Thursday, January 24, 2008

XMLHTTP on the Server Side

RSnakes post on intranet hacking using web sites got the gears in my head turning a couple of months ago.

I started playing around with the MSXML and WinHTTP libraries from Microsoft. A quick google for XMLHTTP will generate alot of results concerning client side/AJAX stuff, but over the years I've seen XMLHTTP used quite a bit on the server side (for server to server communication). I've also seen it used interchangeably with WinHTTP to make server side HTTP requests.

I wrote a simple classic ASP script to do some tests. The script takes a resource location as a
querystring parameter, and makes a server side request for the resource. It then sends the response to the user via Response.Write(). Since this is a simple script and performs no validation, you can pass the script internal host names on the web servers local network, send HTTP requests to them, and analyze/display the responses (or lack there of). This is the basic premise of RSnakes paper.

dim http
set http = createobject("Msxml2.XMLHTTP")
'set http = createobject("Msxml2.ServerXMLHTTP.4.0")
'set http = createobject("Msxml2.XMLHTTP")
'set http = createobject("Microsoft.xmlhttp")
'Set http = CreateObject("WinHttp.WinHttpRequest.5.1") "GET", request.querystring("url"), false
response.write http.ResponseText
set http = nothing

Next, I started playing around with different protocols. Not too much interesting here, until I got to the file:// protocol, which WinHTTP complained was invalid.

Example URL: file:///c:/windows/system32/drivers/etc/hosts

MSXML.XMLHTTP on the other hand, did not:

Using XMLHTTP allowed me to view arbitrary files on the web server. Pretty cool. So if you use MSXML.XMLHTTP in your application and pass it user supplied URL's without validating them, you could introduce an information disclosure vulnerability in your application.

I did some more digging to find out what the appropriate uses of the different versions of MSXML and WinHTTP are. I found one interesting discussion here .

I also found that there is a separate class in MSXML to use when doing server-to-server communication. While MSXML2.XMLHTTP returned local files, MSXML2.ServerXMLHTTP gave the same error that WinHTTP does: Invalid Protocol.

So it turns out that the ServerXMLHTTP class is more robust then regular XMLHTTP. From

"With version 3.0, MSXML introduced ServerXMLHTTP, a class designed to do server-side HTTP access. ServerXMLHTTP is based on WinHTTP, a new HTTP access component from Microsoft that is designed to be thread-safe, scalable, and UI-less. ServerXMLHTTP is really a very powerful class and can really come very handy while doing server-to-server or cross-tier HTTP data communication."

To sum this post up, if you're going to allow users to specify resources for server side requests via MSXML, use ServerXMLHTTP!


Anonymous said...

Just wanted to let you know I found this post very interesting and it very much helped me with a project I'm working ok.


Mike Zusman said...

Great! Glad it was useful. Thanks for the comment.