Why is Cybersecurity hard? XXE injection

Where do we start?

In the beginning …  well, fortunately we do not have to talk creation or evolution, let’s just go back to early 90’s when the Microsoft Windows Operating system hit a large market share of all personal computing systems. If you look at the early Windows systems, they were not built out of the gate to get on a network. The network infrastructure was added on to the system, like a lot of items were added on (like a sound system) or a webcam. There was no web browser until the Web was built.

The servers may have been built with network in mind, but not with security and authentication.

This was the first website(1990) from http://info.cern.ch and http://webfoundation.org/about/vision/history-of-the-web/:

firstwebpageWWW

Notice no pictures, only links and text, even the text is not  formatted, just a basic text font of the early web. The reason for this was that the Web page was only replacing FTP from command line or gopher (a similar program as ftp) as an “app”. The Web app made using the Windows and Mac graphical operating system easy to use the network, although the look was not important yet. Slowly more and more functionality was added to websites. But no one thought about security at the time. People were just figuring out (I was going to write struggling) but it was just a slow understanding of what the web really meant to business commerce, education, and more.

Remember Google did not get built until 9/4/1998 http://www.google.com/about/company/history/

So the web was building slowly without too many security thoughts.

The secure authentication protocol(https- port 443) was started after credit cards were to be used in ecommerce on the web as Phillip Remaker discusses in his blog: http://www.quora.com/What-is-the-history-of-HTTPS. The certificate authority  is to use a digital certificate created using public-key encryption technology.

As this method was used and tested for security the protocol went through 3 major version upgrades (SSL3.0), on 1999 TLS was started with TLS 1.0.   As you may know the security industry is moving away from SSL and to TLS1.2 today due to POODLE.

As we discussed on October 14th http://oversitesentry.com/the-sslv3-vulnerability-fix-and-explanation/ .

Why is Cybersecurity hard? Because we are building security around protocols and computer systems that were not built with security builtin.  So functionality was invented, and security built after the fact. In fact most websites and systems are built just to run our ever increasing demands for more and more functionality:

1. Pictures and text

2. Javascript programmatic functionality

3. Flash (moving pictures is the effect)

4. Other HTML program function

The way we are trying to help create security where there was none is to test the applications and systems by testing them to see how they operate with a battery of tests.

Which is why I have created a number of specific services to test our imperfect systems.  (A – Σ – Ω) Solution

 

Here is a today problem, in case you are questioning – why go over the past?

https://isc.sans.edu/forums/diary/Blindly+confirming+XXE/19257/   Discusses XXE (XML External Entity) vulnerabilities – an XML document server side

Always going to OWASP for application security testing:

https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

And here we are – someone thought up XML the standard, and did not think about XML injection.

So now if you have XML it has to be tested on your server, since we have to build security after the site and technology was developed.

Contact me to discuss your cybersecurity needs

Tony Zafiropoulos – tonyz “at” fixvirus.com