#HITB2012AMS D2T2 - Nicolas Gregoire - Attacking XML Preprocessing





The interactive transcript could not be loaded.


Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on Jun 24, 2012


Presentation Materials: http://conference.hitb.org/hitbseccon...

Documenting more than a year of research in XML technologies, this talk will detail security implications of the XML format and its processing practices.

Discussed targets range from browsers to enterprise-level security solutions and web-service back-ends. Several key technologies will be addressed: XML grammar aka DTD, homo-iconicity and self-contained dynamic SVG images, design and implementation vulnerabilities in XSLT and XPath engines, in-memory exploitation of Java-based XSLT engines, XML databases and many more ... PoC code has and will systematically be released for every (patched) vulnerability.

The goal of this presentation is to document and publicize state of the art attacks including:

- Data obfuscation in XML containers (Adobe, VLC, ...)
- DTD manipulation used to read (possibly binary) files, steal hashes or generate XSS
- Dangerous extensions in newly studied XSLT and XQuery engines (Adobe, Oracle, XT, 4Suite, ...)
- Grammar and mutation-based fuzzing of XPath and XSLT engines
- Bizarre combination of grammar, data, code and markup in a single XML file
- How to trigger XSLT code in security protocols (SAML, WS-Security, ...)
- Advanced in-memory exploitation of Java based XSLT engines


Nicolas Grégoire has worked in Information Security for more than ten years. After initially jobbing in a start-up, he spent 4 years doing full-time pen-testing as a consultant. Afterwards, he moved into the nice region of Luberon and became an internal security auditor for one of largest French PKI.

In early 2011, he left this job to create Agarri, a small company dedicated to the offensive side of information security : pen-testing, white / gray / black-box audit, code review, vulnerability research, trainings, etc. Since then, he published several vulnerabilities in well-known high-profile products such as Webkit, PHP, DotNetNuke, VMware ESX, Excel, HP SAN appliances, ... His current research focus is XML technologies at large.


When autoplay is enabled, a suggested video will automatically play next.

Up next

to add this to Watch Later

Add to

Loading playlists...