XML Attack
这篇文章主要介绍如何利用XML的DOCTYPE属性进行恶意攻击和如何防范这类的攻击。
我们先看2个XML应用片段
场景1:在XML使用DTD
family.xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE family SYSTEM "family.dtd">
<family lastname="Smith">
<member memberid="m1">Sarah</member>
<member memberid="m2">Bob</member>
<member memberid="m3" mom="m1" dad="m2">Joanne</member>
<member memberid="m4" mom="m1" dad="m2">Jim</member>
</family>
family.dtd
<!ELEMENT family (member*)> <!ATTLIST family lastname CDATA #REQUIRED> <!ELEMENT member (#PCDATA)> <!ATTLIST member memberid ID #REQUIRED> <!ATTLIST member dad IDREF #IMPLIED> <!ATTLIST member mom IDREF #IMPLIED>
场景2:在一个XML中引用另一个XML
family.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE family [<!ENTITY other SYSTEM "other.xml">]>
<family lastname="Smith">
<member memberid="m1">Sarah</member>
<member memberid="m2">Bob</member>
<member memberid="m3" mom="m1" dad="m2">Joanne</member>
<member memberid="m4" mom="m1" dad="m2">Jim</member>
&other;
</family>
other.xml
<?xml version="1.0" encoding="UTF-8"?> <ok/>
Java解析代码示例:
public static void main(String[] arg) throws Exception {
InputStream is = this.getClass().getResourceAsStream("family.xml");
DefaultHandler handler = new DefaultHandler();
SAXParserFactory f = SAXParserFactory.newInstance();
f.setNamespaceAware(false);
SAXParser parser = f.newSAXParser();
parser.parse(is, handler);
}
在解析场景1和2中的family.xml时,若相关的文件的路径都正确,那么解析不会出现任何问题。若是场景1中family.dtd或者是场景2中的other.xml不存在时,我们就会发现解析时会出现如下异常:
Exception in thread "main" java.io.FileNotFoundException: /somepath/xxx/family.dtd (The system cannot find the file specified) at java.io.FileInputStream.open(Native Method) at java.io.FileInputStream.<init>(FileInputStream.java:106) at java.io.FileInputStream.<init>(FileInputStream.java:66) at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:70) at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:161) at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:653) at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1315) at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1252) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEntityReference(XMLDocumentFragmentScannerImpl.java:1906) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:3032) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205) at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522) at javax.xml.parsers.SAXParser.parse(SAXParser.java:395) at javax.xml.parsers.SAXParser.parse(SAXParser.java:198)
看到这个异常,你会想到什么?
在解析时它试图寻找family.dtd或者other.xml,那么我们是否可以用这个机制干点什么坏事
?
再看下面2个xml片段:
场景1更新:将dtd的地址指向http://badsite/attack/attack.jsp
<?xml version="1.0" standalone="no"?>
<!DOCTYPE family SYSTEM "http://badsite/attack/attack.jsp">
<family lastname="Smith">
<member memberid="m1">Sarah</member>
<member memberid="m2">Bob</member>
<member memberid="m3" mom="m1" dad="m2">Joanne</member>
<member memberid="m4" mom="m1" dad="m2">Jim</member>
</family>
场景2更新:将other.xml指向http://badsite/attack/attack.jsp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE family [<!ENTITY attack SYSTEM "http://badsite/attack/attack.jsp">]>
<family lastname="Smith">
<member memberid="m1">Sarah</member>
<member memberid="m2">Bob</member>
<member memberid="m3" mom="m1" dad="m2">Joanne</member>
<member memberid="m4" mom="m1" dad="m2">Jim</member>
&attack;
</family>
如果我们在去解析这2个xml片段,就会发现它会去访问http://badsite/attack/attack.jsp这个地址。此时想必你已经知道下一步该怎么做了吧。
那么如何防范这类破坏呢?
对于场景1,我们在解析xml时需要禁止加载额外的dtd和验证
f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
f.setFeature("http://xml.org/sax/features/validation", false);
验证标记默认是为False的。
对于场景2,目前我还没有找到比较好的方式,只能在解析式时禁止使用doctype定义——比较粗鲁了。
f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
这种方式对场景1也是适用的。
对于场景1和2继续做了如下5组测试
组合1:
f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE family [<!ENTITY attack SYSTEM "http://badsite/attack/attack.jsp">]>
<family lastname="Smith">
<member memberid="m1">Sarah</member>
<member memberid="m2">Bob</member>
<member memberid="m3" mom="m1" dad="m2">Joanne</member>
<member memberid="m4" mom="m1" dad="m2">Jim</member>
</family>
出现异常:
Exception in thread "main" java.lang.NullPointerException at com.sun.org.apache.xerces.internal.impl.dtd.XMLDTDProcessor.startDTD(XMLDTDProcessor.java:685) at com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:364) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.dispatch(XMLDocumentScannerImpl.java:1141) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.next(XMLDocumentScannerImpl.java:1090) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:977) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205) at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522) at javax.xml.parsers.SAXParser.parse(SAXParser.java:395) at javax.xml.parsers.SAXParser.parse(SAXParser.java:198)
组合2:
f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE family [<!ENTITY attack SYSTEM "http://badsite/attack/attack.jsp">]>
<family lastname="Smith">
<member memberid="m1">Sarah</member>
<member memberid="m2">Bob</member>
<member memberid="m3" mom="m1" dad="m2">Joanne</member>
<member memberid="m4" mom="m1" dad="m2">Jim</member>
</family>
则解析通过,且并未访问http://badsite/attack/attack.jsp恶意页面
组合3:
f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE family [<!ENTITY attack SYSTEM "http://badsite/attack/attack.jsp">]>
<family lastname="Smith">
<member memberid="m1">Sarah</member>
<member memberid="m2">Bob</member>
<member memberid="m3" mom="m1" dad="m2">Joanne</member>
<member memberid="m4" mom="m1" dad="m2">Jim</member>
&attack;
</family>
解析通过,但要求访问http://badsite/attack/attack.jsp,将返回结果写入到xml中
组合4:
f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE family [<!ENTITY attack SYSTEM "http://badsite/attack/attack.jsp">]>
<family lastname="Smith">
<member memberid="m1">Sarah</member>
<member memberid="m2">Bob</member>
<member memberid="m3" mom="m1" dad="m2">Joanne</member>
<member memberid="m4" mom="m1" dad="m2">Jim</member>
&attack;
</family>
解析失败,异常同组合1
组合5:
f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
<?xml version="1.0" standalone="no"?>
<!DOCTYPE family SYSTEM "http://badsite/attack/attack.jsp">
<family lastname="Smith">
<member memberid="m1">Sarah</member>
<member memberid="m2">Bob</member>
<member memberid="m3" mom="m1" dad="m2">Joanne</member>
<member memberid="m4" mom="m1" dad="m2">Jim</member>
</family>
无论设定 http://xml.org/sax/features/validation 与 http://apache.org/xml/features/nonvalidating/load-external-dtd 为True 或 False,解析都通过
综上:在解析xml时,忽略doctype定义是比较有效的方式。