xxe - xml external entity attack

Web Application Security - Team bi0s © 2017

XXE XML External Entity

25 February 2017

@Team bi0s 1/25

HEERAJBtech, Third Year, Computer Science EngineeringAmrita University

http://blog.0daylabs.com/

http://twitter.com/0daylabs



whoami

Web Application Security - Team bi0s © 2017 @Team bi0s

➔ Undergraduate Student @ Amrita

➔ Web Security Enthusiast

➔ CTF{flag_seeker}

➔ @HRJ

➔ ww.i4info.in

2/25


http://twitter.com/forbiddensec


Agenda


➔ Intro to XML & DTD

➔ XML Entity

➔ Parsing XML

➔ Attacks Vector

➔ Demo

3/25




XML


➔EXtensible Markup Language

4/25

Picture:123RF.COM




Where it is used ?


➔ Document Formats

➔ Image Formats

➔ Configuration Files

➔ Network Protocols

➔ RSS Feeds … etc . . .

5/25

Picture: c-sharpcorner.com




Document Type Definition


➔ References an ExternalDTD

➔ Define structure with the list of legal elements

6/25




XML Entity


➔ Entities help to reduce the entry of repetitive information and also allow for easier editing

Output:Writer: Donald Duck. Copyright: bi0s.

7/25




XML Entity


XML Entity

Internal Entity External Entity

8/25




Parsing


➔ Character other than < , > , & , ‘ , “ all are parsable.

➔ PCDATA is text that will be parsed by a parser. Tags inside the text will be treated as markup and entities will be expanded.

➔ CDATA is text that will not be parsed by a parser.

9/25




Attack’s Possible


➔ LFI

➔ SSRF

➔ Internal scans

➔ Denial of Service

➔ Rce (Not Always!!!)

10/25




Attack Vectors


Classic XXEWe can view any file which doesn’t contain < , > , & , ‘ , “ as characters.

11/25




Avinash S

Here they used the power/image_size as it is simple to test. But showing this as the first example of XXE can be confusing as many people might not even know what is the purpose of this file. Replace it with the example of etc/passwd (e.g., see #4 of https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE.pdf).

Direct Feedback Channel


What if you are Reading

Some configuration files?

13






➔ CDATA very helpful to read web configuration, which contain non parsable characters.

But this won’t work !!

14/25




Avinash S

You really want to show spelling mistake of end?



➔ We have to use Parameter entities

➢ Parameter.dtd

15/25




Out Of Band Channel

Web Application Security - Team bi0s © 2017 @Team bi0s 16/25




Out Of Band Channel


➔ No Direct Feedback Channel

17/25

Website: http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html




Avinash S

Cite Christian's and Vladislav's blog post here and wherever you used screenshots from that post. I know them quite well and they are very conscious about other people citing their work.

Billion Laughs Attack (Simple Denial of Service)


➔ Works by expansion property (Simple code(<1kb) will expand up to 3 gigabytes of memory.

18/25




OFFICE OPEN XML


➔ Zip archive file containing XML and media files

➔ *.docx , *.xlsx , *.pptx

➔ Developed by Microsoft

20/25




OFFICE OPEN XML


21/25

Open XML File Container

Document Properties

Custom Defined XML

CommentsWordML/

SpreadsheetML etc

Embedded Code/Macros

Images, Video, Sound Files

Charts




OFFICE OPEN XML


➔ General Parsing XML◆ /_rels/.rels◆ [Content_Types].xml◆ Default Main Document

● /word/document.xml● /ppt/presentation.xml● /xl/workbook.xml

22/25




Playing With Content Type


➔ Server may accept multiple data formats

➔ Results in Json endpoints may be vulnerable to XXE

➔ Content-Type changed to application/xml

➔ JSON has to be converted to XML

23/25




Demo


24/25




Solution


➢ Don’t reflect the XML back to user➢ Turn off external DTD fetching ➢ Turn off DTD➢ Disable External Entity Parsing

libxml_disable_entity_loader(true);(PHP)

25/25




xxe - xml external entity attack

Software