DETECTION AND EXPLOITATION OF XML EXTERNAL ENTITY INJECTION (XXE)
INTRODUCTION
An XML External Entity (XXE) attack is a type of injection or input-validation vulnerability. It occurs when an application accepts user-supplied data either as raw XML or as a value that is embedded into an XML document, and passes that document to an XML parser that resolves external entities and runs with enough privilege to read external resources or local system files.
Recently, there has been an increase in the use of XML documents due to the growing use of web services such as REST APIs and SOAP, which commonly use XML to exchange data.
XML has a feature for defining entities. Some entities are predefined, and they are referenced by writing their name between an ampersand (&) and a semicolon (;). XML also allows us to declare custom entities, the two most common kinds being internal and external entities. Internal entities reference data defined inside the document itself; external entities reference data from an external source.
EXAMPLE FOR INTERNAL ENTITY:
<!DOCTYPE profile [<!ENTITY name "Brisk Infosec">]>
<profile>
<name>&name;</name>
<class>Cyber Security</class>
<service>Pentest</service>
</profile>
In the first line, we have defined an entity “name” having the value “Brisk Infosec”; the block used to define entities is known as the DTD (Document Type Definition) block. Next, in the third line, you can see that we have referenced the entity as “&name;”, which the parser replaces with the value “Brisk Infosec”. In this way, we don’t have to type the name each time; all we have to do is use a reference to the entity.
EXAMPLE FOR EXTERNAL ENTITY:
<!DOCTYPE profile [<!ENTITY name SYSTEM "http://target.com/profile">]>
<profile>
<name>&name;</name>
<class>Data</class>
<service>pentest</service>
</profile>
In the first line, in the DTD block, we have defined an external entity whose value is a link to an external resource. When this XML document is processed, the parser fetches that external resource and replaces every instance of “&name;” with its content. If the content of the external resource is processed and displayed back to the user without proper validation, an attacker may be able to abuse the parser to conduct an XXE injection attack.
To find an XXE (XML External Entity) vulnerability, an attacker or tester needs to inject XML characters into all input fields and observe whether XML parsing errors are generated.
EXPLOITATION OF XXE VULNERABILITY:
Use the information disclosed in error messages to determine the file path from which the XML parser is operating; such errors can be triggered with malformed XML.
Let us consider a test website (here I’m using the OWASP Mutillidae application).
1. The application has an XML parser input page.
2. Let’s try giving it some XML input and check the response from the server.
3. After that, we can try to inject XML input with multiple user-defined entities.
4. Now we can try to include external data using the <!ENTITY> section of the XML input. The <!ENTITY> section of an XML document optionally defines external files to be included as part of the XML document. Interestingly, these can even be files from the system parsing the XML.
Using the <!ENTITY> section of the XML input, we can try to access local files such as /etc/passwd on a Linux server.
5. Once we have submitted the above XML payload, the response contains the password file details from the back-end Linux server.
6. Similarly, we can try to load the boot.ini file if the server runs a Windows operating system, using an XML payload like the one below:
<?xml version="1.0"?>
<!DOCTYPE change-log [
<!ENTITY systemEntity SYSTEM "../../../../boot.ini">
]>
<change-log>
<text>&systemEntity;</text>
</change-log>
MITIGATIONS FOR XXE INJECTION ATTACKS:
1. XML parser functions, such as a JAXB unmarshaller, should have a secure configuration that prevents external entities in an incoming XML document from being resolved.
2. XML input should not be handed to the parser directly as a java.io.File or java.io.InputStream.
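As an added example (not code from the original post or from BriskInfosec), the two mitigations above in Java: a DocumentBuilderFactory hardened so that a DOCTYPE, and therefore any entity declaration, is rejected, and a JAXB Unmarshaller fed through a StAX reader with DTD and external-entity support disabled instead of a raw java.io.File or InputStream. It assumes a JAXB implementation (javax.xml.bind) is on the classpath; the main method feeds the hardened builder a constructed copy of the boot.ini payload shown above and expects it to be rejected.

```java
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
public class SafeXmlParsing {
    // Hardened DOM parser: a DOCTYPE is rejected outright, so no internal or external entity can be declared.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that do not honour the DOCTYPE feature
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }
    // Hardened JAXB unmarshalling: the raw input never reaches the Unmarshaller directly;
    // it goes through a StAX reader whose factory has DTD and external-entity support switched off.
    public static <T> T unmarshalSafely(Class<T> type, String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));
        Unmarshaller um = JAXBContext.newInstance(type).createUnmarshaller();
        return type.cast(um.unmarshal(reader));
    }
    public static void main(String[] args) throws Exception {
        // Constructed input, copied from the boot.ini payload discussed above
        String payload = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM \"../../../../boot.ini\"> ]>"
            + "<change-log><text>&systemEntity;</text></change-log>";
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(payload)));
            System.out.println("parsed: " + doc.getDocumentElement().getTagName());
        } catch (SAXParseException e) {
            // Expected path: the DOCTYPE is refused before any entity could be resolved
            System.out.println("rejected before any entity was resolved: " + e.getMessage());
        }
    }
}
```

With the default JDK parser the payload is rejected at the DOCTYPE declaration, so the entity reference is never resolved and no file path is touched.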
References:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://stackoverflow.com/questions/40649152/how-to-prevent-xxe-attack
Dawood Ansar
Security Engineer
BriskInfosec Technology and consulting PVT LTD
Find me @https://www.linkedin.com/in/dawood-ansar-29403213b/