XML External Entity (XXE) Vulnerability

According to OWASP, an XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

If a parser accepts unsanitized XML, we can take advantage of that and send our own crafted external XML payload to exploit our target. This post won’t be long so let’s get into it.

$199 ENROLLS YOU INTO OUR SELF PACED COURSE – LFS264 – OPNFV FUNDAMENTALS!

To show you how this attack works we will be using bWAPP, this is an intentionally vulnerable application and you can download and run it from here.

xxe1.PNG

Once you have the VM installed, go to the XML External Entity Attacks module and set the security level to low, as we have in the image above.

So as we can see above we have the option to “reset your secret” and a button. Before you click on the button we will just want to intercept the packet before it goes to the server and inspect it for ourselves. To do this you will need Burp set up as an intercepting proxy. You can download Burpsuite from here.

ENROLL TODAY IN THE SELF PACED COURSE – LFS263 – ONAP FUNDAMENTALS FOR $199!

Once you have Burp set up, click on the button in the application and let’s see what we get in the intercepted packet.

xxe2

As we can see at the bottom, this application does in fact accept unsanitized XML. So let’s right click in the Burpsuite window and choose ‘Send to Repeater’.

xxe3

Next, choose the repeater tab in the Burp application.

xxe4

Now that we have our request in the repeater, we can now manipulate the packet and see what the results are. So let’s add our own external entity XML tags.

$299 REGISTERS YOU FOR OUR NEWEST SELF PACED COURSE! LFD201 – INTRODUCTION TO OPEN SOURCE DEVELOPMENT, GIT, AND LINUX!

xxe5

It’s a simple request for us to enter the file system of the server and display for us the contents of the /etc/passwd file. So let’s send that an inspect the response in our Response pane in the Repeater.

xxe6.PNG

We got back a 200 OK response and the contents of the folder we requested. This is how we exploit XML External entities.

REGISTER TODAY FOR YOUR KUBERNETES FOR DEVELOPERS (LFD259) COURSE AND CKAD CERTIFICATION TODAY! $499!    $299 now!!

Prevention

The safest way to prevent XXE is always to disable DTDs (External Entities) completely. Depending on the parser, the method should be similar to the following:

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Disabling DTDs also makes the parser secure against denial of services (DOS) attacks such as Billion Laughs. If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in the way that’s specific to each parser.

Thanks for reading and be sure to subscribe and come back for more hacking tutorials.

QuBits 2019-10-14

banner2

 

1 Comment

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.