Exploiting XXE to retrieve files
This article will talk about a vulnerability called XXE – XML external entity injection.
Before we exploit the XXE vulnerability, I’d like to explain what it is and what attackers can do.
XML external entity (XXE)
XXE is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data.
It often allows an attacker to view files on the application server filesystem and interact with internal & external systems that the application itself can access.
Important to understand that This vulnerability occurs when the XML parser is not configured correctly!
The main goal of XXE is to steal source code from the system.
In addition, we can steal password files and back-end source code, which is valuable to companies.
In order for the system to be vulnerable to XXE, the programmer has to manually add the option to support DTD in the parser; once, by default, the support was available!
Actions an attacker can perform with XXE
Billion Laughs – Uploading a script file that calls the next and the following lines, all of which weighs only one KB, but the system needs to analyze it in 3 gigabytes of working memory which causes to denial of service (DDOS).
The same attack can also be used in drafting other scripts, the main thing being that they will make the analysis system work non-stop and overload it.
XXE – Adding an external xml entity under the System entity and basically trying to transfer a form that will try to bring us information from the server.
XXE Payloads – valuable source to find payloads for XXE: https://github.com/payloadbox/xxe-injection-payload-list
Exploiting XXE vulnerability
The lab that I am going to use is on the PortSwigger platform at the following link: https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files
Open Burp Suite and enable proxy, and then you’re good to go.
The lab looks like a shopping website where customers can buy some gifts.
Before we attack any website, it’s important to try and understand all the functionalities of the website.
As a customer, I can click on an item and then I can check stock in three cities: London, Paris and Milan.
Let’s say I live in London and I want to check if there is stock.
After choosing city, I clicked “Check stock” and we’ll get a response of amount of units.
After clicking “Check stock”, I got a POST request in Burp Suite from the server, and I noticed that there was an XML form.
Now, the fun begins.
We need to find a way to read /etc/passwd file.
The first time, I tried to put code that would allow me to read the contents of the /etc/passwd file in base64 – like this:
Unfortunately, I got an error:
I tried another way, and very simple.
I put a SYSTEM command to allow reading local system files on the server and I put the path to /etc/passwd.
Finally, I got a wonderful response, and I got the content of the /etc/passwd file.
I have to admit that exploiting the XXE vulnerability was interesting and satisfying.
Now, let’s talk about how we can protect websites from XXE attacks!
XXE Mitigation
- DTD and XML external entity features must be disabled.
- All XML processors and libraries used in the application must be patched and updated always.
- WAF – Installing a firewall for the application that will filter such attack attempts
- Ensure that the user inputs are validated before being parsed.
Hope you guys find this article useful.