... opportunities lead to many vulnerabilities: – Adobe (@agarri_fr, spasibo). – PostgreSQL (@d0znpp), PHP, Java.
Alexey Osipov. XML Out-Of-Band Data Retrieval ... Security tools and Proof of Concepts developer. • SCADA .... C
XML Out-Of-Band encoding="utf-8"?> ]> &title;
local_file.xml:
XXE attacks restrictions
• XML parser reads only valid xml documents
– No binary =( (http://www.w3.org/TR/REC-xml/#CharClasses)
– Malformed first string (no encoding attribute) (Some parsers)
– But we have wrappers!
• Resulting document should also be valid
– No external entities in attributes
ENTITIES IN ATTRIBUTES
System entities restrictions bypass within attributes
Well-formed constraint:
– No External Entity References
• So, this is not possible, right? ">
Pattern validation
DEMO
OUT-OF-BAND ATTACK
XXE attacks restrictions
Server-side in general (except Adobe XXE SOP bypass)
XXE OOB
XXE OOB
What other OOB communication techniques are present?
DNS exfiltration via SQL Injection (@stamparm)
UTL_HTTP.REQUEST
xp_fileexist
Dblink
LOAD_FILE
XXE OOB %remote; %int; %trick;]> Evil.xml
XXE OOB DTD Parsing, SYSTEM reading
Attacker
XML
Server
PROFIT!
Parsing restrictions
• Besides the restrictions on all entities there are also new ones
• “PEReferences forbidden in internal subset” (c) XML Specification
– So we should be able to read some external resource (local or remote)
– Wrappers
Parsing restrictions
• Quotes are blocking definition of entities
– One should try single/double quotes when defining entity
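A defender-side check for the DTD constructs these slides rely on, as an added example that is not from the original deck: it uses Python's expat bindings (not one of the three parsers compared here) to report DOCTYPE and entity declarations without resolving anything external. The sample documents, the collector.invalid host and the file path are constructed placeholders.

```python
import xml.parsers.expat as expat

# Constructed samples; hosts and paths are placeholders, nothing is fetched.
SAMPLE_PLAIN = b"<book><title>ok</title></book>"
SAMPLE_PE = (b'<?xml version="1.0"?>\n<!DOCTYPE r [\n'
             b'<!ENTITY % remote SYSTEM "http://collector.invalid/ext.dtd">\n'
             b'%remote;\n]>\n<r/>')
SAMPLE_GENERAL = (b'<!DOCTYPE r [<!ENTITY x SYSTEM '
                  b'"file:///constructed/sample.txt">]><r>&x;</r>')


def audit_xml(data):
    """Return DTD-related findings as tuples; an empty list means none."""
    findings = []
    parser = expat.ParserCreate()
    # Never load the external subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        findings.append(("entity", name, bool(is_pe), system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Record the reference and continue without opening the resource.
        findings.append(("external-ref", system_id))
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return findings


def accept(data):
    """Gate for untrusted input: reject malformed XML and any DTD use."""
    try:
        return audit_xml(data) == []
    except expat.ExpatError:
        return False


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_PE, SAMPLE_GENERAL):
        print(accept(sample), audit_xml(sample))
```

Rejecting every document that carries a DOCTYPE is stricter than blocking only external entities, and it is the simplest policy when the application never needs DTDs.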
XSLT OOB
• Depending on available features we can:
– Get non-xml data using the “unparsed-text” function
– Enumerate services/hosts with “*-available” functions
– With substring() we can craft a DNS hostname that will let us obtain some sensitive data via a malicious DNS request to our server
DEMO
Vectors
XML
WAT R U DOIN?
XML
STAHP!
SUMMARY
XXE OOB Profit
• Server-side
– Send file content over DNS/HTTP/HTTPs/Smb?
– Without error/data output
• Client-side products
– Nobody has ever tried to hack oneself ;)
– Lots of products…
Parsers diff – MS with System.XML
• Pros:
– URL-encodes query string for OOB technique
– Saves all line feeds in attributes
• Cons:
– Can’t read XML files without encoding declaration (we can still read Web.config .NET)
– No wrappers (except system-wide)
Parsers diff – Java Xerces
• Pros:
– Can read directories!
– Sends NTLM auth data
– Different wrappers
• Cons:
– Converts line feeds to spaces when inserting in attribute
– Can’t read multiline files with OOB technique
Parsers diff – libxml (PHP)
• Pros
– Wrappers! (expect://, data://) (http://www.slideshare.net/phdays/on-secure-application-of-php-wrappers)
– Most liberal parsing ???
• Cons
– Can’t read big files by default (>8Kb)
Parsers diff

                                     MS System.XML   Java Xerces                          Libxml (PHP)
External entity in attribute value   +               Line feeds are converted to spaces   +
OOB read multiline                   +               –                                    +
OOB read big files                   +               +                                    Option is often enabled
Directory listing                    –               +                                    –
Validating schema location           –               +                                    –
DEMO
Tools
XXE OOB Exploitation Toolset for Automation
• DNS knocking
• Vectors set
• HTTP Server
Tools
Metasploit module (special thnx2 @vegoshin)
• Vector set and HTTP server provided to you in your MSF ;-)
DEMO
Conclusions
• General ruination? ;-)
• Toolset
• New ideas for new vectors and applications