Free AI web copilot to create summaries, insights and extended knowledge, download it at here

3718

Abstract

id="6bc7">Inband XXE</h2> <figure id="a9b3"> <div> <div>

            <iframe class="gist-iframe" src="/gist/MartinThoma/d252cc68f0cf9c0c86bec00c689503e7.js" allowfullscreen="" frameborder="0" height="undefined" width="undefined">
          </div>
        </div>
    </figure></iframe></div></div></figure><p id="0d28">Looks harmless, doesn’t it? It simply prints <code>&lt;root&gt;Hello World!&lt;/root&gt;</code></p><p id="c80b">But if you change the <code>xml</code> string, then you can read the users passwords:</p>
    <figure id="5b92">
        <div>
          <div>
            
            <iframe class="gist-iframe" src="/gist/MartinThoma/78d666b0b9446a6338c7e77e1cb2ae0a.js" allowfullscreen="" frameborder="0" height="undefined" width="undefined">
          </div>
        </div>
    </figure></iframe></div></div></figure><p id="4f28">If this was part of a server, then the user could read arbitrary files on that server.</p><h2 id="303c">Out-of-Band XXE</h2><p id="13ec">Most of the time, the attacker cannot see the result of the parsed XML file directly. Hence inband XXE is not possible. And maybe errors are also captured, so an error-based XXE does also not work.</p><p id="143b">However, the attacker might be able to force the server to make HTTP calls. This is called server-side request forgery (SSRF). Then the attacker sets up a listener, forces the server to make a request, and thus confirms that XXE is possible. The Attack looks similar to the lines above and is pretty well explained here:</p><div id="de4b" class="link-block">
      <a href="https://www.acunetix.com/blog/articles/band-xml-external-entity-oob-xxe/">
        <div>
          <div>
            <h2>Out-of-band XML External Entity (OOB-XXE) | Acunetix</h2>
            <div><h3>As with many types of attacks, you can divide XML External Entity Attacks (XXE attacks) into two types: in-band and…</h3></div>
            <div><p>www.acunetix.com</p></div>
          </div>
          <div>
            <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*sT_ZcX1YMlURVT5F)"></div>
          </div>
        </div>
      </a>
    </div><div id="7f28" class="link-block">
      <a href="https://portswigger.net/web-security/xxe/blind">
        <div>
          <div>
            <h2>What is a blind XXE attack? Tutorial &amp; Examples | Web Security Academy</h2>
            <div><h3>In this section, we'll explain what blind XXE injection is and describe various techniques for finding and exploiting…</h3></div>
            <div><p>portswigger.net</p></div>
          </div>
          <div>
            <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*-kjT5VoBc3dSUM3H)"></div>
          </div>
        </div>
      </a>
    </div><h1 id="d43e">Mitigations</h1><p id="16d5">The simplest mitigation is to limit the capabilities of XML to a safe subset. Meaning that you need to limit the XML parser you’re using.</p><p id="f6fa">Python has <a href="https://docs.python.org/3/library/xml.html#xml-vulnerabilities">5 XML parsers</a>: <a href="https://docs.python.org/3/library/xml.sax.reader.html#module-xml.sax.xmlreader">sax</a>, etree, minidom, pulldom, xmlrpc. According to the documentation, they are safe to use. However, <a href="https://lxml.de/">lxml</a> is wide-spread. It mentions that you should configure the XML to not load external DTDs (<a href="https://lxml.de/FAQ.html#how-do-i-use-lxml-safely-as-a-web-service-endpoint">source</a>). The <a href="htt

