XML External Entity Injection (XXE) Exploitation (OWASP Top 10 - A4)
Abstract:
Modern applications continue to use XML for data transfer and representation because of its dynamic, cross-platform nature. However, if the XML parser is not configured correctly, it can introduce a class of vulnerability known as XML external entity injection (XXE), which can lead to full remote code execution and complete compromise of the backend web server. This vulnerability has become prevalent enough to be included in the OWASP Top 10 2017. This talk will cover what XXE is, how to identify it, how to exploit it, and finally how to prevent it.
Note: Students are encouraged to bring testing laptops with BurpSuite installed to perform their own exploitation on a vulnerable application. The Kali Linux distro already includes the free edition of BurpSuite by default.
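The abstract's point is that XXE is a parser configuration problem: the parser resolves entities declared in a DOCTYPE, and an attacker-controlled document can declare them. The defensive counterpart is a parser that fails closed on any DTD construct. The following is an added example written for this page (not code from the talk or its author) using only Python's standard-library expat bindings; the three XML documents are constructed samples and the `file:///placeholder/...` URI is a placeholder, not a real target. The helper names `parse_untrusted_xml`, `check_untrusted_xml` and `UnsafeXMLError` are this example's own.

```python
"""Hardened XML parsing: reject DOCTYPE / entity declarations before anything is resolved.

Added example for this page (not the talk's own code). Uses only the stdlib expat
parser. The sample documents below are constructed for demonstration.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, entity declaration or external reference."""


def parse_untrusted_xml(data: bytes, allow_doctype: bool = False) -> dict:
    """Parse XML from an untrusted source and return {'root', 'text', 'elements'}.

    Policy (fail closed):
      * a DOCTYPE is rejected unless allow_doctype=True
      * any entity declaration (internal or external) is rejected, which covers
        both XXE (SYSTEM entities) and entity-expansion denial of service
      * any external entity reference is rejected, so nothing is ever fetched
    """
    parser = expat.ParserCreate()
    # Parameter entities (the %name; kind, used to pull in external DTDs) are
    # never parsed; this is expat's default, set explicitly so the intent is visible.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    state = {"root": None, "text": [], "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity inside the DOCTYPE is seen.
        if not allow_doctype:
            raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted input")

    def on_entity_decl(name, is_parameter_entity, value, base, sysid, pubid, notation):
        # sysid is set for SYSTEM/PUBLIC (external) entities, None for internal ones.
        kind = "external" if sysid else "internal"
        raise UnsafeXMLError(f"{kind} entity {name!r} declared")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: unreachable when entity declarations are rejected,
        # but guarantees no fetch happens even if the policy above is relaxed.
        raise UnsafeXMLError(f"external entity reference to {sysid!r} blocked")

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name
        state["elements"] += 1

    def on_chars(text):
        state["text"].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars

    # Exceptions raised inside handlers propagate out of Parse(), aborting the parse.
    parser.Parse(data, True)
    return {"root": state["root"], "text": "".join(state["text"]), "elements": state["elements"]}


def check_untrusted_xml(data: bytes, allow_doctype: bool = False) -> tuple:
    """Return (accepted, reason) so callers can log the reason for a rejection."""
    try:
        parse_untrusted_xml(data, allow_doctype=allow_doctype)
    except UnsafeXMLError as exc:
        return (False, str(exc))
    except expat.ExpatError as exc:
        return (False, f"malformed XML: {exc}")
    return (True, "ok")


# Constructed sample inputs.
BENIGN_XML = b"""<?xml version="1.0"?>
<order><id>1042</id><note>standard shipping</note></order>"""

# Shape of an external-entity declaration; the URI is a placeholder, not a real path.
EXTERNAL_ENTITY_XML = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path"> ]>
<order><id>&ext;</id></order>"""

# Nested internal entities: the entity-expansion (denial of service) shape.
INTERNAL_ENTITY_XML = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY a "aaaaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;"> ]>
<order><id>&b;</id></order>"""


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_XML), ("external entity", EXTERNAL_ENTITY_XML),
                       ("internal entity", INTERNAL_ENTITY_XML)]:
        print(f"{label:16s} strict: {check_untrusted_xml(doc)}")
        print(f"{label:16s} doctype allowed: {check_untrusted_xml(doc, allow_doctype=True)}")
```

Two things the example shows that the abstract only states: the DOCTYPE handler fires before any entity is declared, so a strict policy never even reads the `SYSTEM` identifier; and when a DOCTYPE must be tolerated (some legacy feeds carry one), rejecting every entity declaration still closes both XXE and entity-expansion attacks, with the external-reference handler left in place as a backstop. The same layered settings exist in other parsers (disallowing DOCTYPE declarations, disabling external general and parameter entities); the stdlib expat calls used here are Python-specific.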
Bio:
Andrew Weidenhamer is a director in the RSM LLP technology risk advisory services practice. With close to 15 years of consulting experience in the information security and data governance field, Andrew has a unique combination of technical and business-related skills that allow him to perform in multiple roles. The bulk of his security and privacy experience, however, comprises leading and conducting technical testing engagements, including internal, external, and web application penetration testing across a wide variety of industry sectors. As the National Security Testing team lead at RSM, Andrew's responsibilities range from formal testing methodology and employee development to vendor evaluations and other business development activities.
Outside of work, Andrew is the co-lead of the DC OWASP chapter and has served as call-for-papers selection chair for OWASP's annual US flagship conference, AppSec USA. Andrew has had the privilege of speaking at national security and hacking conferences such as Defcon, OWASP AppSec, and Rochester Security Summit, to name a few. He has also worked with security researchers on pentesting tool development and has author credits on a well-known red teaming offensive security book. Currently, Andrew is working with other members of the RSM team on a post-exploitation red teaming tool that he hopes to present at an upcoming hacker conference. Finally, he keeps his skills sharp by taking industry-leading red teaming training such as the Pentesting with Kali Linux and Cracking the Perimeter offensive security courses, and he holds the Offensive Security Certified Professional certification.
