xxe xml external entity

Web Application Security - Team bi0s © 2017

XXE XML External Entity

25 February 2017

@Team bi0s 1/25

HEERAJBtech, Third Year, Computer Science EngineeringAmrita University

http://blog.0daylabs.com/

http://twitter.com/0daylabs



whoami

Web Application Security - Team bi0s © 2017 @Team bi0s

➔ Undergraduate Student @ Amrita

➔ Web Security Enthusiast

➔ CTF{flag_seeker}

➔ @heerajnair

➔ ww.i4info.in

2/25


http://twitter.com/forbiddensec


Agenda


➔ Intro to XML & DTD

➔ XML Entity

➔ Parsing XML

➔ Attack Vectors

➔ Demo

3/25




XML


➔EXtensible Markup Language

4/25

Picture:123RF.COM




Where it is used ?


➔ Document Formats

➔ Image Formats

➔ Configuration Files

➔ Network Protocols

➔ RSS Feeds … etc . . .

5/25

Picture: c-sharpcorner.com




Document Type Definition


➔ References an ExternalDTD

➔ Define structure with the list of legal elements

6/25




XML Entity


➔ Entities help to reduce the entry of repetitive information

Output:Writer: Donald Duck. Copyright: bi0s.

7/25




XML Entity


XML Entity

Internal Entity External Entity

8/25




Parsing


➔ Character other than < , > , & , ‘ , “ all are parsable.

➔ PCDATA is text that will be parsed by a parser. ➔ CDATA is text that will not be parsed by a parser.

◆ Ex : <![CDATA[<data>Hello, world!]]>

9/25




Attack’s Possible


➔ Denial Of Service

➔ Local File Inclusion

➔ SSRF

➔ Internal scans

➔ Rce (Not Always!!!)

10/25




Billion Laughs Attack


➔ Works by expansion property (Simple code(<1kb) will expand up to 3 gigabytes of memory.

11/25

Website: digitalimprint.com




Attack Vectors


Classic XXEWe can view any file which doesn’t contain < , > , & , ‘ , “ as characters.

12/25




Avinash S

Here they used the power/image_size as it is simple to test. But showing this as the first example of XXE can be confusing as many people might not even know what is the purpose of this file. Replace it with the example of etc/passwd (e.g., see #4 of https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE.pdf).

OFFICE OPEN XML


➔ Zip archive file containing XML and media files

➔ *.docx , *.xlsx , *.pptx

➔ Developed by Microsoft

14/25




OFFICE OPEN XML


15/25




OFFICE OPEN XML


➔ Files in OOXML◆ /_rels/.rels◆ [Content_Types].xml◆ Default Main Document

● /word/document.xml● /ppt/presentation.xml● /xl/workbook.xml

16/25




Direct Feedback Channel


What if you are Reading

Some configuration files?

17/25




Different Protocols

Web Application Security - Team bi0s © 2017 @Team bi0s 18/25

php://filter/convert.base64-encode/resource=/etc/passwd






➔ CDATA very helpful to read web configuration, which contain non parsable characters.

But this won’t work !!

19/25




Heeraj Nair

change pic, with fstab

Avinash S

You really want to show spelling mistake of end?



1. XML Request

2. Get th

e DTD

3. Info Back

Parsing

Attacker’s Server

Host






➔ We have to use Parameter entities

➢ Parameter.dtd

21/25




Out Of Band Channel


1. XML Request

2. Get th

e DTD

3. Info Back Parsing

4.GET? data=root:x:0:0:root:

Attacker’s Server

Host




Out Of Band Channel


➔ No Direct Feedback Channel

23/25




Demo


XXE Cheat Sheet: http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html

24/25




http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html

Solution


➢ Validation of user input➢ Turn off external DTD fetching ➢ Disable External Entity Parsing

libxml_disable_entity_loader(true);(PHP)

25/25




Playing With Content Type


➔ Server may accept multiple data formats

➔ Results in Json endpoints may be vulnerable to XXE

➔ Content-Type changed to application/xml

➔ JSON has to be converted to XML

27/25




OFFICE OPEN XML


28/25

Open XML File Container

Document Properties

Custom Defined XML

CommentsWordML/

SpreadsheetML etc

Embedded Code/Macros

Images, Video, Sound Files

Charts




xxe xml external entity

Internet