Learn XXE by doing hands-on challenges

thehackerish
5.5K views - 5 years ago
Hello and welcome to this OWASP Top 10 training series. Today, you will practice XXE injection on OWASP WebGoat. By the end of this tutorial, you will achieve the following goals:
- Exploit XXE to read internal files from the vulnerable server
- Pivot from XXE to SSRF
- Exploit a blind XXE
- Perform the XXE billion laughs attack



=================

XXE theory blog post: https://thehackerish.com/xxe-explaine...
XXE practice tutorial: https://thehackerish.com/xxe-tutorial...
Follow us on Twitter: thehackerish
Facebook Page: thehackerish
STOK video about XXE: Video

================



Before understanding XXE, you need to know a few key concepts that will help you properly understand the XXE attack.


XML stands for Extensible Markup Language. It defines how a document should be structured for data exchange, and it is used to exchange data between systems. For example, when you subscribe to an RSS feed, your client software consumes XML documents containing the news and displays them in a feed. Another example is SOAP, which uses XML to exchange data in web services.
In order for an application to manipulate XML documents, it uses an XML parser, which converts the text representation sent over the network into an XML DOM (Document Object Model) ready to be consumed by the application.
Sometimes, when exchanging XML documents, developers need to enforce which elements, attributes and value types a document may contain. This can be done using a document type definition (DTD). This will come in handy when exploiting XXE.

XML entities provide a way to represent data within an XML document. Think of an entity as a variable holding your data, which you can reference in many places. Entities are defined inside a DTD.

Sometimes, XML external entities cannot be used, for reasons we will explore shortly. In this case, you can use parameter entities. They are special entities which can only be referenced inside a DTD.



XXE injection happens when an application trusts user input in an XML document and hands it to a parser that resolves external entities.



When the server doesn't return direct feedback to the user upon an XML injection, we call it a blind XXE vulnerability. You may wonder how we would exploit it if there is no feedback. Well, the same concept we learned in the Injection vulnerability can be applied here: abusing the interpreter to make a call to us. The easiest way to detect a blind XXE is to use a URL pointing to our server in the XML external entity.
Sometimes, even if there is a blind XXE vulnerability and HTTP traffic is allowed outbound, you will not receive a ping from the vulnerable server. In this case, you can use parameter entities instead of external entities. You might get lucky if XML external entities are blocked. This is especially useful when you don't have an XML field in which to reference the XML external entity.
Once you have confirmed it, you can start testing for the XXE vulnerability. There are many scenarios depending on the situation, but they all fall into the out-of-band category.
Sometimes, you can't retrieve multi-line files because their content doesn't result in a valid URL. Therefore, you can use an FTP server to receive the incoming requests instead.
You can easily set up an FTP server using xxeserv. If you don't have a publicly accessible server, you can use ngrok to expose a local VM to the internet.
All the scenarios we described so far require you to host a malicious DTD file on your server. However, what do you do if there is a firewall denying all egress traffic?
In his write-up, Arseniy Sharoglazov introduced a new technique. Basically, the idea is to reuse an already existing DTD on the server and redefine a parameter entity inside it. Why not just include the external DTD inside the internal one, you might ask? Well, in XML, you can't use nested entities in internal DTDs.
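From the defender's side, the constructs discussed above (a DOCTYPE with external entities, parameter entities used for blind XXE, and recursive internal entities for the billion laughs attack) can all be screened for before an XML document reaches the parser. The following is an added example, not code from the video or from WebGoat; `screen_xml`, `ENTITY_RE` and the sample documents are my own constructed names and inputs, and the regex-based screen is a triage aid, not a replacement for disabling DTD processing in the parser.

```python
import re

ENTITY_RE = re.compile(  # general/parameter entity declarations, internal or external
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.:-]+)\s+"
    r"(?:(?P<ext>SYSTEM|PUBLIC)\s+(?P<uri>\"[^\"]*\"|'[^']*')"
    r"|(?P<value>\"[^\"]*\"|'[^']*'))",
    re.IGNORECASE,
)
REF_RE = re.compile(r"&([\w.:-]+);")  # general entity reference inside a value

def screen_xml(doc, max_expansion=1_000_000):
    """Return findings ('doctype', 'external-entity:<uri>', 'parameter-entity:<name>',
    'entity-expansion:<bytes>') for untrusted XML; [] is a screen, not proof of safety."""
    findings = []
    if re.search(r"<!DOCTYPE\b", doc, re.IGNORECASE):
        findings.append("doctype")
    internal = {}  # name -> replacement text of internal general entities
    for m in ENTITY_RE.finditer(doc):
        if m.group("param"):
            findings.append("parameter-entity:" + m.group("name"))
        if m.group("ext"):
            findings.append("external-entity:" + m.group("uri")[1:-1])
        elif not m.group("param"):
            internal[m.group("name")] = m.group("value")[1:-1]
    cache = {}
    def expanded_size(name, stack):
        # Fully expanded byte count of one internal entity (billion laughs check).
        if name in cache:
            return cache[name]
        if name in stack or name not in internal:
            return 0  # recursive reference (illegal XML) or undefined entity
        value = internal[name]
        size = len(REF_RE.sub("", value))
        size += sum(expanded_size(r, stack | {name}) for r in REF_RE.findall(value))
        cache[name] = size
        return size
    worst = max((expanded_size(n, frozenset()) for n in internal), default=0)
    if worst > max_expansion:
        findings.append("entity-expansion:%d" % worst)
    return findings

# Constructed samples (not from the video): the classic file-read document and a
# generator for the billion laughs document with a configurable depth and fan-out.
FILE_READ = '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>'

def billion_laughs(depth=6, fanout=10):
    ents = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else "lol%d" % (i - 1)
        ents.append('<!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * fanout))
    return "<!DOCTYPE r [%s]><r>&lol%d;</r>" % ("".join(ents), depth)
```

The expansion estimate is the size the parser would have to materialise, so a depth-6 fan-out-10 chain is reported as 3,000,000 bytes even though the document itself is a few hundred bytes long.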



File uploads can be vulnerable to XXE if the application parses the uploaded files as XML. A typical file type which uses XML is SVG.



You can do more than just exfiltrate internal files. Depending on the context, an XXE vulnerability can lead to many different outcomes.
Published 5 years ago, on 1398/11/14.