XML External Entity Attack: SSRF With XXE

Greetings everyone, hope everything is going well! Today we will learn what an XML External Entity (XXE) attack is and what the common XXE attacks are.

According to OWASP, "An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser."

Before we start: what XML is, the common attacks on XML, how XXE is exploited, and what an attacker can do to a target with it.

What is XML?

XML is a standard for exchanging structured data in textual format. Look at the example below to see how XML carries data between the browser and the server.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<order>
  <product>1234</product>
  <count>1</count>
  <orderer>
    <contact>User 1</contact>
    <account>[email protected]</account>
  </orderer>
</order>
```
What are the common types of XXE attack?
  • Exploiting XXE to retrieve files, where an external entity is defined containing the contents of a file, and returned in the application’s response.
  • Exploiting XXE to perform SSRF attacks, where an external entity is defined based on a URL to a back-end system.
  • Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error message containing sensitive data.

XML is used for much more than declaring elements, attributes and text. XML documents can be of a specific type, and we declare that type in the document by specifying a type definition. This is the DTD, the Document Type Definition: a DTD defines the structure and the legal elements and attributes of an XML document.

Now, how does an attacker exploit this vulnerability?

An XXE injection attack can retrieve an arbitrary file from the server's filesystem. Here the attacker tries to retrieve /etc/passwd from the root filesystem.

Disclosing /etc/passwd or other targeted files

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
```

Now, we have a vulnerable website. When the user visits a product page and clicks "Check stock", we intercept the resulting POST request in Burp Suite and see that the data is passed as XML.

As the picture above shows, the request carries the product ID and store ID in XML format.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck
[ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&foo;</productId><storeId>1</storeId></stockCheck>
```

Look above: we declared a SYSTEM entity. SYSTEM is the common keyword that tells the parser to fetch the entity's content from a URI, so if the server does not validate user-supplied input, an attacker can pull local file data into the document.

Because the user input is parsed as XML without proper filtering, this XXE payload defines an external entity whose value is the contents of the /etc/passwd file and references that entity inside the productId value.

Now, exploiting XXE to perform SSRF attacks: how an XML external entity attack can be exploited to perform SSRF.

This is a potentially serious vulnerability in which the server-side application can be induced to make HTTP requests to any URL that the server can access.

Now, how to identify SSRF with XXE.

The second lab starts the same way: visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite. Again the request carries the product ID and store ID in XML format.

Now we can make the server open an internal connection on our behalf, if the site's XML parsing is poorly configured.

The lab server is running a metadata endpoint at the default URL http://169.254.169.254/. SSRF lets us reach it through the server's internal network. We will try to extract data from the endpoint /latest/meta-data/iam/security-credentials/admin.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck
[ <!ENTITY foo SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>&foo;</productId><storeId>1</storeId>
</stockCheck>
```

Now the response:

Eventually, as you keep appending folder names to the URL, you will see the AWS EC2 metadata from the target's internal server. This is how an attacker misuses SSRF via XXE when the server-side restrictions are poorly configured.
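A defender reviewing intercepted or logged XML request bodies wants to tell the file-read variant from the SSRF variant quickly, and to know whether an SSRF URL points at instance metadata, at another internal host, or outside. The Python triage helper below is an added example, not code from the original post or from the lab: it pulls SYSTEM/PUBLIC entity declarations out of a request body and classifies each URI. The sample bodies are constructed from the two stock-check payloads shown above; the function names and category labels are my own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Matches external entity declarations inside a DTD, either
#   <!ENTITY name SYSTEM "uri">   or   <!ENTITY name PUBLIC "id" "uri">
# A leading % marks a parameter entity, which blind XXE payloads rely on.
_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?P<pe>%\s*)?(?P<name>[^\s>%]+)\s+"
    rb"(?:SYSTEM\s+[\"'](?P<sys>[^\"']*)[\"']"
    rb"|PUBLIC\s+[\"'][^\"']*[\"']\s+[\"'](?P<pub>[^\"']*)[\"'])",
    re.IGNORECASE,
)


def classify_uri(uri: str) -> str:
    """Label what resolving this external entity URI would make the parser do."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme in ("", "file"):
        return "file-read"
    if scheme not in ("http", "https"):
        return "other-scheme"
    host = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: where it points cannot be known without resolving it.
        return "ssrf-unresolved-host"
    if addr.is_link_local:
        # 169.254.0.0/16 is where cloud instance-metadata services live.
        return "ssrf-metadata"
    if addr.is_loopback or addr.is_private:
        return "ssrf-internal"
    return "ssrf-external"


def triage_xml_body(body: bytes) -> list:
    """Return one finding per external entity declared in the request body."""
    findings = []
    for m in _ENTITY_RE.finditer(body):
        uri = (m.group("sys") or m.group("pub") or b"").decode("utf-8", "replace")
        findings.append({
            "name": m.group("name").decode("utf-8", "replace"),
            "parameter_entity": m.group("pe") is not None,
            "uri": uri,
            "category": classify_uri(uri),
        })
    return findings


# Constructed sample bodies, built from the stock-check requests shown above.
BENIGN_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<stockCheck><productId>1234</productId><storeId>1</storeId></stockCheck>'
)
FILE_READ_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE stockCheck [ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]>'
    b'<stockCheck><productId>&foo;</productId><storeId>1</storeId></stockCheck>'
)
METADATA_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE stockCheck [ <!ENTITY foo SYSTEM '
    b'"http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>'
    b'<stockCheck><productId>&foo;</productId><storeId>1</storeId></stockCheck>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY),
                        ("file read", FILE_READ_BODY),
                        ("metadata", METADATA_BODY)):
        print(label, triage_xml_body(body))
```

A regex is used instead of a real DTD parser on purpose: logged or intercepted bodies are often truncated or deliberately malformed, and the goal is to flag them, not to parse them. A production filter would also normalise the body's encoding first, since a UTF-16 request would slip past a byte-level pattern like this one.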

Other ways to perform SSRF:

  • Blind SSRF
  • File Upload SSRF
  • XXE attacks via modified content type
  • OS Command Injection With XXE
How to prevent this risk:
  • Virtually all XXE vulnerabilities arise because the application’s XML parsing library supports potentially dangerous XML features that the application does not need or intend to use. The easiest and most effective way to prevent XXE attacks is to disable those features.
  • Generally, it is sufficient to disable resolution of external entities and disable support for XInclude. This can usually be done via configuration options or by programmatically overriding default behavior.
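What "disabling those features" looks like for the stock-check endpoint from the labs above, as an added example that is not code from the original post or from the lab: a small Python parser built on the standard library's xml.sax that rejects any request carrying a DOCTYPE (the only place a document can declare entities) and, as the actual fix, turns off external general and parameter entity resolution in the parser. The handler, the sample requests and the function names are my own assumptions; the two request bodies are constructed from the payload shown earlier.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes


class XXEBlocked(ValueError):
    """Raised when a request carries XML features this endpoint never needs."""


# The stock-check endpoint never needs a DTD, and a DOCTYPE is the only place an
# XML document can declare entities, so any DOCTYPE is rejected before parsing.
# This is a raw-byte check and assumes an ASCII-compatible encoding such as
# UTF-8; the parser features set below are the real fix, this is defence in depth.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class _StockCheckHandler(ContentHandler):
    """Collects the text of the two elements the endpoint actually uses."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._buf = None

    def startElement(self, name, attrs):
        self._buf = [] if name in ("productId", "storeId") else None

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if self._buf is not None:
            self.fields[name] = "".join(self._buf).strip()
            self._buf = None


def parse_stock_check(body: bytes) -> dict:
    """Parse a stock-check request with external entity resolution disabled."""
    if _DOCTYPE_RE.search(body):
        raise XXEBlocked("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    # With these off, the parser will not fetch a file:// or http:// URI
    # named in an entity declaration, even if a DTD somehow got this far.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _StockCheckHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return handler.fields


def accepts(body: bytes) -> bool:
    """True if the body parses cleanly, False if it was rejected as XXE."""
    try:
        parse_stock_check(body)
        return True
    except XXEBlocked:
        return False


# Constructed sample requests, modelled on the stock-check lab shown above.
BENIGN_REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<stockCheck><productId>1234</productId><storeId>1</storeId></stockCheck>'
)
XXE_REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE stockCheck [ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]>'
    b'<stockCheck><productId>&foo;</productId><storeId>1</storeId></stockCheck>'
)

if __name__ == "__main__":
    print("benign:", parse_stock_check(BENIGN_REQUEST))
    print("xxe accepted?", accepts(XXE_REQUEST))
```

The same two knobs exist under different names in every mainstream parser (for example the `disallow-doctype-decl` and external-entity features of Java's XML parsers, or `resolve_entities=False` in lxml); the OWASP XXE Prevention Cheat Sheet lists them per library. Rejecting the DOCTYPE outright is the simplest rule to reason about, and it also removes the DTD-based entity expansion tricks that a parser-feature change alone does not cover.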

Conclusion: today we discussed how XXE works and the common types of XXE attack. We saw how an attacker exploits XXE against a website whose XML parsing is poorly configured: an XXE injection that retrieves an arbitrary file from the server's filesystem, and SSRF through XXE that retrieves data the server was not meant to expose. Hope you learned something!

References:
  1. https://portswigger.net/web-security/xxe
  2. https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/
  3. https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
