Entries by AppSec Labs

XXE – iOS secure coding

libxml2
iOS includes the C/C++ libxml2 library described in the C/C++ secure coding examples, so that guidance applies if you are using libxml2 directly. However, the version of libxml2 provided up through iOS 6 is prior to version 2.9 of libxml2 (which protects against XXE by default).

NSXMLDocument
iOS also provides an NSXMLDocument type, which is built […]

XXE – Java secure coding

Java applications using XML libraries are particularly vulnerable to XXE because the default settings of most Java XML parsers leave XXE enabled. To use these parsers safely, you have to explicitly disable XXE in the parser you use. The following describes how to disable XXE in the most commonly used XML parsers for […]

XXE – .NET secure coding

Prior to .NET 4.0
In .NET Framework versions prior to 4.0, DTD parsing behavior for XmlReader and XmlTextReader is controlled by the Boolean ProhibitDtd property found in the System.Xml.XmlReaderSettings and System.Xml.XmlTextReader classes. Set these values to true to disable inline DTDs completely:

XmlReader
XmlReaderSettings settings = new XmlReaderSettings();
settings.ProhibitDtd = true; // Not explicitly needed […]

XXE – C/C++ secure coding

libxml2
The xmlParserOption flags passed to the parser should not include the following options:
XML_PARSE_NOENT // Expands entities and substitutes them with replacement text
XML_PARSE_DTDLOAD // Load the external DTD
Note: starting with libxml2 version 2.9, external entity resolution is disabled by default, as committed in the following patch: http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f. Code that explicitly passes XML_PARSE_NOENT or XML_PARSE_DTDLOAD turns it back on regardless of the library version, so the flags above still have to be checked.
Reference: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B

XXE Injection

Description
Different client technologies, such as Web, Mobile, Cloud and more, send messages to business applications using XML. In order for the application to work with these self-descriptive XML messages, it has to parse them and check that the format is correct. XML External Entity (XXE) attacks occur when the attacker declares an external entity […]
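The Java, .NET and libxml2 entries above all reduce to one control: the parser must not resolve external entities declared in a DOCTYPE. The following is an added example written for this page, not code from AppSec Labs or from any of the posts it lists. It shows the attack and the fix side by side using Python's standard-library xml.sax parser, whose feature_external_ges switch plays the same role as the explicit disable step the Java entry describes, the .NET ProhibitDtd property and the absence of XML_PARSE_NOENT in libxml2. The secret file, the XML message and the element names are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser emits, so we can see exactly what
    an application reading the message would receive."""

    def __init__(self):
        super().__init__()
        self._chunks = []

    def characters(self, content):
        self._chunks.append(content)

    def result(self):
        return "".join(self._chunks)


def build_xxe_message(secret_path):
    """Constructed attacker-controlled message: an external general entity that
    points at a local file and is referenced from an ordinary element."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE order [\n"
        f'  <!ENTITY xxe SYSTEM "file://{secret_path}">\n'
        "]>\n"
        "<order><name>&xxe;</name></order>"
    )


def parse_message(xml_text, resolve_external_entities):
    """Parse xml_text and return the text content the application would see.

    resolve_external_entities=True mirrors a parser with XXE enabled (the default
    of the Java/.NET/libxml2 parsers described above); False is the hardened setup.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # feature_external_ges decides whether SYSTEM entities are fetched and inlined.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.StringIO(xml_text))
    return handler.result()


def has_doctype(xml_text):
    """Pre-parse check: an application that never expects DTDs can reject any
    message carrying a DOCTYPE before it reaches the parser at all."""
    return "<!DOCTYPE" in xml_text


def demo():
    """Run the same message through both configurations; returns what each leaked."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db-password=hunter2")  # constructed secret for the demo
        secret_path = f.name
    try:
        message = build_xxe_message(secret_path)
        return {
            "vulnerable": parse_message(message, resolve_external_entities=True),
            "hardened": parse_message(message, resolve_external_entities=False),
            "doctype_flagged": has_doctype(message),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for config, seen in demo().items():
        print(f"{config}: {seen!r}")
```

With the feature on, the contents of the secret file come back inside the name element; with it off, the entity reference is dropped and the application sees an empty string. Current Python releases already default this feature to off, but setting it explicitly, as above, is the same discipline the Java and .NET entries ask for: never rely on a parser default you have not checked. The has_doctype check is the cheaper belt-and-braces option for applications that never need a DTD at all.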

Disable Excessive headers – Apache

Methods
1. To remove the Server header, follow these steps: Load the headers module (mod_headers) with a LoadModule line in the Apache httpd.conf file. After headers_module is loaded, set the following directives in httpd.conf: ServerSignature Off removes the version info from the error pages generated by the Apache web server (e.g. 403, 404, 502, etc.); ServerTokens Prod reduces the Server header to the product name only, i.e. Apache (on its own it does not remove the header). Restart the Apache service. 2. […]

Disable Excessive headers – IIS

Methods
1. Remove the Server header by adding the following code to the Global.asax.cs file in your project:
2. To remove the X-AspNet-Version header, set the following in the Web.config:
3. To remove the X-AspNetMvc-Version header, add the following line in the Application_Start event in Global.asax:
4. To remove the X-Powered-By header, set the following in the Web.config file:
5. To suppress […]

Fingerprint Web Application Framework

Description
If a framework version number is disclosed by the application in a response header, an attacker can use this information to find and exploit known vulnerabilities specific to the framework(s) in use. This increases the likelihood of an attack and also allows an attacker to launch a more focused attack on the application. Such headers […]
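The Apache headers, IIS headers and framework fingerprinting entries above share one verification step: after changing the configuration, look at what the server actually sends back. The following is an added example written for this page, not code from AppSec Labs. It scans a raw HTTP response for the headers those entries tell you to remove and distinguishes a bare product name, which ServerTokens Prod leaves behind, from a version number, which is what an attacker needs to pick a known exploit. Both responses are constructed for the demo, not captured from a real server.

```python
import re

# Headers the Apache and IIS entries above identify as disclosing the stack.
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
)

# Matches a dotted version such as "2.4.41" or "10.0"; a bare product name has none.
VERSION_RE = re.compile(r"\d+(\.\d+)+")

# Constructed responses: an IIS/ASP.NET server before hardening, and an Apache
# server after ServerSignature Off / ServerTokens Prod.
RAW_RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-AspNetMvc-Version: 5.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
RAW_RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_raw_response(raw):
    """Split a raw HTTP/1.x response into its status line and a header map.

    Header names are lower-cased (they are case-insensitive on the wire);
    repeated headers are kept as a list of values rather than overwritten.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def find_disclosures(headers):
    """Return [(header, value, finding)] for each disclosing header present.

    'version disclosed' means the response names an exact version;
    'product disclosed' means it still names the stack but not a version.
    """
    findings = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            kind = "version disclosed" if VERSION_RE.search(value) else "product disclosed"
            findings.append((name, value, kind))
    return findings


def audit(raw):
    """Raw response text in, list of findings out."""
    _status, headers = parse_raw_response(raw)
    return find_disclosures(headers)


if __name__ == "__main__":
    for label, raw in (("before", RAW_RESPONSE_BEFORE), ("after", RAW_RESPONSE_AFTER)):
        print(label)
        for name, value, kind in audit(raw):
            print(f"  {name}: {value}  ->  {kind}")
```

To check a live server, capture the response head (for example with curl -I, which prints the same CRLF-separated header lines) and pass it to audit. The "after" response still yields one finding because ServerTokens Prod leaves "Apache" in place; removing the header entirely needs the additional step the Apache entry goes on to describe.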