote code execution (RCE).

Prevention and mitigation strategies

There are multiple best practices available to protect web applications and users in order to avoid vulnerabilities like XXE, but the safest way to prevent XXE is always to disable DTDs (External Entities) completely.

If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in the way that’s specific to each parser.

If this is not possible, it is necessary to put in place in-depth defense mechanisms such as:

Sanitize user-supplied inputs: In general, it is always recommended to filter user entries. If the web application can only send a request to identified and trusted applications, one possible countermeasure is to apply the allowlist approach. In the event that the applications in question are not known, input validation techniques can be added to ensure that the input string respects the expected format.

If possible, verify if the data received has the valid and expected format. When possible, validation should be done through available libraries, because regexes for complex formats are difficult to maintain and are error-prone.

Filter outgoing traffic to not allow loading of external DTDs.
Do not display application error messages to the user but rather display generic messages.

Use Tenable.io Web Application Scanning to detect XML External Entity flaws

Tenable.io Web Application Scanning helps identify XXE vulnerabilities through the classique scan & API scan feature, including the following dedicated plugins:

Plugin 98113 can detect generic XXE (Blind & Non blind) issues and helps identify commonly associated XXE vulnerabilities.
Plugins 98886, 98897 can detect various Apache SOLR XXE vulnerabilities.
Plugin 113199 can detect Jolokia is a JMX-HTTP bridge XXE vulnerability.

Get more information

Tenable.io Web App Scanning
OWASP – Server Side Request Forgery Prevention Cheat Sheet
All WAS XXE Plugins

All Icons are made by www.flaticon.com

Read More

Graham Cluley Security News is sponsored this week by the folks at SolCyber. Thanks to the great team there for their support! If the bad guys aren’t discriminating who they are attacking, how can your business settle for anything less than Fortune 500 level security? SolCyber has brought to market a new way to consume … Continue reading “How to get Fortune 500 cybersecurity without the hefty price tag”

Read More

Cyber now seen as most important component for adoption

Read More

Hartzbleed is a new side-channel attack that works against a variety of microprocressors. Deducing cryptographic keys by analyzing power consumption has long been an attack, but it’s not generally viable because measuring power consumption is often hard. This new attack measures power consumption by measuring time, making it easier to exploit.

The team discovered that dynamic voltage and frequency scaling (DVFS)—a power and thermal management feature added to every modern CPU—allows attackers to deduce the changes in power consumption by monitoring the time it takes for a server to respond to specific carefully made queries. The discovery greatly reduces what’s required. With an understanding of how the DVFS feature works, power side-channel attacks become much simpler timing attacks that can be done remotely.

The researchers have dubbed their attack Hertzbleed because it uses the insights into DVFS to expose­or bleed out­data that’s expected to remain private.

[…]

The researchers have already shown how the exploit technique they developed can be used to extract an encryption key from a server running SIKE, a cryptographic algorithm used to establish a secret key between two parties over an otherwise insecure communications channel.

The researchers said they successfully reproduced their attack on Intel CPUs from the 8th to the 11th generation of the Core microarchitecture. They also claimed that the technique would work on Intel Xeon CPUs and verified that AMD Ryzen processors are vulnerable and enabled the same SIKE attack used against Intel chips. The researchers believe chips from other manufacturers may also be affected.

Read More

Taiwanese manufacturer braced for twin threat

Read More

Russian cyber-criminals rented it out to other groups

Read More

This blog was written by an independent guest blogger.

Stop, look, listen; lock, stock, and barrel; “Friends, Romans, Countrymen…” The 3 Little Pigs; Art has 3 primary colors; photography has the rule of thirds; the bands Rush and The Police; the movie The 3 Amigos. On and on it goes – “Omne trium perfectum” – “Everything that comes in threes is perfect.”

While this article doesn’t provide perfection, we’ll focus on the top three API vulnerabilities (according to OWASP). OWASP’s international standard is important to read because it’s not only developed by professionals worldwide, but it’s also read by the threat actors who will take advantage of those vulnerabilities.

OWASP determines the risk of APIs based on the level of the API vulnerability’s Exploitability, Weakness Prevalence, Weakness Detectability, and Technical Impact. Therefore, the API Top 10 are in order of OWASP’s own risk methodology. Their risk method doesn’t consider the chance of materialization or the impact – that’s left up to each business. But these three are great places to start because they’ve affected large companies such as Peloton in 2021.

1. API1:2019 Broken Object Level Authorization (BOLA)

In this vulnerability, aka BOLA, APIs expose endpoints that handle object identifiers, which in turn allows visitors access to numerous resources. This attack is like Insecure Direct Object Reference (IDOR), where applications use user-supplied credentials to access objects. In the API sphere, BOLA is more accurate than IDOR – the problem is broken authorization over a sequence of API calls. Every call to a data source that uses user-provided input should include object level auth checks.

