Today’s post will be focusing on different attacks on the XXELab. First, let’s define XXE, what it is, and how it presents itself on a web application. XXE stands for XML External Entity attack and any application that parses XML input may be vulnerable to this type of attack, especially if it parses data without filtering input from the user. This attack can lead to sensitive server side information being disclosed like user password files, logs, software versions, and remote code execution allowing a full compromise of the machine. XXE takes advantage of an entity, an entity is a storage unit of some type. The entity is declared as a system identifier which can then be called within an XML document. Now let’s move onto the XXELabs exercises.
The Lab
If you have not heard of XXELabs it is an amazing project it is a simple webapp with an XXE vulnerability. You will need a proxy to play with this setup project like BurpSuite or ZAP. I will not go over the installation setup for the proxy or the lab since there are many other websites that detail this. Plus the XXELabs has an amazing setup guide on their GitHub.
This is the user interface for our vulnerable XML web application. Now let’s fill in the form, capture the request, and attack.
The Methods
Let’s talk about different XXE methods first. There are a few and I won’t detail the DOS attacks since I am mostly interested in exploiting and exfiltrating data to be used in testing applications in the wild. Since this is where the biggest risk lies for any company. DOS can be a nuisance but it does have its uses for leveraging into a system further and compromising other aspects of the network.
The 3 types of attacks we will cover in this 2 part series are accessing a local resource, remote code execution, and then in part two we will go over external URL commands using the HTTP module.
Module Types
When exploiting XML we have a few commonly used modules types we will be using to exploit our victim machines. Most often we will use file: http/s: expect: all will retrieve useful data from the server to the attacking machine.
The Basics: A string to /etc/passwd
A basic XML response will look something like this the XML parser is executing code onto the remote server. Inside of the POST response we can see we get a call for XML version 1.0.
<?xml version=”1.0″ encoding=”ISO-8859-1″?>
The XML form below gives us different parameters to inject our code into using the registration form. With fields such as name, telephone number, email address, and password.
Now lets begin to craft a bit of malicious XML code into our registration form. We will begin by calling a Document Type Definition which defines the document with a list of valid elements and attributes. This is where we will be leveraging our attack.
In this example we will start with a basic “Hello world” attack. By placing the world into an attribute called bar. Calling is in our XML code below with &bar; in the email parameter.
Once we have verified this attack we will move onto placing and expect://id module into the XML code. So moving from a string to an exfiltration attack to gain knowledge about the underlying system.
Our new code should look something like this:
<!DOCTYPE foo
[<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM “expect://id” >]>
We will be calling the SYSTEM and the expect id of the user who has control over the application. After modifying out code we get the output of the user www-data.
And then changing the n0ps@email.com with our new attribute.
Now that we have gone from a simple string replacement to identifying the id of the web application user we will modify our exploit to gain some interesting output about the underlying system. Taking the same code we had from before we will modify it slightly to look like this:
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM “file:///etc/passwd” >]>
Run our code in the BurpSuite repeater tab and we should see the output of /etc/passwd file.
In the next article I will show you how to go from XXE to RCE and other fun little tricks in the XXELab. Plus some mitigation techniques!