What is XXE vulnerability?

Kemalfurkanaraci
Feb 26, 2022

Before jumping into the XXE attack, we should know the basics: what XML is and what it is used for.

What is XML used for?

XML stands for Extensible Markup Language. It is used to store and transfer data between two points (for example, a client and a web server).

There are similarities between HTML and XML, such as the use of tags, but the main difference between them is their purpose.

HTML is used to present data, whereas XML is used to store and transfer it.

Definition of XML (XML prolog)

<?xml version="1.0" encoding="UTF-8"?>

That is an XML prolog.

We do not need to include the XML prolog every time we use XML, but it is good practice.

<!DOCTYPE Pwn [
<!ENTITY person "test">
]>
<root>
<name>&person;</name>
</root>

Entities can be used to declare a value in XML; we can think of them as a global variable in a programming language. With this declaration, the web page just shows us the word test.

<!DOCTYPE Pwn [
<!ENTITY person SYSTEM "secret.txt">
]>
<root>
<name>&person;</name>
</root>

The SYSTEM keyword makes the entity external: its content is loaded from an external resource such as a file on the server's filesystem. That is the feature of ENTITY that makes XXE possible. With this declaration, the web page shows us the content of secret.txt instead of the word test.

What is XML external entity injection?

XML external entity injection (XXE) is a web security vulnerability that allows an attacker to view files on the application server's file system.

The ENTITY feature allows access to external resources such as system files or other sites reachable from the server. If a web service uses XML to transfer data between the client and itself, and then displays that data on a web page, that input is the place to check for XXE.

Exploiting XXE to retrieve Files

To exploit an XXE injection, we need to modify the submitted XML.

Retrieve Passwd File

After submitting a POST request, we can intercept that request with Burp Suite and send it to Repeater for further investigation.

There is a parameter in the request called “xxe”, and that is the parameter we need to check to see whether XXE occurs or not.

Modify that parameter with the following, then send the request again:

<!DOCTYPE test [<!ENTITY person SYSTEM "file:///etc/passwd">]>

Oh! It let us view a system file which we normally do not have permission to view.

Viewing /etc/passwd shows us the users that are able to log into the system. One of them is falcon.

After that, we could try to view falcon's private key in the filesystem, at /home/falcon/.ssh/id_rsa.

Falcon’s Private Key File

Let's copy the private key found at /home/falcon/.ssh/id_rsa and paste it into a file on our own system. We can then use that private key to open an SSH connection. Below is the command to connect via SSH:

ssh -i private_key.txt falcon@TARGET_IP_ADDRESS

Access Web Server via SSH

Look at that: we can access the server via SSH with an interactive shell.

Exploiting XXE to perform SSRF attack

SSRF is a web vulnerability that attackers abuse to make a vulnerable server request any URL that the server itself can reach. You can read more about it at the link below:

https://portswigger.net/web-security/ssrf

Because of the ENTITY feature, an XXE vulnerability can be used to reach external resources from the server.

For instance:

<!ENTITY person SYSTEM "localhost:3306">

<!ENTITY person SYSTEM "http://vulnerable.com">

Mitigation of XXE attack

Developer training is a good choice for mitigating XXE. Use less complex data formats such as JSON where possible.

Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system.
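As an added example (not code from this post), here is the parser-side mitigation that complements the points above: disable DTDs entirely, so that no <!ENTITY ... SYSTEM ...> declaration like the one used against /etc/passwd can ever be processed. It assumes a Python back end and uses only the standard library's expat parser; the function and class names are my own.

```python
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares a DTD (and so could declare entities)."""

def _refuse_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Client data never needs a DTD, and a DOCTYPE is the only place an
    # <!ENTITY ... SYSTEM ...> can be declared, so refuse it before any expansion.
    raise UnsafeXMLError(f"DOCTYPE '{doctype_name}' is not allowed in client input")

def parse_untrusted_xml(data: str) -> dict:
    """Return {element name: text content} for a DTD-free XML document."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse_doctype
    result = {}
    open_elements = []

    def start(name, attrs):
        open_elements.append(name)
        result.setdefault(name, "")

    def end(name):
        open_elements.pop()

    def chars(text):
        # expat may deliver character data in several chunks; concatenate them.
        if open_elements:
            result[open_elements[-1]] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return result

def accepts(data: str) -> bool:
    """True if parse_untrusted_xml accepts the document, False if it rejects it."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False

# Constructed sample inputs: a benign document and the post's /etc/passwd payload.
BENIGN = '<?xml version="1.0" encoding="UTF-8"?><root><name>test</name></root>'
XXE_PAYLOAD = ('<!DOCTYPE test [<!ENTITY person SYSTEM "file:///etc/passwd">]>'
               '<root><name>&person;</name></root>')
```

Refusing the DOCTYPE also blocks internal entity expansion (the "billion laughs" denial of service), which a parser that merely declines to fetch external entities still allows.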

References

https://tryhackme.com/

Thanks for reading.