Options

ps://pypi.org/project/defusedxml/">defusedxml</a> package offers a way to access XML parsers with a secure default configuration.</p><h1 id="5bf1">See also</h1><p id="8042">I would like to point you to this YouTube video by PwnFunction. It summarizes the topic very well.</p><p id="ab89">If you’re interested in a summary over different XML parsers, try <a href="https://www.usenix.org/system/files/conference/woot16/woot16-paper-spath.pdf">SoK: XML Parser Vulnerabilities</a> (2016) by Christopher Späth, Christian Mainka, Vladislav Mladenov, Jörg Schwenk.</p> <figure id="3315"> <div> <div> <img class="ratio" src="http://placehold.it/16x9"> <iframe class="" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2Fgjm6VHZa_8s%3Ffeature%3Doembed&display_name=YouTube&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dgjm6VHZa_8s&image=https%3A%2F%2Fi.ytimg.com%2Fvi%2Fgjm6VHZa_8s%2Fhqdefault.jpg&key=a19fcc184b9711e1b4764040d3dc5c07&type=text%2Fhtml&schema=youtube" allowfullscreen="" frameborder="0" height="480" width="854"> </div> </div> </figure></iframe></div></div></figure><h1 id="81e8">What’s next?</h1><p id="07ad">In this series about application security (AppSec) we already explained some of the techniques of the attackers 😈 and also techniques of the defenders 😇:</p><ul><li>Part 1:<a href="https://readmedium.com/sql-injections-e8bc9a14c95"> SQL Injections</a> 😈</li><li>Part 2: <a href="https://levelup.gitconnected.com/leaking-secrets-240a3484cb80">Don’t leak Secrets</a> 😇</li><li>Part 3: <a href="https://levelup.gitconnected.com/cross-site-scripting-xss-fd374ce71b2f">Cross-Site Scripting (XSS)</a> 😈</li><li>Part 4: <a href="https://levelup.gitconnected.com/password-hashing-eb3b97684636">Password Hashing</a> 😇</li><li>Part 5: <a href="https://readmedium.com/zip-bombs-30337a1b0112">ZIP Bombs</a> 😈</li><li>Part 6: <a href="https://readmedium.com/captcha-500991bd90a3">CAPTCHA</a> 😇</li><li>Part 7: <a href="https://readmedium.com/email-spoofing-9da8d33406bf">Email Spoofing</a> 😈</li><li>Part 8: <a href="https://readmedium.com/software-composition-analysis-sca-7e573214a98e">Software Composition Analysis</a> (SCA) 😇</li></ul><p id="9619">And this is about to come:</p><ul><li>CSRF 😈</li><li>DOS 😈</li><li>Credential Stuffing 😈</li><li>Cryptojacking 😈</li><li>Single-Sign-On 😇</li><li>Two-Factor Authentication 😇</li><li>Backups 😇</li><li>Disk Encryption 😇</li></ul><p id="479a">Let me know if you are interested in more articles around AppSec / InfoSec!</p><figure id="1ef4"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/0*Piks8Tu6xUYpF4DU"><figcaption></figcaption></figure><p id="e5d4">👋 <a href="https://faun.dev/join"><b>Join FAUN today and receive similar stories each week in your inbox!</b></a><b> </b>️ <b>Get your weekly dose of the must-read tech stories, news, and tutorials.</b></p><p id="32cd"><b>Follow us on <a href="https://twitter.com/joinfaun">Twitter</a> </b>🐦<b> and <a href="https://www.facebook.com/faun.dev/">Facebook</a> </b>👥<b> and <a href="https://instagram.com/fauncommunity/">Instagram</a> </b>📷 <b>and join our <a href="https://www.facebook.com/groups/364904580892967/">Facebook</a> and <a href="https://www.linkedin.com/company/faundev">Linkedin</a> Groups </b>💬</p><figure id="193b"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*_cT0_laE4iPcqW1qrbstAg.gif"><figcaption></figcaption></figure><h2 id="3062">If this post was helpful, please click the clap 👏 button below a few times to show your support for the author! ⬇</h2></article></body>

XXE attacks 😈

PDF, Excel, SVG, ebooks — all use XML. They can be vulnerable.

XML is probably the most commonly used markup language. It’s organized around tags <example>foo</example> and allows pretty complicated structures

One interesting property about XML is that you can reference external entities, e.g. you can include another file. That is where the name XXE comes from: XML external entities. Let’s start!

