Category: Blog note

XXE Attack

What is XXE attack?

An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution

There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
1) An in-band XXE attack is the one in which the attacker can receive an immediate response to the XXE payload.

2) out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own server.

What is the application vulnerable?

Applications and in particular XML-based web services or downstream integrations might be vulnerable to attack if:

  • The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents, which is then parsed by an XML processor.
  • Any of the XML processors in the application or SOAP based web services has document type definitions (DTDs) enabled. As the exact mechanism for disabling DTD processing varies by processor, it is good practice to consult a reference such as the OWASP Cheat Sheet ‘XXE Prevention’.
  • If your application uses SAML for identity processing within federated security or single sign on (SSO) purposes. SAML uses XML for identity assertions, and may be vulnerable.
  • If the application uses SOAP prior to version 1.2, it is likely susceptible to XXE attacks if XML entities are being passed to the SOAP framework.
  • Being vulnerable to XXE attacks likely means that the application is vulnerable to denial of service attacks including the Billion Laughs attack.

Before we move on to learn about XXE exploitation we’ll have to understand XML properly.

What is XML?

XML (eXtensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is a markup language used for storing and transporting data.

Why we use XML?

  • XML is platform-independent and programing language independent, thus it can be used on any system and supports the technology change when that happens.
  • The  data stored and transported using XML can be changed at any point in the time without affecting the data presentation.
  • XML allows validation using DTD and Schema. This validation ensures that the XML document is free form any syntax error.
  • XML simplifies data sharing between various systems because of its platform-independent nature. XML data doesn’t require any conversion when transferred between different systems

What are XML entities?

XML entities are a way of representing an item of data within an XML document, instead of using the data itself. Various entities are built in to the specification of the XML language. For example, the entities &lt; and &gt; represent the characters < and >. These are metacharacters used to denote XML tags, and so must generally be represented using their entities when they appear within data.

What is document type definition?

The XML document type definition (DTD) contains declarations that can define the structure of an XML document, the types of data values it can contain, and other items. The DTD is declared within the optional DOCTYPE element at the start of the XML document. The DTD can be fully self-contained within the document itself (known as an “internal DTD”) or can be loaded from elsewhere (known as an “external DTD”) or can be hybrid of the two.

What are XML custom entities?

XML allows custom entities to be defined within the DTD. For example:

<!DOCTYPE foo [ <!ENTITY myentity “my entity value” > ]>

This definition means that any usage of the entity reference &myentity; within the XML document will be replaced with the defined value: “my entity value”.

What are XML external entities?

XML external entities are a type of custom entity whose definition is located outside of the DTD where they are declared.

The declaration of an external entity uses the SYSTEM keyword and must specify a URL from which the value of the entity should be loaded. For example:

<!DOCTYPE foo [ <!ENTITY ext SYSTEM “http://normal-website.com&#8221; > ]>

The URL can use the file:// protocol, and so external entities can be loaded from file. For example:

<!DOCTYPE foo [ <!ENTITY ext SYSTEM “file:///path/to/file” > ]>

XML external entities provide the primary means by which XML external entity attacks arise.

Exploiting XXE

To perform an XXE injection attack that retrieves an arbitrary file from the server’s filesystem, you need to modify the submitted XML in two ways:

  • Introduce (or edit) a DOCTYPE element that defines an external entity containing the path to the file.
  • Edit a data value in the XML that is returned in the application’s response, to make use of the defined external entity.

For example, suppose a shopping application checks for the stock level of a product by submitting the following XML to the server:

<?xml version=”1.0″ encoding=”UTF-8″?>
<userinfor><name>Leiz</name></userinfor>

The application performs no particular defenses against XXE attacks, so you can exploit the XXE vulnerability to retrieve the /etc/passwd file by submitting the following XXE payload:

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM “file:///etc/passwd”> ]>
<userinfor><name>&xxe;</name></userinfor>

This XXE payload defines an external entity &xxe; whose value is the contents of the /etc/passwd file and uses the entity within the productId value. This causes the application’s response to include the contents of the file:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

NOTE:

With real-world XXE vulnerabilities, there will often be a large number of data values within the submitted XML, any one of which might be used within the application’s response. To test systematically for XXE vulnerabilities, you will generally need to test each data node in the XML individually, by making use of your defined entity and seeing whether it appears within the response.

How to find and test for XXE vulnerabilities?

