Bypassing Restrictive Perimeter Firewalls

The XML port scanning technique described in this paper allows an attacker to utilise an XML parser to execute port scanning of systems behind a restrictive perimeter firewall. While the technique relies on some reasonably specific implementation details in order to be exploitable remotely, it is potentially applicable to any application that accepts XML document inputs. Several workarounds exist and have been detailed in this paper and the technique does not offer the ability to perform advanced fingerprinting or analysis of the underlying operating system of hosts. However, this technique demonstrates the danger that inadequately configured XML parsers can pose to an organisation and highlights the inability of traditional network security devices to handle application-level threats. Overview The use of eXtensible Markup Language (XML) has become largely ubiquitous as a means for exchanging information between heterogeneous platforms and systems. XML lies at the core of growing technologies such as web services and AJAX web applications and XML endpoints are commonly exposed to the Internet over ports 80 or 443. The extensible nature of XML provides significant flexibility in representing arbitrary data formats, and a number of supporting standards have been defined to allow the transformation, definition and transmission of XML data in a standardised manner. The XML parser is critical to the processing of XML and is often a complex and powerful software component. However, through exploiting weaknesses in default XML parser configurations, this component can be abused to perform malicious activities that undermine the perimeter security of an organisation's network and provide an attacker with detailed information about systems within an organisation. This can typically be achieved even in the presence of a highly restrictive perimeter firewall.