Thursday, 22 May 2014

XML External Entity (XXE) Injection

In this post we will look at XXE Injection, a type of XML vulnerability. The XML standard defines the concept of an external entity. XML entities are additional statements that can be added to an XML document and that tell the parser to pull data from third parties or even from the local file system.

Below is a valid XML document. To construct it we use a DOCTYPE header and give it a name, then within that header we embed the external entity declaration. All entities begin with a declaration, <!ENTITY; we give this one the name bWAPP and also declare it as type SYSTEM, meaning the local file system. This is followed by the path to the local file that we would like to fetch our content from.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY bWAPP SYSTEM "file:///[file]">
]>


For the demo we will be using the bWAPP application.

First navigate to the XXE vulnerable page in bWAPP. In order to send the request to the server you will need to click on the 'Any bugs?' button. 


To view and manipulate the request you will need an intercepting proxy tool, e.g. ZAProxy or Burp Suite. After clicking the button and checking the traffic history you will see a simple XML request with two parameters, <login>bee</login> and <secret>Any bugs?</secret>.


We can also see that the input 'bee' is echoed back in the response. We can therefore be hopeful that the content we request will also be returned.



To pull the contents back from the external entity we change the value of the login parameter to &bWAPP; (note there is no validation here), the entity reference that stands for the system path. The XML parser should look up the system entity bWAPP and substitute the entity reference with the content of the file.


When we check the response we can see that the robots.txt contents are returned.


We can also try to access a sensitive local resource such as the /etc/passwd file. The steps are the same as above; only this time, as we are calling a local file, we use file:///.

Again we can see the file contents are returned in the response.


It is also possible to perform a DoS on the target's XML parser. The attack is known as the Billion Laughs attack or an XML bomb. There are 10 different XML entities, lol to lol9, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity.


This exponential growth obviously consumes a lot of resources, causing a DoS. More information on this attack is available on the cytinus blog.
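Both the external entity substitution shown above and the Billion Laughs expansion depend on the same thing: the parser accepting a DOCTYPE with entity declarations from an untrusted request. The example below is added here and is not code from this post or from bWAPP. It shows the defensive counterpart: an expat pre-pass that refuses any DOCTYPE or entity declaration before the document reaches the real parser, run against constructed requests modelled on the login/secret request described above (the element and file names are assumptions, and the bomb is a scaled-down three-level sample used only as detector input). It also shows what the Python standard-library ElementTree does on its own with the external entity, which is to report it as undefined rather than fetch the file.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def reject_reason(data: bytes):
    """Return None if the document carries no DTD, else a short reason string.

    A bare expat parser is used with handlers that abort on the first DOCTYPE,
    entity declaration or external-entity reference. Nothing is resolved or
    expanded, so this pass is safe to run on attacker-controlled input.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} declared (sysid={sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid else "internal"
        raise DTDForbidden(f"{kind} entity {name!r} declared")

    def on_external_ref(context, base, sysid, pubid):
        raise DTDForbidden(f"external entity reference to {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except DTDForbidden as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse request XML only after the DTD pre-check has passed."""
    reason = reject_reason(data)
    if reason is not None:
        raise DTDForbidden(reason)
    return ET.fromstring(data)


def stdlib_result_for(data: bytes) -> str:
    """Show what ElementTree does with the document unprotected.

    For an external entity, expat has no ExternalEntityRefHandler installed
    and ElementTree reports the reference as an undefined entity instead of
    reading the file; the message is returned so it can be inspected.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return f"ParseError: {exc}"
    return f"login={root.findtext('login')!r}"


# Constructed samples (not captured bWAPP traffic); element names assumed.
BENIGN = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b"<root><login>bee</login><secret>Any bugs?</secret></root>"
)

XXE_REQUEST = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b"<!DOCTYPE root [\n"
    b'<!ENTITY bWAPP SYSTEM "file:///[file]">\n'   # placeholder path, as in the post
    b"]>\n"
    b"<root><login>&bWAPP;</login><secret>Any bugs?</secret></root>"
)

# Scaled-down (three-level) sample of the entity chain the post describes,
# used only to show that the detector catches it before any expansion.
XML_BOMB = (
    b'<?xml version="1.0"?>\n'
    b"<!DOCTYPE lolz [\n"
    b'<!ENTITY lol "lol">\n'
    b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    b"]>\n"
    b"<lolz>&lol2;</lolz>"
)


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("xxe", XXE_REQUEST), ("bomb", XML_BOMB)]:
        print(f"{label:7s} pre-check: {reject_reason(doc)}")
    print("xxe     stdlib   :", stdlib_result_for(XXE_REQUEST))
    print("benign  parsed   :", parse_untrusted_xml(BENIGN).findtext("login"))
```

The pre-check fires on the DOCTYPE itself, so the internal subset is never processed and neither the file reference nor the entity chain is evaluated. Rejecting every DTD is the simplest policy for a request endpoint that has no legitimate use for one; a parser that must accept DTDs needs per-parser settings to disable external entity loading and to cap entity expansion instead.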

To find out more about XML and XXE attacks the following links are useful:
XML_Exteral_Entity_Attack.pdf
XML_External_Entity_(XXE)_Processing