The vast majority of XXE vulnerabilities can be found quickly and reliably using Burp Suite’s web vulnerability scanner.

Manually testing for XXE vulnerabilities generally involves:

  • Testing for file retrieval by defining an external entity based on a well-known operating system file and using that entity in data that is returned in the application’s response.
  • Testing for blind XXE vulnerabilities by defining an external entity based on a URL to a system that you control, and monitoring for interactions with that system. Burp Collaborator client is perfect for this purpose.
  • Testing for vulnerable inclusion of user-supplied non-XML data within a server-side XML document by using an XInclude attack to try to retrieve a well-known operating system file.

How to prevent XXE vulnerabilities?

preventing XXE requires:

  • Whenever possible, use less complex data formats such as JSON, and avoiding serialization of sensitive data.
  • Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.
  • Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet ‘XXE Prevention’.
  • Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
  • Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
  • SAST tools can help detect XXE in source code, although manual code review is the best alternative in large, complex applications with many integrations.

Practice

With the lab you can create the account and try it by yourself.

https://portswigger.net/web-security/xxe

————-Have nice day guys—–

Website supports HTTP/2

What is http/2

HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web.

Since about 1997, the web has been mostly powered by HTTP/1.1. Back in the 90’s, the web had other needs than we have today. The new protocl version, HTTP version 2 or in short HTTP/2, has some much needed improvements in terms of speed, reliability and security.

I would strongly recommend you to upgrade your webserver to also support the HTTP/2 protocol.

Differences from HTTP1.1

Similar to SPDY, using HTTP/2 does not require any changes to how web applications currently work however, applications are able to take advantage of the optimization features to increase page load speed. According to the HTTP/2 home page, the high-level differences between the HTTP1.1. and HTTP/2 protocol include the following:

  • HTTP/2 is binary, instead of textual
  • It is fully multiplexed, instead of ordered and blocking
  • It can use one connection for parallelism
  • It uses header compression to reduce overhead
  • It allows servers to “push” responses proactively into client caches instead of waiting for a new request for each resource

Overall, HTTP/2 means the server load will go down and the loading times for the end-user will go down drastically as well. And, since it results in a better user experience, it may be advantageous for SEO as well.

Comparison of SPDY3.1 and HTTP/2

Although SPDY and HTTP/2 both have the same goal in mind, there are key variations that exist between them. The following table outlines a few of the high-level differences between SPDY3.1 and HTTP/2

SPDY3.1
HTTP/2
To use the SPDY protocol and take advantage of its features, SSL is required.SSL isn’t required, however encrypted websites will see a boost in performance over today’s encrypted sites.
Multiplexing happens on one host at a time, known as single host multiplexing.Multiplexing happens on different hosts at the same time, known as multi-host multiplexing.
SPDY’s stream-based compression method leaves a slight opening to protocol vulnerabilities.Uses a fixed Huffman code-based header compression algorithm to further prevent attacks and shorten headers.
SPDY’s encrypted connections are fast however they do not use the ALPN extension.

Uses the ALPN extension which allows for faster encrypted connections by letting browsers and servers to decide which application protocol to use initially.

HTTP/2 Support

Most major browsers fully support the use of HTTP/2. This means that if the website you are trying to access runs on an HTTP/2 supported server, your browser will be able to utilize its features. However, although the working group did not require the use of encryption for the new protocol, currently all major browsers only support HTTP/2 over HTTPS.

A more detailed history of browser versions that do support HTTP/2 can be found here.

BrowserSupported
ChromeYes
FirefoxYes
Microsoft EdgeYes
SafariSupport limited to OSX 10.11+
OperaYes
iOS SafariYes
IESupported in version 11, but only for Windows 10.
Android BrowserNo

How to check HTTP/2 support

Test HTTP/2 via command line

1— Using the command line, you can easily check if a website is using the newest HTTP/2 protocol. Using cURL, execute the following command:

curl –http2 https://fallinlove.home.blog

curl -sI domain -o/dev/null -w ‘%{http_version}\n’ => this will show which is current version.

Online HTTP/2 test tools

2There are quite some tools available on the internet that let you enter the website and will show you if this site is using HTTP/2.
KeyCDN: a free HTTP/2 online test tool to Verify HTTP/2.0 Support
Akamai: test if your browser support HTTP/2. They also have a demo to compare the pageload time of a HTTP/1.1 versus the HTTP/2 version.
CloudFlare: for a long time, CloudFlare is one of my favourite companies in terms of innovation and technology. They have a special subdomain to access their site in full HTTP/2 mode.

