
Thread: XML injection in a SOAP request

  1. #1
    Join Date
    May 2008
    Posts
    976

    XML injection in a SOAP request

    I have a problem with web services in Java. I created this web service:

    1. Web service interface
    Code:
    package webservice;

    import javax.jws.WebMethod;
    import javax.jws.WebParam;
    import javax.jws.WebService;
    import javax.jws.soap.SOAPBinding;
    import javax.jws.soap.SOAPBinding.Style;

    @WebService(name = "MyWebService")
    @SOAPBinding(style = Style.RPC)
    public interface MyWebService {
        @WebMethod
        public String doLogin(@WebParam(name = "lastname") String lastname,
                              @WebParam(name = "firstname") String firstname,
                              @WebParam(name = "password") String password);
        // ... other methods ...
    }
    2. Endpoint web service
    Code:
    package webservice;

    import javax.ejb.Stateless;
    import javax.jws.WebService;

    @Stateless
    @WebService(
        endpointInterface = "webservice.MyWebService",
        portName = "MyWebServicePort",
        serviceName = "MyWebService")
    public class MyWebServiceEndpoint implements MyWebService {
        public String doLogin(String lastname, String firstname, String password) {
            // createLogin(...) is the poster's own helper and is not shown in the thread;
            // doLogin is declared to return a String, so its result is returned here.
            return createLogin(lastname, firstname, password);
        }
        // ... implementation of other methods ...
    }
    I then deployed my EAR application on Sun Java Application Server; the deployment works correctly and I use SoapUI to test the methods of my web service. Everything works properly, but my problem is that I can do an XML injection (or tag injection) with my SOAP request.

    If you take the example below, you can see the SOAP request that SoapUI sends to my server.
    Code:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="web:">
    <soapenv:Header>
    </soapenv:Header>
    <soapenv:Body>
    <web1:doLogin xmlns:web1="http://webservice.example.com/">
    <firstname> John </firstname>
    <lastname> Brown </lastname>
    <password> john_pass33 </password>
    <lastname> Kennedy </lastname>
    </web1:doLogin>
    </soapenv:Body>
    </soapenv:Envelope>
    As you can see, I managed to inject two <lastname> tags; my server accepts this and takes the second tag into account, i.e. in this example the name "Kennedy" will be used and not "Brown".

    I tried to use an XML schema but nothing changes: I can still send a request with two tags of the same name, and it is always the last tag that the server takes into account.

    I would like to know if someone could help me by telling me how to avoid this kind of problem, i.e. is it possible to refuse a SOAP request that has two parameters with the same name, or to ignore the second tag, etc.?

  2. #2
    Join Date
    May 2008
    Posts
    685

    Re: XML injection in a SOAP request

    What do you call an XML injection? You sent the request as is yourself, didn't you?

  3. #3
    Join Date
    May 2008
    Posts
    976

    Re: XML injection in a SOAP request

    Yes, I sent the request as it is (in fact, a copy and paste from SoapUI), and as you can see in the following request I sent two <lastname> tags (line 7 and line 9). That is what I call "XML injection" or, if you prefer, "tag injection". The server accepts my request, takes the second tag into account and ignores the first. What I want is for the server not to accept such a request. And as I said, I tried to create an XML Schema, but it changes nothing about my problem, so I am somewhat at an impasse.

    Code:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="web:">
    <soapenv:Header>
    </soapenv:Header>
    <soapenv:Body>
    <web1:doLogin xmlns:web1="http://webservice.example.com/">
    <firstname> John </firstname>
    <lastname> Brown </lastname>
    <password> john_pass33 </password>
    <lastname> Kennedy </lastname>
    </web1:doLogin>
    </soapenv:Body>
    </soapenv:Envelope>
    Do you have an idea? Or can someone else help me?

  4. #4
    Join Date
    May 2008
    Posts
    685

    Re: XML injection in a SOAP request

    This is not tag injection at all, since you are sending the whole request yourself. And there is no security problem.

    If you want to make the XML format stricter, you can play with the XSD schema (xsd:sequence and xsd:element with maxOccurs="1"). Nevertheless, that requires that the web service framework you use supports XSD validation.
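    The constraint suggested above (each parameter element exactly once) is easy to see in isolation. The block below is an added example, not code from the thread or from the poster's service: it parses the posted doLogin request with Python's standard library and shows, side by side, the last-wins mapping the poster observed and a strict mapping that rejects a duplicated `<lastname>`, which is the multiplicity check an `xs:all` (or `xs:sequence`) of `xs:element ... maxOccurs="1"` would enforce. The sample request is reconstructed from the thread; the service namespace `http://webservice.example.com/` is taken from it, and the parameter names come from the `@WebParam` annotations.

```python
"""Strict parameter extraction for the doLogin SOAP request (added example).

Emulates what an XSD `xs:all` of `xs:element ... maxOccurs="1"` enforces on
the operation element: every expected parameter occurs exactly once and
nothing else is present, so a duplicated <lastname> is rejected instead of
silently resolving to the last occurrence.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "http://webservice.example.com/"  # namespace used in the posted request

# Parameter names taken from the @WebParam annotations on doLogin.
DOLOGIN_PARAMS = frozenset({"lastname", "firstname", "password"})

# Constructed sample: the duplicated-<lastname> request from the thread,
# and the same request with the second <lastname> removed.
DUPLICATE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header></soapenv:Header>
<soapenv:Body>
<web1:doLogin xmlns:web1="http://webservice.example.com/">
<firstname> John </firstname>
<lastname> Brown </lastname>
<password> john_pass33 </password>
<lastname> Kennedy </lastname>
</web1:doLogin>
</soapenv:Body>
</soapenv:Envelope>"""

CLEAN_REQUEST = DUPLICATE_REQUEST.replace("<lastname> Kennedy </lastname>\n", "")


class SoapParameterError(ValueError):
    """Raised when the operation element does not have the expected shape."""


def _operation_element(xml_text):
    """Return the single doLogin element under soap:Body, or raise."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise SoapParameterError("missing soap:Body")
    children = list(body)
    if len(children) != 1 or children[0].tag != f"{{{SERVICE_NS}}}doLogin":
        raise SoapParameterError("Body must contain exactly one doLogin element")
    return children[0]


def naive_params(xml_text):
    """Last-wins mapping: the behaviour the poster observed from the framework."""
    op = _operation_element(xml_text)
    return {child.tag: (child.text or "").strip() for child in op}


def strict_params(xml_text, expected=DOLOGIN_PARAMS):
    """Map parameters only if each expected name occurs exactly once and
    no other element is present (what maxOccurs="1" in an XSD enforces)."""
    op = _operation_element(xml_text)
    seen = {}
    for child in op:
        # RPC-style parameters are unqualified here, so child.tag is the bare name.
        if child.tag not in expected:
            raise SoapParameterError(f"unexpected parameter <{child.tag}>")
        if child.tag in seen:
            raise SoapParameterError(f"parameter <{child.tag}> appears more than once")
        if len(child):
            raise SoapParameterError(f"parameter <{child.tag}> must be a simple value")
        seen[child.tag] = (child.text or "").strip()
    missing = expected - set(seen)
    if missing:
        raise SoapParameterError(f"missing parameters: {sorted(missing)}")
    return seen


def rejection_reason(xml_text):
    """None if the request passes the strict check, else the rejection message."""
    try:
        strict_params(xml_text)
    except (SoapParameterError, ET.ParseError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("naive (last wins):", naive_params(DUPLICATE_REQUEST))
    print("strict, duplicate:", rejection_reason(DUPLICATE_REQUEST))
    print("strict, clean    :", strict_params(CLEAN_REQUEST))
```

    Running it prints `Kennedy` for the naive mapping and a "appears more than once" rejection for the strict one; the clean request maps to John / Brown / john_pass33. The same check also catches a missing or unknown parameter, which a plain "take the last value" mapping would not. In the Java service itself the equivalent constraint lives in the WSDL's XSD, and it only bites if the JAX-WS stack is told to validate incoming messages against it (on Metro, the stack behind Sun's application server, that is the `@SchemaValidation` annotation from `com.sun.xml.ws.developer`); without validation enabled, the schema is documentation only, which is consistent with what the poster saw.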

  5. #5
    Join Date
    May 2008
    Posts
    976

    Re: XML injection in a SOAP request

    Yes, I agree with you, but I sent the request as an example so that everyone can understand my problem. Now, if such a request is possible, it is also possible to inject a tag into a SOAP request that has been intercepted, and the server will not notice anything and will be influenced by the tag that was injected. I will not go into the details of how an attacker could do this or any of the complications; I simply gave an example of the problem I want to solve.
