Finally I am here with the topic that I was frightened for no reason. Now I am happy that I did not gave in for my fears.
An XML External Entity (XXE) attack is a
vulnerability that abuses features of XML parsers/data. It often allows an
attacker to interact with any backend or external systems that the application
itself can access and can allow the attacker to read the file on that system.
There are two types of XXE attacks: in-band and out-of-band
(OOB-XXE).
1) An in-band XXE attack is the one in which the attacker can receive an
immediate response to the XXE payload.
2) out-of-band XXE attacks (also called blind XXE), there is no
immediate response from the web application and attacker must reflect the
output of their XXE payload to some other file or their own server.
What is XML?
XML (eXtensible Markup Language) is a markup
language that defines a set of rules for encoding documents in a format that is
both human-readable and machine-readable. It is a markup language used for
storing and transporting data.
Every XML document starts with an XML
Prolog.
<? xml
version=”1.0” encoding=”UTF-8”?>
In the above provided syntax the XML document version and
encoding type is provided. It is not mandatory to have the prolog but it is
considered as a good practice.Let’s consider the below provided example:
<? xml version=”1.0” encoding=”UTF-8”?>
<mail>
<to>test111</to>
<from>boost</from>
<subject>About XXE</subject>
<text>Teach about XXE</text>
</mail>
The <mail> element is the ROOT element of the XML file. It would be considered
as invalid XML file if there is root element present within it.
All the other elements are called as children element. The XML
element also has attributes present such as “message” and “category”.
XXE – DTD
DTD stands for Document Type Definition. A DTD defines the
structure and the legal elements and attributes of an XML document.
Let us try to
understand this with the help of an example. Say we have a file named “test.dtd”
with the following content.
<!DOCTYPE
note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to
(#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading
(#PCDATA)> <!ELEMENT body (#PCDATA)> ]>
. #PCDATA means parseable character data. Now
we can use this DTD to validate the information of some XML document
and make sure that the XML file conforms to the rules of that DTD. Lets
use the previously provided example to understand how the DTD validates the XML
files.
<? xml version=”1.0” encoding=”UTF-8”?>
<mail>
<to>test111</to>
<from>boost</from>
<subject>About XXE</subject>
<text>Teach about XXE</text>
</mail>
1. !DOCTYPE note - Defines a root element of the document named
note
2. !ELEMENT note - Defines
that the note element must contain the elements: "to, from, heading,
body"
3. !ELEMENT to - Defines the
to element to be of type "#PCDATA"
4. !ELEMENT from - Defines
the from element to be of type "#PCDATA"
5. !ELEMENT heading - Defines the heading element to be of type
"#PCDATA"
6. !ELEMENT body - Defines
the body element to be of type "#PCDATA"
7. Note:
<!DOCTYPE replace [<!ENTITY name "boost"> ]>
<userInfo>
<firstName>falcon</firstName>
<lastName>&name;</lastName>
</userInfo>
As we can see we are defining a ENTITY called name and assigning a value feast. And later we use this entity in our code.
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
We use the above provided syntax to read a file from the system by defining the “ENTITY” and having it use the “SYSTEM” keyword. Here we are defining the ENTITY with the name read and we are setting the value of system to read a file from the system.
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///home/falcon/.ssh/id_rsa'>]>
<root>&read;</root>
By executing the above the syntax, we will be able
to access .ssh private key of the system.
That's it folks!!! Will be adding few new blogs on the OWASP TOP 10 Labs ..
No comments:
Post a Comment