Web Application Security - Team bi0s © 2017
XXE: XML External Entity
25 February 2017
@Team bi0s 1/25
HEERAJ, B.Tech Third Year, Computer Science Engineering, Amrita University
whoami
➔ Undergraduate Student @ Amrita
➔ Web Security Enthusiast
➔ CTF{flag_seeker}
➔ @HRJ
➔ ww.i4info.in
Agenda
➔ Intro to XML & DTD
➔ XML Entity
➔ Parsing XML
➔ Attack Vectors
➔ Demo
XML
➔ eXtensible Markup Language
Where is it used?
➔ Document Formats
➔ Image Formats
➔ Configuration Files
➔ Network Protocols
➔ RSS Feeds, etc.
Document Type Definition
➔ References an external DTD
➔ Defines the document structure with the list of legal elements
XML Entity
➔ Entities help reduce the entry of repetitive information and also allow easier editing
Output: Writer: Donald Duck. Copyright: bi0s.
XML Entity
➔ Internal Entity
➔ External Entity
Parsing
➔ All characters other than <, >, &, ' and " are parsable.
➔ PCDATA is text that will be parsed by a parser. Tags inside the text will be treated as markup and entities will be expanded.
➔ CDATA is text that will not be parsed by a parser.
Attacks Possible
➔ LFI
➔ SSRF
➔ Internal scans
➔ Denial of Service
➔ RCE (not always!)
Attack Vectors
Classic XXE: we can view any file which doesn't contain <, >, &, ' or " as characters.
Direct Feedback Channel
What if you are reading some configuration files?
Direct Feedback Channel
➔ CDATA is very helpful for reading web configuration files, which contain non-parsable characters.
But this won't work!
Direct Feedback Channel
➔ We have to use parameter entities
➢ Parameter.dtd
Out Of Band Channel
➔ No Direct Feedback Channel
Website: http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html
Billion Laughs Attack (Simple Denial of Service)
➔ Works by entity expansion: a small payload (under 1 KB) can expand to about 3 gigabytes of memory.
Different Protocols
OFFICE OPEN XML
➔ Zip archive file containing XML and media files
➔ *.docx, *.xlsx, *.pptx
➔ Developed by Microsoft
OFFICE OPEN XML
Open XML File Container:
➔ Document Properties
➔ Custom Defined XML
➔ Comments
➔ WordML / SpreadsheetML etc.
➔ Embedded Code/Macros
➔ Images, Video, Sound Files
➔ Charts
OFFICE OPEN XML
➔ General Parsing XML
  ◆ /_rels/.rels
  ◆ [Content_Types].xml
  ◆ Default Main Document
    ● /word/document.xml
    ● /ppt/presentation.xml
    ● /xl/workbook.xml
Playing With Content Type
➔ Server may accept multiple data formats
➔ As a result, JSON endpoints may be vulnerable to XXE
➔ Content-Type changed to application/xml
➔ JSON has to be converted to XML
Demo
Solution
➢ Don't reflect the XML back to the user
➢ Turn off external DTD fetching
➢ Turn off DTD
➢ Disable external entity parsing
libxml_disable_entity_loader(true); (PHP)
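The last point on this slide, disabling external entity parsing, is the setting a defender should verify rather than assume. The following added example (not from the slides; written for Python's stdlib xml.sax rather than the PHP libxml call above) parses a constructed document that declares an external entity pointing at a temporary canary file, once with external general entities enabled and once with them disabled, so the returned text shows directly whether the parser configuration would leak file contents:

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class _TextCollector(handler.ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, allow_external_entities):
    """Parse XML with expat via xml.sax; the feature flag is the setting under test."""
    parser = xml.sax.make_parser()
    # feature_external_ges controls resolution of external general entities
    # (SYSTEM "..." entities used in element content). False is the safe setting.
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def external_entity_check(allow_external_entities):
    """Return the text the parser yields for a constructed document whose only
    content is an external entity referencing a canary file on disk."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("CANARY-SECRET")  # constructed marker, not a real secret
        path = f.name
    try:
        # Constructed document: same DOCTYPE/ENTITY shape as a classic XXE read.
        doc = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE data [<!ENTITY ext SYSTEM "{pathlib.Path(path).as_uri()}">]>'
            "<data>&ext;</data>"
        ).encode()
        return parse_text(doc, allow_external_entities)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("external entities disabled ->", repr(external_entity_check(False)))
    print("external entities enabled  ->", repr(external_entity_check(True)))
```

With the feature off the entity is silently skipped and the element text is empty; with it on, the canary file's contents come back as element text, which is exactly the behaviour the classic XXE slide relies on.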