XML External Entity Attack Hints
Overview
An XML External Entity (XXE) attack becomes possible when an application allows an input parameter to be XML, or to be incorporated into XML, that is then passed to an XML parser running with sufficient privileges to include external or system files.
Discovery Methodology
Attempt to inject XML or reserved characters into input parameters and observe whether XML parsing errors are generated.
For web services, check each input parameter specified in the WSDL document for those of type XML.
Exploitation
Use information disclosed in error messages to determine the file path at which the XML parser is parsing. Cause errors to occur using malformed XML, XML that starts with whitespace or null characters, and XML that does not meet the XSL specification.
Also try to load files that don't exist in order to determine the operating system type and the path at which interpretation is taking place.
Example
XML is well known for containing data (text nodes) which is marked up by tags (element nodes). XML also has place-holders called entities. Web developers often use pre-defined entities without realizing they are using an XML entity. For example, the less-than symbol < can be represented by the pre-defined entity &lt;. The &lt; entity is defined in the parser itself, so there is no need to declare &lt; before using it. However, developers are allowed to declare their own entities. XML documents also contain a mechanism by which they can import and include external files as part of themselves. The imported file will be included in the XML document wherever the entity appears.
Here are some examples to try
Valid XML without entities
Hello World
XML with the predefined &quot; entity
"Hello World"
XML with the user defined myEntity entity
XML with multiple user defined entities
The DOCTYPE section of an XML document optionally defines external files to be included as part of the XML document. Interestingly, these can even be files from the system parsing the XML.
To declare an external entity, the ENTITY directive defines the resource represented and the symbol that will represent the entity. In this example the entity is a local system resource, as indicated by the SYSTEM keyword; the resource is a local file (./robots.txt), and the symbol that represents the entity is systemEntity. Entities do not have to be external; in this example the resource happens to be an external system file. Entities can also be strings or other local values.
The XML parser will import the file. The file's contents are output into the XML document wherever the symbol appears, preceded by an ampersand (&) and followed by a semicolon (;).
&systemEntity;
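The following is an added example, not code from the original post. It rebuilds the examples above as constructed documents (the root element name doc is an assumption, since the post's markup is not shown) and runs them through Python's standard-library parser, xml.etree.ElementTree, to show what a parser does with each kind of entity: predefined and user-defined entities are expanded, while the SYSTEM entity is refused because ElementTree has no external-entity handler. It also shows the gate a defender would put in front of any parser, rejecting a DOCTYPE in untrusted input outright so that external entities never reach a parser that would resolve them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample documents that mirror the post's examples; the root
# element name "doc" is an assumption, since the original markup is not shown.
VALID_NO_ENTITY = "<doc>Hello World</doc>"
PREDEFINED_ENTITY = "<doc>&quot;Hello World&quot;</doc>"            # built-in entity
USER_ENTITY = ('<!DOCTYPE doc [<!ENTITY myEntity "Hello World">]>'
               "<doc>&myEntity;</doc>")                             # internal entity
MULTIPLE_ENTITIES = ('<!DOCTYPE doc [<!ENTITY hello "Hello"><!ENTITY world "World">]>'
                     "<doc>&hello; &world;</doc>")
EXTERNAL_ENTITY = ('<!DOCTYPE doc [<!ENTITY systemEntity SYSTEM "./robots.txt">]>'
                   "<doc>&systemEntity;</doc>")                     # external entity


def parse_text(xml_doc):
    """Parse with the standard-library parser and return (ok, text).

    ElementTree expands predefined and internal entities itself, but it has
    no external-entity handler, so a reference to a SYSTEM entity is reported
    as an undefined entity instead of being read from disk.
    """
    try:
        return True, ET.fromstring(xml_doc).text
    except ET.ParseError as exc:
        return False, str(exc)


DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")


def parse_untrusted(xml_doc):
    """Defence-in-depth gate for XML from an untrusted source.

    Application data never needs to ship its own DTD, so any DOCTYPE is
    rejected before the parser sees it. That removes external entities on
    every parser, not only the ones that happen to ignore them, and also
    blocks internal-subset entity tricks. The check runs on decoded text:
    decode bytes (honouring the declared encoding) before calling this.
    """
    if DOCTYPE_RE.search(xml_doc):
        raise ValueError("DTD (DOCTYPE) is not accepted in untrusted XML")
    return ET.fromstring(xml_doc).text


if __name__ == "__main__":
    for label, doc in [("no entities", VALID_NO_ENTITY),
                       ("predefined entity", PREDEFINED_ENTITY),
                       ("user-defined entity", USER_ENTITY),
                       ("multiple entities", MULTIPLE_ENTITIES),
                       ("external SYSTEM entity", EXTERNAL_ENTITY)]:
        print(f"{label:24s} -> {parse_text(doc)}")
    for doc in (VALID_NO_ENTITY, EXTERNAL_ENTITY):
        try:
            print("gate accepted:", parse_untrusted(doc))
        except ValueError as exc:
            print("gate rejected:", exc)
```

The point of the gate is that it does not depend on which parser is behind it: a library such as lxml resolves external entities by default unless told not to, and a DOCTYPE check in front of it closes that path regardless of the library's settings.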
In an external entity attack, XML is injected into or uploaded to the site in an effort to get the XML parser to import the injected entity into the XML and then output the contents of the entity.
If the web server is misconfigured or given too many privileges, the XML parser can import operating system files. This example works on many Windows systems.
The output will look similar to the following:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
Other injections are possible. This version uses injected comment symbols to alter the XML, which is useful for filter bypass.
Hello World <!--
NJ
This is a slightly different version of XXE to fetch the robots.txt.
&systemEntity; ;
This injection results in a cross-site script (XSS).
$lDOMDocument->textContent=<![CDATA[<]]>script<![CDATA[>]]>alert('XSS')<![CDATA[<]]>/script<![CDATA[>]]>
This injection also results in a cross-site script.
<script>alert("Hello
World")</script>
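The injection variants in this section (an external entity declaration, a dangling comment opener, and a script tag reassembled from split CDATA sections) each leave a recognisable trace in the raw request body. The following is an added example, not code from the original post: a small detector that runs over constructed sample bodies (not captured traffic) and reports which indicators each one carries. The CDATA check works by flattening CDATA sections the way a parser does and comparing how many tag-like tokens appear before and after; legitimate CDATA use, such as escaping a bare less-than sign, does not change that count and so does not alert.

```python
import re

# Constructed request bodies (not captured traffic) that mirror the variants
# shown in the post: a benign document, an external-entity declaration, a
# dangling comment opener, markup reassembled from split CDATA sections, and
# a legitimate CDATA use that must not alert.
SAMPLE_BODIES = [
    "<doc>Hello World</doc>",
    '<!DOCTYPE doc [<!ENTITY systemEntity SYSTEM "./robots.txt">]><doc>&systemEntity;</doc>',
    "<doc>Hello World <!--</doc>",
    "<doc><![CDATA[<]]>script<![CDATA[>]]>alert('XSS')<![CDATA[<]]>/script<![CDATA[>]]></doc>",
    "<doc><![CDATA[a < b]]></doc>",
]

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b")
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)
TAG_RE = re.compile(r"</?[A-Za-z]")


def indicators(body):
    """Return the list of XXE/injection indicators found in one XML body."""
    found = []
    if DOCTYPE_RE.search(body):
        found.append("dtd-present")
    if EXTERNAL_ENTITY_RE.search(body):
        found.append("external-entity")
    start = body.find("<!--")
    if start != -1 and "-->" not in body[start:]:
        found.append("unterminated-comment")
    # A parser delivers CDATA sections as plain text. If flattening them
    # yields more tag-like tokens than the raw body had, markup was being
    # smuggled through in pieces.
    flattened = CDATA_RE.sub(r"\1", body)
    if len(TAG_RE.findall(flattened)) > len(TAG_RE.findall(body)):
        found.append("cdata-split-markup")
    return found


def scan(bodies):
    """Map body index -> indicators, keeping only bodies that raised any."""
    result = {}
    for i, body in enumerate(bodies):
        hits = indicators(body)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_BODIES).items():
        print(f"body {i}: {', '.join(hits)}")
```

Run on text that has already been decoded from the request's declared encoding; a byte-level match would miss the same payload sent as UTF-16.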