HTTP/2 browser extension

3If you regularly want to get information about HTTP/2 of website you visit, it might be worth installing a browser plug-in. The HTTP/2 and SPDY indicator plug-in for Google Chrome is an excellent tool to visually indicate if the website you are currently using supports HTTP/2 or SPDY.

Conclusion

HTTP/2 is without a doubt the direction the web is moving towards in terms of networking protocol that is able to handle the resource needs of today’s websites. While SPDY was a great step forward in improving HTTP1.1, HTTP/2 has since further improved the HTTP protocol that has served the web for many years.

Given you have a server that supports the HTTP/2 protocol, you can start serving content over this protocol to users that are accessing your content through a supported browser. For browsers that do not support HTTP/2, they will continue to be delivered content through the old protocol. Using the HTTP/2 protocol will help make websites faster and overall will improve the web’s user experience.

Almost Blog Should Know For Penetration Testing

After a long term, I research and choose security in my career path.

How to get started in security  is a common question nowadays.It’s  a first question when i chosen that path and i ask someone but nobody can answer my question. i try to research and read a lot of books, Blog…  relative to security. During the time i do research, someone sent a message to me and asked the my first question. So I thought I’d rather do a blog post and would direct all those beginners to this blog post.

I’ve been in security field for 3 years now. still, there is so much to learn each and every day, I’m yet not an expert and this post is NOT an expert advice. I am just sharing, what I’ve achieved in the past 3 years and doing continuously to improve my skills.

All below list was read everyday by me and i thought it’s helpful for all people who is starting in this field:

Pentester land

Detecify

Bug bounty from medium

bug bounty note

rapid7 blog

Here is a tool list should be known.

choose one which is helpful and does it as good as you can.

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Public awareness and prevention guides by Europol.

Top tips for staying secure online by the UK National Cyber Security Centre (NCSC).

Watch Your Hack by Daniel Verlaan.

Security awareness and tips by The AntiSocial Engineer.

Security for everyone by Andy Gill.

A guide to protect your digital self by Francesco Cipollone.

End user security cheatsheet by Sean Wright.

Safeonweb a security awareness site from the Belgian government.

Cybersec 101, a security awareness site for beginners.

Decent Security by SwiftOnSecurity.

Cyber aware online by Martijn Kamminga.

Information security for (investigative) journalists (Dutch and English pdf available) by Silkie Carlo and Arjen Kamphuis.

Stop Think Connect. General security awareness in different languages by STOPTHINKCONNECT.

Cybersecurity for small business by FTC

Security tips by US-CERT

PASSWORDS

How to create strong passwords

There’s no excuse for password reuse, or is there?

PASSWORD MANAGERS

Some tips for choosing a password manager

Browser password managers – a good idea?

Why password managers are not the best solution for everyone

Some common misconceptions about password managers and their alternatives

MULTI FACTOR AUTHENTICATION

Multi factor authentication (MFA) for beginners by Tanya Janca.

Two-Factor Authentication with Yubikey – What is it? by Alex Harmon

My own blogs:

Better account security with multi-factor authentication

Enable two-factor authentication but don’t lose access to your accounts

RANSOMWARE

The No More Ransom website can help to get your files back when they are encrypted after a ransomware attack. This website also contains a lot of practical advice to protect against ransomware.

My own blog:

Ransomware 101: How to protect against ransomware and what to do after a ransomware attack?

BACKUPS

Easy, Cheap And Secure Backup With Google Cloud by Scott Helme

Securely backup your data: What does a good backup strategy look like? In this blog I also show a possible practical implementation.

SOFTWARE UPDATES

Why you should keep your software up to date

ONLINE SECURITY FOR CHILDREN

Help your children stay safe online

DATA BREACH DETECTION

How to monitor your data breach exposure: in this blog I describe several tools that can help to detect if your personal data is stolen.

SCAMS AND FRAUD

How to prevent online shopping fraud

Tech support scams – what you need to know

Sextortion scams – what you need to know

How to stay safe on social media

SECURITY TOOLS

Before you click a link you want to check it with a scanning tool. A few easy to use tools are urlscan.io and virustotal. Here’s a blog (in Dutch) on how to check if links are secure.

INTERNET OF THINGS (IOT) SECURITY

The security risks of internet connected devices

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Thanks for you reading!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!