XXE - XML External Entity Attack
Transcript of XXE - XML External Entity Attack
![Page 1: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/1.jpg)
Web Application Security - Team bi0s © 2017
XXE XML External Entity
25 February 2017
@Team bi0s 1/25
HEERAJ, B.Tech Third Year, Computer Science Engineering, Amrita University
![Page 2: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/2.jpg)
whoami
➔ Undergraduate Student @ Amrita
➔ Web Security Enthusiast
➔ CTF{flag_seeker}
➔ @HRJ
➔ ww.i4info.in
![Page 3: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/3.jpg)
Agenda
➔ Intro to XML & DTD
➔ XML Entity
➔ Parsing XML
➔ Attacks Vector
➔ Demo
![Page 4: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/4.jpg)
XML
➔ EXtensible Markup Language
Picture: 123RF.COM
![Page 5: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/5.jpg)
Where is it used?
➔ Document Formats
➔ Image Formats
➔ Configuration Files
➔ Network Protocols
➔ RSS Feeds, etc.
Picture: c-sharpcorner.com
![Page 6: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/6.jpg)
Document Type Definition
➔ References an external DTD
➔ Defines the document structure with the list of legal elements
![Page 7: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/7.jpg)
XML Entity
➔ Entities help to reduce the entry of repetitive information and also allow for easier editing
Output: Writer: Donald Duck. Copyright: bi0s.
![Page 8: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/8.jpg)
XML Entity
Types of XML Entity:
➔ Internal Entity
➔ External Entity
![Page 9: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/9.jpg)
Parsing
➔ All characters other than < , > , & , ' , " are parsable.
➔ PCDATA is text that will be parsed by a parser. Tags inside the text will be treated as markup and entities will be expanded.
➔ CDATA is text that will not be parsed by a parser.
![Page 10: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/10.jpg)
Attacks Possible
➔ LFI
➔ SSRF
➔ Internal scans
➔ Denial of Service
➔ RCE (not always!)
![Page 11: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/11.jpg)
Attack Vectors
Classic XXE
We can view any file which doesn't contain < , > , & , ' , " as characters.
![Page 12: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/12.jpg)
![Page 13: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/13.jpg)
Direct Feedback Channel
What if you are reading some configuration files?
![Page 14: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/14.jpg)
Direct Feedback Channel
➔ CDATA is very helpful for reading web configuration files, which contain non-parsable characters.
But this won't work!
![Page 15: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/15.jpg)
Direct Feedback Channel
➔ We have to use Parameter entities
➢ Parameter.dtd
![Page 16: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/16.jpg)
Out Of Band Channel
![Page 17: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/17.jpg)
Out Of Band Channel
➔ No Direct Feedback Channel
Website: http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html
![Page 18: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/18.jpg)
Billion Laughs Attack (Simple Denial of Service)
➔ Works by entity expansion: a simple document (<1 KB) expands to up to 3 gigabytes of memory.
![Page 19: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/19.jpg)
Different Protocols
![Page 20: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/20.jpg)
OFFICE OPEN XML
➔ Zip archive file containing XML and media files
➔ *.docx , *.xlsx , *.pptx
➔ Developed by Microsoft
![Page 21: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/21.jpg)
OFFICE OPEN XML
Open XML File Container contains:
➔ Document Properties
➔ Custom Defined XML
➔ Comments
➔ WordML / SpreadsheetML etc.
➔ Embedded Code/Macros
➔ Images, Video, Sound Files
➔ Charts
![Page 22: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/22.jpg)
OFFICE OPEN XML
➔ General Parsing XML
  ◆ /_rels/.rels
  ◆ [Content_Types].xml
  ◆ Default Main Document
    ● /word/document.xml
    ● /ppt/presentation.xml
    ● /xl/workbook.xml
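As an added defender-side check (not from the slides), assuming the container layout listed above: open an uploaded OOXML package, read every XML part, and flag any part that carries a DOCTYPE or ENTITY declaration, which OOXML parts are not expected to contain, so the upload can be refused before a document parser ever runs. The zip builder constructs a minimal sample; real files carry many more parts.

```python
import io
import re
import zipfile

# Constructed samples (not from the slides): a clean main document part and one
# that smuggles an internal DTD into the same part.
CLEAN_DOCUMENT = '<?xml version="1.0"?><document>hello</document>'
DTD_DOCUMENT = ('<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "x">]>'
                '<document>&e;</document>')

DTD_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def build_sample_docx(document_xml):
    """Build a minimal .docx-style container with the parts the slide names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("_rels/.rels", '<?xml version="1.0"?><Relationships/>')
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/media/image1.png", b"\x89PNG placeholder, not XML")
    return buf.getvalue()


def _as_text(raw):
    # A UTF-16 part would hide "<!DOCTYPE" from a byte-level search, so decode first.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def find_dtd_parts(docx_bytes):
    """Return the names of XML parts that carry a DOCTYPE or ENTITY declaration.

    OOXML parts are not expected to contain a DTD, so any hit is grounds to
    reject the upload before it reaches the document parser.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue  # media and other binaries are never parsed as XML
            if DTD_RE.search(_as_text(zf.read(info.filename))):
                hits.append(info.filename)
    return hits


if __name__ == "__main__":
    print(find_dtd_parts(build_sample_docx(CLEAN_DOCUMENT)))  # []
    print(find_dtd_parts(build_sample_docx(DTD_DOCUMENT)))    # ['word/document.xml']
```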
![Page 23: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/23.jpg)
Playing With Content Type
➔ Server may accept multiple data formats
➔ As a result, JSON endpoints may be vulnerable to XXE
➔ Content-Type changed to application/xml
➔ JSON has to be converted to XML
![Page 24: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/24.jpg)
Demo
![Page 25: XXE - XML External Entity Attack](https://reader034.fdocuments.net/reader034/viewer/2022050702/58ed46281a28ab47388b45a9/html5/thumbnails/25.jpg)
Solution
➢ Don't reflect the XML back to the user
➢ Turn off external DTD fetching
➢ Turn off DTD
➢ Disable External Entity Parsing
libxml_disable_entity_loader(true); (PHP)
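As an added example (not from the slides), the XML Entity slide and the "Turn off DTD" point above in stdlib Python: the same expat parser either expands the internal entities, reproducing the slide's "Writer: Donald Duck. Copyright: bi0s." output, or, with the DTD handlers armed, refuses the document at the DOCTYPE before any entity is declared. The sample document is constructed to match the slide's output, since the slide's own markup is not in the transcript.

```python
import xml.parsers.expat

# Constructed sample, modelled on the internal-entity example on the
# "XML Entity" slide (the slide's own markup is not in the transcript).
ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY writer "Donald Duck.">
  <!ENTITY copyright "bi0s.">
]>
<note>Writer: &writer; Copyright: &copyright;</note>"""


class DtdRejected(ValueError):
    """Untrusted XML carried a DOCTYPE, entity declaration or external reference."""


def text_of(xml_text, forbid_dtd=False):
    """Return the character data of the document.

    forbid_dtd=False is how a default parser behaves: entities declared in the
    internal subset are expanded in place, which is what turns the sample into
    'Writer: Donald Duck. Copyright: bi0s.'.  forbid_dtd=True is the 'turn off
    DTD' mitigation: the parser aborts at the first DOCTYPE, entity declaration
    or external entity reference, so no entity can ever be expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []  # expat may deliver one text run as several callbacks

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed in untrusted input")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise DtdRejected(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, system_id, public_id):
        raise DtdRejected(f"external entity {system_id!r} not allowed")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = on_doctype
        parser.EntityDeclHandler = on_entity_decl
        parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)  # an exception raised in a handler propagates here
    return "".join(chunks)


if __name__ == "__main__":
    print(text_of(ENTITY_DOC))  # Writer: Donald Duck. Copyright: bi0s.
    try:
        text_of(ENTITY_DOC, forbid_dtd=True)
    except DtdRejected as err:
        print("rejected:", err)
```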