Why you should care

XXE vulnerabilities can allow attackers to steal your data, scan your internal network, and even allow remote code execution (RCE)
XXE attacks were number 4 in the OWASP Top 10
The Twitter Tag #XXE is pretty active. So people are still interested in it, although the vulnerability was first recognized already in 2002 (source)
2012: An XXE vulnerability was discovered in Inkscape (source)
2014: Google was vulnerable to XXE and paid a bug bounty of $10,000 (source)
2014: Adobe Reader had an XXE vulnerability (source)
2015: Mohamed Ramadan discovered an XXE vulnerability in Facebooks resume upload (source)
2020: IBM QRadar had an XXE vulnerability (source)

We don’t use XML!

Here are some indicators that you might need to care:

You’re using SOAP
You’re using SAML
You’re reading office files, such as Word (docx) or Excel files (xlsx; example, example). Powerpoint (pptx) contains XML as well. All of them are essentially ZIP archives with lots of XML files inside. I don’t think that Word / Excel / Powerpoint are vulnerable, but maybe the smaller libraries around those files that are used to programmatically create or read them.
You’re reading XMP meta data from images such as JPG or GIF (presentation, slides), meta data from audio and video files as well.
You’re reading PDF files
SVGs are XML as well.

The oxml_xxe tool makes it pretty easy to generate such a malicious file.

Types of XXEs

Inband: The output is shown to the attacker
Out of band (OOB): The attacker is blind

Inband XXE

Looks harmless, doesn’t it? It simply prints <root>Hello World!</root>

But if you change the xml string, then you can read the users passwords:

If this was part of a server, then the user could read arbitrary files on that server.

Out-of-Band XXE

Most of the time, the attacker cannot see the result of the parsed XML file directly. Hence inband XXE is not possible. And maybe errors are also captured, so an error-based XXE does also not work.

However, the attacker might be able to force the server to make HTTP calls. This is called server-side request forgery (SSRF). Then the attacker sets up a listener, forces the server to make a request, and thus confirms that XXE is possible. The Attack looks similar to the lines above and is pretty well explained here:

Out-of-band XML External Entity (OOB-XXE) | Acunetix

As with many types of attacks, you can divide XML External Entity Attacks (XXE attacks) into two types: in-band and…

www.acunetix.com

What is a blind XXE attack? Tutorial & Examples | Web Security Academy

In this section, we'll explain what blind XXE injection is and describe various techniques for finding and exploiting…

portswigger.net

Mitigations

The simplest mitigation is to limit the capabilities of XML to a safe subset. Meaning that you need to limit the XML parser you’re using.

Python has 5 XML parsers: sax, etree, minidom, pulldom, xmlrpc. According to the documentation, they are safe to use. However, lxml is wide-spread. It mentions that you should configure the XML to not load external DTDs (source). The defusedxml package offers a way to access XML parsers with a secure default configuration.

What’s next?

In this series about application security (AppSec) we already explained some of the techniques of the attackers 😈 and also techniques of the defenders 😇:

Part 1: SQL Injections 😈
Part 2: Don’t leak Secrets 😇
Part 3: Cross-Site Scripting (XSS) 😈
Part 4: Password Hashing 😇
Part 5: ZIP Bombs 😈
Part 6: CAPTCHA 😇
Part 7: Email Spoofing 😈
Part 8: Software Composition Analysis (SCA) 😇

And this is about to come:

CSRF 😈
DOS 😈
Credential Stuffing 😈
Cryptojacking 😈
Single-Sign-On 😇
Two-Factor Authentication 😇
Backups 😇
Disk Encryption 😇

Let me know if you are interested in more articles around AppSec / InfoSec!

👋 Join FAUN today and receive similar stories each week in your inbox! ️ Get your weekly dose of the must-read tech stories, news, and tutorials.

Follow us on Twitter 🐦 and Facebook 👥 and Instagram 📷 and join our Facebook and Linkedin Groups 💬