Here’s a simple example of how this works.

An API call has the following path: /customers/user/bob/profile. An attacker will attempt various names in place of “bob” to see what can be accessed, such as:

/customers/user/alice/profile

/customers/user/john/profile

Even if the name is replaced with long mixed characters, if those character sequences are sequential or otherwise guessable, the problem remains and is vulnerable.

Mitigation

Implement an authorization mechanism that relies on user policies and hierarchy.
Use an authorization mechanism to check if the logged-in user has authorization to perform the requested action on the record in every function that uses an input from the client to access a record in the database.
Use random and non-guessable values for record IDs.
Evaluate the authorization checks.

2. API2:2019 Broken User Authentication

When authentication mechanisms are implemented improperly, attackers can compromise authentication tokens or exploit implementation flaws by assuming other users’ identities.

A prominent example of this vulnerability is the 2021 Parler breach. Other factors came into play in the whole breach, but at least one endpoint did not require authentication, giving anyone who found it (and someone did) unhindered access to images.

Mitigation

Use industry-standard authentication and token generation mechanisms (and read the accompanying documentation).
Be aware of all the possible API authentication flows in the product or service (mobile/ web/deep links that implement one-click authentication/etc.).
Treat “forget password” endpoints as login endpoints in terms of brute force, rate limiting, and lockout protection.
Use the OWASP Authentication Cheat Sheet.
Implement multi-factor authentication wherever and whenever possible.
Check for weak passwords.
API keys should be used for client app authentication, but not user authentication.

3. API3:2019 Excessive Data Exposure

Developers, designers, and/or engineers may not take data sensitivity into consideration. They may favor using client-side filtering, which means that data is not filtered before reaching the user.

When testing, ask “What should the user know?” and display the minimum amount of data necessary.

Mitigation

Test or capture the API calls (using, e.g., Postman or OWASP ZAP) and look for “token” or “key” to see what it reveals.
Threat model the data to review the flow and data filtering.
Never depend on client-side filtering of sensitive data.
Review the API responses. Do they contain valid data?
Determine what data type is crossing the wire. Is it sensitive, confidential, PII, etc.? If it is, then it poses both security and privacy threats.

An important aspect of security and risk management is acknowledging that nothing is 100% secure or risk-free. There’s always a risk. One concept in self-defense is appearing hard to get. Someone who walks tall and confidently, has no visible jewelry or purse, and is not distracted is considered a much harder target for being accosted than someone who slumps, lazes along, has visible necklaces and bracelets, and is on the phone (distracted). The former doesn’t eliminate risk but presents a greatly reduced risk.

Securing APIs needs to move toward a confident posture and reduced risk model. Attackers are looking at the OWASP API Top 10 and other lists of common attack mechanisms, then applying those to their targets. An API that has missed any of these is at much greater risk than an organization that has addressed these, even if there are some other security issues (and there are always security issues). But if attackers have a difficult time making headway on a target, then it’s more likely that they’ll move on. A major challenge for organizations is that one never knows when or what attackers are doing, so staying on top of security maintenance is another challenge (think of it as job security). One way to become better acquainted with API security is to examine the fundamental aspects.

Focusing efforts on a few high-risk items won’t solve all the vulnerabilities, but that focus provides immediate guidance for engineering, developers, security, and privacy teams. In turn, this provides a roadmap for projects and tasks and prevents any appearance of negligence. These active and engaged responses to known vulnerabilities increase service security and customer trust.

Read More

Cryptojacking definition

Cryptojacking is the unauthorized use of someone else’s compute resources to mine cryptocurrency. Hackers seek to hijack any kind of systems they can take over—desktops, servers, cloud infrastructure and more—to illicitly mine for crypto coins.

Regardless of the delivery mechanism, cryptojacking code typically works quietly in the background as unsuspecting victims use their systems normally. The only signs they might notice is slower performance, lags in execution, overheating, excessive power consumption, or abnormally high cloud computing bills.

How cryptojacking works

Coin mining is a legitimate process in the cryptocurrency world that releases new cryptocurrency into circulation. The process works by rewarding currency to the first miner who solves a complex computational problem. That problem completes blocks of verified transactions that are added to the cryptocurrency blockchain.

To read this article in full, please click here

Read More

MongoDB CISO Lena Smart wants to make a good impression on prospective employees.

So she’s attentive to what goes into the ads she posts when seeking to hire.

“I think people forget that these are the first introductions that many candidates have to their companies, and first impressions matter,” she says.

That may matter more today than ever before, given how much movement there is in the labor market overall and, more specifically, how fierce competition is for cybersecurity talent.

Of course, writing a compelling job posting isn’t an exact science, but Smart seems to have a knack for it. Even in this employee-driven market, one of her recent openings attracted 1,000 applicants.

To read this article in full, please click here

Read More