{% extends 'introduction/base.html' %} {% block content %} {% block title %} XXE Injection {% endblock %}

XXE Injection

What is XML External Entity Injection

XML External Entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

This lab helps us understand how XXE vulnerabilities can be exploited in the wild. The lab consists of a commenting feature which asks the user to enter his/her thoughts about a picture show. Once the comment is submitted, the user is also given a feature to see how the comment is stored in the database. This can be done by clicking the click here button.

What could go wrong here?
When the user clicks the button to save his comments, the data is sent to the server in the form of an XML POST request. This can be seen by intercepting the request made to the server by that button using Burp Suite.
Sending data to the server in the form of XML is not vulnerable in itself; the vulnerability lies in the way the XML is parsed. An XML parser which allows DTD retrieval (and so resolves external entities) is vulnerable to XXE injection if no input validation is done on the XML data.

Exploiting the XML Parser

  • Open Burp Suite and make sure it is ready to capture the web traffic.
  • Enter your comments in the input box provided.
  • Before hitting the Let the world see button, go to Burp Suite and turn on intercept.
  • Now you should be able to see a POST request containing XML data, with your comment inside the text tag.
  • Now we need to introduce a DTD which tries to fetch files from the server's filesystem.
  • This can be done by using the DOCTYPE declaration and defining the entity.
  • The Payload

  • <?xml version='1.0'?>
    <!DOCTYPE comm [
    <!ELEMENT comm (#PCDATA)>
    <!ENTITY xxe SYSTEM "File_Path_Here">
    ]>
    <comm>
    <text>&xxe;</text>
    </comm>

  • In case the server is running Linux, use the file path file:///etc/passwd; if it is running Windows, use C:\windows\system32\drivers\etc\hosts. This will dump sensitive data about all users.
  • Forward the request and turn off intercept.
  • Go to the see comments option and click view comments. This should show you the files requested in your payload if the vulnerability exists.


Mitigation
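The weak parser configuration described above is one that honours a DOCTYPE and resolves external entities. The fix on the server side is to refuse those constructs before the parser acts on them. The following is an added example, not the lab's own code: a Python (the lab is a Django app) comment parser built on the standard library's expat bindings, which aborts on any DOCTYPE, entity declaration or external entity reference, so the payload shown above is rejected instead of being resolved. It assumes the comment arrives as bytes in the <comm><text>...</text></comm> shape shown on the page and that only the text of <text> is needed; the function names and the sample inputs are constructed for this example.

```python
"""Hardened XML parsing for the lab's comment endpoint (added example).

Assumption (not from the lab's own code): the comment is posted as bytes in the
<comm><text>...</text></comm> shape, and only the <text> content is needed.
"""
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised when a document tries to use a DTD, an entity declaration or an external reference."""


def _refuse_doctype(name, sysid, pubid, has_internal_subset):
    # Called by expat at the start of <!DOCTYPE ...>; raising aborts the parse.
    raise ForbiddenXML(f"DOCTYPE '{name}' is not allowed")


def _refuse_entity_decl(name, is_param, value, base, sysid, pubid, notation):
    # Called for every <!ENTITY ...> in the internal subset.
    raise ForbiddenXML(f"entity declaration '{name}' is not allowed")


def _refuse_external_ref(context, base, sysid, pubid):
    # Called when the parser would fetch an external entity (e.g. a file:// URI).
    raise ForbiddenXML(f"external entity reference '{sysid}' is not allowed")


def parse_comment(xml_bytes: bytes) -> str:
    """Return the text inside <text>; raise ForbiddenXML on any DTD or entity use."""
    parser = expat.ParserCreate()
    parser.buffer_text = True
    # Hardening: any of these constructs aborts the parse before anything is resolved.
    parser.StartDoctypeDeclHandler = _refuse_doctype
    parser.EntityDeclHandler = _refuse_entity_decl
    parser.ExternalEntityRefHandler = _refuse_external_ref

    chunks = []
    in_text = [False]  # mutable cell so the nested handlers can update it

    def start_element(name, attrs):
        if name == "text":
            in_text[0] = True

    def end_element(name):
        if name == "text":
            in_text[0] = False

    def char_data(data):
        if in_text[0]:
            chunks.append(data)

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def check_comment(xml_bytes: bytes) -> dict:
    """Accept/reject wrapper that never raises, suitable for logging rejected requests."""
    try:
        return {"accepted": True, "text": parse_comment(xml_bytes), "reason": None}
    except ForbiddenXML as exc:
        return {"accepted": False, "text": None, "reason": str(exc)}
    except expat.ExpatError as exc:
        return {"accepted": False, "text": None, "reason": f"malformed XML: {exc}"}


# Constructed sample inputs: a normal comment and the lab payload from above.
BENIGN = b"<?xml version='1.0'?><comm><text>Nice picture!</text></comm>"

XXE_PAYLOAD = b"""<?xml version='1.0'?>
<!DOCTYPE comm [
<!ELEMENT comm (#PCDATA)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<comm>
<text>&xxe;</text>
</comm>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE_PAYLOAD)):
        print(label, check_comment(doc))
```

The benign comment yields the text "Nice picture!", while the payload is rejected at the DOCTYPE, before the entity declaration is even seen. This is the same approach the defusedxml package takes for the standard-library parsers; if the application uses lxml instead, the equivalent setting is `etree.XMLParser(resolve_entities=False)`, since lxml resolves entities by default.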

{% endblock %}