According to OWASP, an XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
If a parser accepts unsanitized XML, we can take advantage of that and send our own crafted XML payload, containing an external entity, to exploit our target. This post won’t be long so let’s get into it.
To show you how this attack works we will be using bWAPP, this is an intentionally vulnerable application and you can download and run it from here.
Once you have the VM installed, go to the XML External Entity Attacks module and set the security level to low, as we have in the image above.
So as we can see above we have the option to “reset your secret” and a button. Before you click on the button we will just want to intercept the packet before it goes to the server and inspect it for ourselves. To do this you will need Burp set up as an intercepting proxy. You can download Burpsuite from here.
Once you have Burp set up, click on the button in the application and let’s see what we get in the intercepted packet.
As we can see at the bottom, this application does in fact accept unsanitized XML. So let’s right click in the Burpsuite window and choose ‘Send to Repeater’.
Next, choose the repeater tab in the Burp application.
Now that we have our request in the repeater, we can now manipulate the packet and see what the results are. So let’s add our own external entity XML tags.
It’s a simple request that tells the server’s parser to read the /etc/passwd file from its own file system and return the contents to us. So let’s send that and inspect the response in our Response pane in the Repeater.
We got back a 200 OK response and the contents of the file we requested. This is how we exploit XML External Entities.
The safest way to prevent XXE is always to disable DTDs (External Entities) completely. Depending on the parser, the method should be similar to the following:
Disabling DTDs also makes the parser secure against denial of service (DoS) attacks such as Billion Laughs, which rely on entity declarations. If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in the way that’s specific to each parser.
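As an added example (not code from the original post or from bWAPP), here is the same mitigation applied to Python’s standard-library expat parser: any DOCTYPE is rejected before the entity declarations inside it are processed, and, as a second line of defence, an external entity reference is refused rather than resolved. The request bodies below are constructed to resemble the post’s “reset your secret” request and are not captured from bWAPP.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, i.e. any DTD at all."""

def parse_hardened(xml_text: str) -> dict:
    """Parse untrusted XML, refusing DTDs; returns {element: text} for leaves."""
    parser = xml.parsers.expat.ParserCreate()
    result, buf = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any <!ENTITY ...> inside it is seen, so
        # refusing every DTD removes both XXE and Billion Laughs in one move.
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not permitted in untrusted input")

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth if a DTD is ever allowed: never resolve external
        # entities. Returning 0 makes expat abort the parse with an ExpatError.
        return 0

    def end_element(name):
        text = "".join(buf).strip()  # expat may deliver text in several chunks
        if text:
            result[name] = text
        buf.clear()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = lambda name, attrs: buf.clear()
    parser.CharacterDataHandler = buf.append
    parser.EndElementHandler = end_element
    parser.Parse(xml_text, True)
    return result

# Constructed sample bodies (not captured from bWAPP): a normal reset request
# and the same request carrying the /etc/passwd external entity from the post.
BENIGN_REQUEST = "<reset><login>bee</login><secret>Any bugs?</secret></reset>"
XXE_REQUEST = ('<?xml version="1.0"?><!DOCTYPE reset [<!ENTITY xxe SYSTEM '
               '"file:///etc/passwd">]><reset><login>&xxe;</login></reset>')

def classify(xml_text: str) -> str:
    """Return 'accepted' or 'rejected: <reason>' for one request body."""
    try:
        parse_hardened(xml_text)
        return "accepted"
    except (DtdNotAllowed, xml.parsers.expat.ExpatError) as exc:
        return f"rejected: {exc}"
```

Because the DOCTYPE handler fires before the internal subset is read, the rejected request never reaches the point where `file:///etc/passwd` could be opened.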
Thanks for reading and be sure to subscribe and come back for more hacking tutorials.