xxe xml external entity

Posted on 11-Apr-2017


Web Application Security - Team bi0s © 2017

XXE XML External Entity

25 February 2017

@Team bi0s 1/25

Heeraj (B.Tech, Third Year, Computer Science Engineering, Amrita University)

whoami


➔ Undergraduate Student @ Amrita

➔ Web Security Enthusiast

➔ CTF{flag_seeker}

➔ @heerajnair

➔ ww.i4info.in


Agenda


➔ Intro to XML & DTD

➔ XML Entity

➔ Parsing XML

➔ Attack Vectors

➔ Demo


XML


➔ eXtensible Markup Language


Picture: 123RF.COM

Where is it used?


➔ Document Formats

➔ Image Formats

➔ Configuration Files

➔ Network Protocols

➔ RSS Feeds, etc.


Picture: c-sharpcorner.com

Document Type Definition


➔ References an external DTD

➔ Define structure with the list of legal elements


XML Entity


➔ Entities help to reduce the entry of repetitive information

Output: Writer: Donald Duck. Copyright: bi0s.


XML Entity


➔ Internal Entity

➔ External Entity


Parsing


➔ Characters other than < , > , & , ' , " are all parsable.

➔ PCDATA is text that will be parsed by a parser.

➔ CDATA is text that will not be parsed by a parser.

◆ Ex: <![CDATA[<data>Hello, world!]]>


Attacks Possible


➔ Denial Of Service

➔ Local File Inclusion

➔ SSRF

➔ Internal scans

➔ RCE (not always!)


Billion Laughs Attack


➔ Works by the expansion property: simple code (<1 KB) will expand to up to 3 gigabytes of memory.


Website: digitalimprint.com

Attack Vectors


Classic XXE: we can view any file which doesn't contain < , > , & , ' , " as characters.


Avinash S: Here they used the power/image_size as it is simple to test. But showing this as the first example of XXE can be confusing, as many people might not even know what the purpose of this file is. Replace it with the example of etc/passwd (e.g., see #4 of https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE.pdf).


OFFICE OPEN XML


➔ Zip archive file containing XML and media files

➔ *.docx , *.xlsx , *.pptx

➔ Developed by Microsoft


OFFICE OPEN XML


➔ Files in OOXML

◆ /_rels/.rels

◆ [Content_Types].xml

◆ Default main document

● /word/document.xml

● /ppt/presentation.xml

● /xl/workbook.xml


Direct Feedback Channel


What if you are reading some configuration files?


Different Protocols


php://filter/convert.base64-encode/resource=/etc/passwd

Direct Feedback Channel


➔ CDATA is very helpful for reading web configuration files, which contain non-parsable characters.

But this won't work!!


Heeraj Nair: change pic, with fstab

Avinash S: You really want to show the spelling mistake of "end"?

Direct Feedback Channel


Diagram with two parties, Attacker's Server and Host:

1. XML Request

2. Get the DTD

Parsing

3. Info Back

Direct Feedback Channel


➔ We have to use parameter entities

➢ Parameter.dtd


Out Of Band Channel


Diagram with two parties, Attacker's Server and Host:

1. XML Request

2. Get the DTD

Parsing

3. Info Back

4. GET ?data=root:x:0:0:root:

Out Of Band Channel


➔ No direct feedback channel


Demo


XXE Cheat Sheet: http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html


Solution


➢ Validation of user input

➢ Turn off external DTD fetching

➢ Disable external entity parsing

libxml_disable_entity_loader(true); (PHP)
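An added example, not from the bi0s slides, of the "validation of user input" step: a pre-parse inspector that flags the three DTD constructs the earlier slides rely on (external entities, the parameter entities behind the out-of-band channel, and Billion Laughs expansion), measuring expansion arithmetically instead of letting a parser do it. The function names, the regexes and the 100 000-byte expansion limit are my own choices, not anything from the slides.

```python
# Added example, not from the bi0s slides: a pre-parse inspector for the
# "validation of user input" mitigation. It only reads the DTD text, so a
# Billion Laughs payload is measured arithmetically, never expanded.
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+\w+(\s+(SYSTEM|PUBLIC))?", re.I)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(\w+)\s+(?:(SYSTEM|PUBLIC)[^>]*|(["\'])(.*?)\4)\s*>',
    re.I | re.S)
REF_RE = re.compile(r"&(\w+);")  # general entity reference in content

def parse_entities(doc):
    """Split <!ENTITY> declarations into internal values, external and parameter names."""
    internal, external, parameter = {}, set(), set()
    for is_param, name, kind, _q, value in ENTITY_RE.findall(doc):
        if is_param:
            parameter.add(name)   # <!ENTITY % p ...>: building block of the OOB channel
        elif kind:
            external.add(name)    # SYSTEM/PUBLIC resolves a URI: file://, http://, php://
        else:
            internal[name] = value
    return internal, external, parameter

def expanded_length(name, internal, seen=()):
    """Size of an internal entity after full expansion, computed without expanding."""
    if name in seen:
        return float("inf")  # recursive reference: illegal XML, treat as unbounded
    value = internal.get(name, "")  # unknown or external names contribute nothing
    total = len(REF_RE.sub("", value))
    for ref in REF_RE.findall(value):
        total += expanded_length(ref, internal, seen + (name,))
    return total

def inspect_xml(doc, max_expansion=100_000):
    """Return findings that should block parsing; an empty list means no DTD risk."""
    m = DOCTYPE_RE.search(doc)
    if not m:
        return []  # no DOCTYPE, hence no entity declarations at all
    findings = ["external DTD referenced"] if m.group(2) else []
    internal, external, parameter = parse_entities(doc)
    for label, names in (("external", external), ("parameter", parameter)):
        if names:
            findings.append(f"{label} entities: {sorted(names)}")
    end = doc.find("]>", m.end())  # element content starts after the internal subset
    body = doc[end + 2:] if end != -1 else doc[doc.find(">", m.end()) + 1:]
    size = sum(expanded_length(r, internal) for r in REF_RE.findall(body))
    if size > max_expansion:
        findings.append(f"expansion of {size} bytes exceeds {max_expansion}")
    return findings
```

Run inspect_xml() on the raw request body before it reaches the XML parser; where an application never needs a DOCTYPE, rejecting any DOCTYPE at all is the simpler rule. The libxml_disable_entity_loader() call on the slide is deprecated since PHP 8.0 because libxml 2.9 and later no longer loads external entities by default, so a pre-parse check is a worthwhile second layer regardless of parser settings.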


Playing With Content Type


➔ Server may accept multiple data formats

➔ As a result, JSON endpoints may be vulnerable to XXE

➔ Content-Type changed to application/xml

➔ JSON has to be converted to XML


OFFICE OPEN XML


Open XML File Container (diagram): Document Properties, Custom Defined XML, Comments, WordML/SpreadsheetML etc., Embedded Code/Macros, Images, Video, Sound Files, Charts
