Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

External XML Entities

120 views

Published on

  • Be the first to comment

  • Be the first to like this

External XML Entities

  1. 1. External XML Entities (XXE) and how they may impact your environment About XXE Flaws based on external XML entities processing are typically the product of applications that parse XML data having a weak security configuration. This may allow for external references without filters for tainted input. Some of the results of such a situation could develop into a range of outcomes from information leakage of sensitive data to denial of service and potentially even remote code execution. These vulnerabilities may manifest in some of the technology powering many of today’s websites. Vulnerabilities may also be observed locally in applications processing many popular office file formats. These newer file formats containing many XML references represent a potential platform for targeted attacks within an organization. Though many CVEs and advisories related to this issue have been generated around 2014 and later, some of the first references go back to developer posts as early as 2001[1]. Recently, XXE has been the subject of many bug bounties awarding several thousands of dollars for discovered vulnerabilities in popular sites like Facebook and Google. What can happen with XXE In the web app example, we explore how easy it can be to modify a legitimate request to exploit an XXE vulnerability and the results that can be achieved against a vulnerable system. One way a vulnerable system may be exploited is with an information disclosure by way of a local file inclusion. By referencing internal system files that the application would have permission to view within an entity statement, the file contents may be displayed within the response.
  2. 2. 2 Another scenario shows an XML entity executing PHP functions with results returned within the response. This may be helpful to an attacker in situations where they may be having issues recovering the complete contents of files or having some other sort of egress issues. A separate application of this vulnerability has us issuing requests that cause the victim server to browse to remote locations that are provided in the entity statement. This could be utilized to have
  3. 3. 3 the victim server utilize a remote document type definition (DTD), connect to a malicious location or, as in the next example, be utilized as a port scanner. During a successful attempt, we see that an error message is returned. When we view our temporary web server, however, we do see a connection has been made. The victim server has made a GET request to our malicious device on the specified port. So a connection is being made, but how can a successful connection to a port be determined? A look at the application behavior gives that answer in that the error messages received are actually a bit varied and a negative result will actually read “Connection refused” within the error message.
  4. 4. 4 The next example demonstrates resource exhaustion that may lead to a denial of service condition on the victim server. By employing a method referred to as XML entity expansion (XEE), attackers load a request with multiple short hand statements that the victim server will unpack and translate for processing. Once the request is fully unpacked it will transform into so many individual elements that it may slow down or halt the victim server. In the image below, we see that we are already causing system errors with the size of the request causing extended backend processing. Adding an extra couple of lines and even a longer string would begin to stress a vulnerable victim server even more [5].
  5. 5. 5 This form of attack goes beyond web servers processing XML content. Instances of XXE vulnerabilities have also been discovered in the processing of certain file formats that contain XML data [6]. The danger from attacks utilizing this vector is that they may be utilized to augment a social engineering campaign that targets specific personnel and the computing devices they utilize. As this attack vector becomes more readily understood by a larger audience, it would seem to follow that it will become more prevalent. Indeed, we see additional checks being implemented in some popular security suites to aid professionals in identifying potential weaknesses. Any such implementation definitely need to be followed up by manual validation by personnel familiar with the issue. Things you can do One of the more fundamental things that would need to be addressed to begin to mitigate XXE threats is to limit the ability of the XML parsers in your environment from referencing external document type definitions or disabling DTDs altogether[10].
  6. 6. 6 There are also language specific directives that may be utilized to prevent processing of XML definitions via methods that modify attributes or permissions to import external definition. References: 1http://lists.xml.org/archives/xml-dev/200101/msg00057.html 2https://blog.gdssecurity.com/labs/2015/4/29/automated-data-exfiltration-with-xxe.html 3http://securityaffairs.co/wordpress/31677/hacking/hacking-facebook-word-document.html 4http://resources.infosecinstitute.com/xxe-attacks/ 5https://cytinus.wordpress.com/2011/07/26/37/ 6https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file- parsing-functionality.pdf 7http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html 8https://blog.netspi.com/playing-content-type-xxe-json-endpoints/ 9https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing 10https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

×