XSLT Server Side Injection Attacks by David Turco.
From the post:
Extensible Stylesheet Language Transformations (XSLT) vulnerabilities can have serious consequences for the affected applications, often resulting in remote code execution. Examples of XSLT remote code execution vulnerabilities with public exploits are CVE-2012-5357 affecting the .Net Ektron CMS; CVE-2012-1592 affecting Apache Struts 2.0; and CVE-2005-3757 which affected the Google Search Appliance.
From the examples above it is clear that XSLT vulnerabilities have been around for a long time and, although they are less common than other similar vulnerabilities such as XML Injection, we regularly find them in our security assessments. Nonetheless the vulnerability and the exploitation techniques are not widely known.
In this blog post we present a selection of attacks against XSLT to show the risks of using this technology in an insecure way.
We demonstrate how it is possible to execute arbitrary code remotely; exfiltrate data from remote systems; perform network scans; and access resources on the victim’s internal network.
We also make available a simple .NET application vulnerable to the described attacks and provide recommendations on how to mitigate them.
…
A great post for introducing XML and XSLT to potential hackers!
Equally great potential for a workshop at a markup conference.
Enjoy!