Downloaded 120 times
![OFFICE OPEN XML
Web Application Security - Team bi0s © 2017 @Team bi0s
➔ General Parsing XML
◆ /_rels/.rels
◆ [Content_Types].xml
◆ Default Main Document
● /word/document.xml
● /ppt/presentation.xml
● /xl/workbook.xml
22/25](https://image.slidesharecdn.com/xxe-xmlexternalentity-170227101211/85/XXE-XML-External-Entity-Attack-22-320.jpg)
More Related Content
Similar to XXE - XML External Entity Attack
![Xml external entities [xxe]](https://cdn.slidesharecdn.com/ss_thumbnails/xmlexternalentitiesxxe-150514141054-lva1-app6891-thumbnail.jpg?width=640&height=640&fit=bounds)
More from Cysinfo Cyber Security Community
XXE - XML External Entity Attack
- 1. Web Application Security- Team bi0s © 2017 XXE XML External Entity 25 February 2017 @Team bi0s 1/25 HEERAJ Btech, Third Year, Computer Science Engineering Amrita University
- 2. whoami Web Application Security- Team bi0s © 2017 @Team bi0s ➔ Undergraduate Student @ Amrita ➔ Web Security Enthusiast ➔ CTF{flag_seeker} ➔ @HRJ ➔ ww.i4info.in 2/25
- 3. Agenda Web Application Security- Team bi0s © 2017 @Team bi0s ➔Intro to XML & DTD ➔XML Entity ➔Parsing XML ➔Attacks Vector ➔Demo 3/25
- 4. XML Web Application Security- Team bi0s © 2017 @Team bi0s ➔EXtensible Markup Language 4/25 Picture:123RF.COM
- 5. Where it isused ? Web Application Security - Team bi0s © 2017 @Team bi0s ➔Document Formats ➔Image Formats ➔Configuration Files ➔Network Protocols ➔RSS Feeds … etc . . . 5/25 Picture: c-sharpcorner.com
- 6. Document Type Definition WebApplication Security - Team bi0s © 2017 @Team bi0s ➔ References an External DTD ➔ Define structure with the list of legal elements 6/25
- 7. XML Entity Web ApplicationSecurity - Team bi0s © 2017 @Team bi0s ➔ Entities help to reduce the entry of repetitive information and also allow for easier editing Output: Writer: Donald Duck. Copyright: bi0s. 7/25
- 8. XML Entity Web ApplicationSecurity - Team bi0s © 2017 @Team bi0s XML Entity Internal Entity External Entity 8/25
- 9. Parsing Web Application Security- Team bi0s © 2017 @Team bi0s ➔ Character other than < , > , & , ‘ , “ all are parsable. ➔ PCDATA is text that will be parsed by a parser. Tags inside the text will be treated as markup and entities will be expanded. ➔ CDATA is text that will not be parsed by a parser. 9/25
- 10. Attack’s Possible Web ApplicationSecurity - Team bi0s © 2017 @Team bi0s ➔ LFI ➔ SSRF ➔ Internal scans ➔ Denial of Service ➔ Rce (Not Always!!!) 10/25
- 11. Attack Vectors Web ApplicationSecurity - Team bi0s © 2017 @Team bi0s Classic XXE We can view any file which doesn’t contain < , > , & , ‘ , “ as characters. 11/25
- 12.
- 13. Direct Feedback Channel WebApplication Security - Team bi0s © 2017 @Team bi0s What if you are Reading Some configuration files? 13
- 14. Direct Feedback Channel WebApplication Security - Team bi0s © 2017 @Team bi0s ➔ CDATA very helpful to read web configuration, which contain non parsable characters. But this won’t work !! 14/25
- 15. Direct Feedback Channel WebApplication Security - Team bi0s © 2017 @Team bi0s ➔ We have to use Parameter entities ➢ Parameter.dtd 15/25
- 16. Out Of BandChannel Web Application Security - Team bi0s © 2017 @Team bi0s 16/25
- 17. Out Of BandChannel Web Application Security - Team bi0s © 2017 @Team bi0s ➔ No Direct Feedback Channel 17/25 Website: http://web-in-security.blogspot.in/2016/03/xxe-cheat- sheet.html
- 18. Billion Laughs Attack(Simple Denial of Service) Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Works by expansion property (Simple code(<1kb) will expand up to 3 gigabytes of memory. 18/25
- 19. Different Protocols Web ApplicationSecurity - Team bi0s © 2017 @Team bi0s 19/25
- 20. OFFICE OPEN XML WebApplication Security - Team bi0s © 2017 @Team bi0s ➔ Zip archive file containing XML and media files ➔ *.docx , *.xlsx , *.pptx ➔ Developed by Microsoft 20/25
- 21. OFFICE OPEN XML WebApplication Security - Team bi0s © 2017 @Team bi0s 21/25 Open XML File Container Document Properties Custom Defined XML Comments WordML/ SpreadsheetML etc Embedded Code/Macros Images, Video, Sound Files Charts
- 22. OFFICE OPEN XML WebApplication Security - Team bi0s © 2017 @Team bi0s ➔ General Parsing XML ◆ /_rels/.rels ◆ [Content_Types].xml ◆ Default Main Document ● /word/document.xml ● /ppt/presentation.xml ● /xl/workbook.xml 22/25
- 23. Playing With ContentType Web Application Security - Team bi0s © 2017 @Team bi0s ➔ Server may accept multiple data formats ➔ Results in Json endpoints may be vulnerable to XXE ➔ Content-Type changed to application/xml ➔ JSON has to be converted to XML 23/25
- 24. Demo Web Application Security- Team bi0s © 2017 @Team bi0s 24/25
- 25. Solution Web Application Security- Team bi0s © 2017 @Team bi0s ➢ Don’t reflect the XML back to user ➢ Turn off external DTD fetching ➢ Turn off DTD ➢ Disable External Entity Parsing libxml_disable_entity_loader(true);(PHP) 25/25
Editor's Notes
- #5 RSS/xhtml/svg/opendocument/kml/xslt/soap/saml… And Many more are written in XML
- #7 Defines the structure, attributes and the legal elements of XML #PCDATA - parsable text data Note defines this must contain to, from, heading,body
- #8 Used to include some documents
- #9 Public and SYSTEM are the 2 external entities.
- #11 Dos( by reading /dev/zero loops
- #12 Found Long back in 2002
- #15 But this will not work with the above example, we get the error: “XML document structures must start and end within the same entity.”
- #16 In the first case it was from same dtd Here we have used different dtd
- #17 In the first case it was from same dtd Here we have used different dtd
- #18 In the first case it was from same dtd Here we have used different dtd
- #19 Google toolbar you can design button using xml, the xxe was in uploading xml
- #22 File that are present in the zip archive
- #23 File that are present in the zip archive
- #24 File that are present in the zip archive
- #25 File that are present in the zip archive