Overview: XML External Entities


Time: 3 hours 30 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
A4 is XML External Entities, or XXE. Our learning objectives are to describe the various types of XML external entity flaws, demonstrate how to test for the various types of XML external entity flaws, and explain how to remediate XML external entity vulnerabilities.

First we need to understand what XML is, otherwise known as Extensible Markup Language. If you know what HTML is, HTML is Hypertext Markup Language, that's what makes up webpages. When I first started, when I was an agent, I was learning how to make web pages, I wanted to learn from scratch. So I took a course on HTML. I had to learn how web pages are designed. There's different tags, like the body tag or the header tag, H1. These are all predefined tags that you use to make your webpage look a certain way.

Unlike HTML, XML is user-defined. You'll see here on the right that I've defined my own tags. I have root, I have company, Cybrary, course is OWASP Top 10, instructor is me, and I end it with the root tag. That should look familiar to you if you know what HTML is. You need to have an opening tag, then you have your information there, then you have a closing tag. With XML, unlike HTML where it's how a web page looks, XML is more concerned with the data, how the data is organized, if you will. You'll see here, I can transport this data and I can change the instructors. I could have Clint or I could have Matt or I could have Corrie, I could have a whole bunch of different instructor names, and transport that to different web applications quickly because I've defined my own tags here. It uses a tree-like structure of tags, elements, and attributes. It's also human-readable and machine-readable, so I can read this. I know company, course, and instructor, as does the machine. When it parses the data, it knows what each of these tags are referring to.

What is XXE? XXE is the ability for an attacker to interfere with how XML is processed, and what you can do as an attacker when you can mess or interfere with the XML processor is, it's an injection attack. It's an injection attack, like command injection or SQL injection, but this time, instead of issuing commands or messing with the SQL database, you're messing with the XML parser and you're able to view files, you're able to interact with back-end systems, you're able to interact with external systems like SSRF, as we see here, server-side request forgery. Also you can see here this billion laughs attack, that sounds pretty cool, on the right, but basically it's an expanding entity to the point where this attack, this payload you see here, keeps creating bigger and bigger LOLs, however you want to say it, laughs, LOLs. It keeps expanding it over and over and over again until it basically takes up all the memory of the server and the server can't function anymore, creating a denial of service condition. I've seen this in production environments. I've seen it in bug bounty; that's the article that you'll read, it's about a bug bounty hunter who found this in a popular company. Many popular companies use XML and they use things like SOAP, Simple Object Access Protocol. This is an attack that you could very likely come across as a web application penetration tester.

How do we test for this? If we detect that something is using XML, we can use something like this, where you'll see the document definition at the top with XML version 1.0 encoding. You don't need that per se. You'll see me use that, you'll see a lot of people use that, but that's optional. What's important here is I'm creating an entity here called xxe with the text "evil". I know the tree-like structure, I know what the tags are, I know the root element is creds. Then we have user and password. What I'm doing with the &xxe; and the semicolon, I'm injecting the xxe entity into the XML parser. You'll see on the other end here, in the response, that you've logged in as evil. That's my first test and I can see that I have the ability to create my own entity here.

Reading local files. If you open up a web browser now and you type file:///etc/passwd on a Windows machine or a Mac, you'll be able to see your /etc/passwd file. Hopefully you knew that; if not, then you've learned something new. But you'll see that when you have Kali Linux, if you load up a web browser, and I'll show that to you, you'll see it's loading a file as the webpage. In addition to reading local files like /etc/passwd, if the server is running with elevated permissions, like root, you'll be able to read something else, the /etc/shadow file, and crack passwords. It's always good to check from here what permissions the server is running as and see if you can load sensitive files.

Expect with PHP is very, very interesting. Expect is not installed by default, but if it is installed, you can execute commands like the id command, curl, wget, depending on what that server has; you can execute remote code execution and do all kinds of malicious things. If you want to see that, I have a Bitly link down here, but this is a YouTube video that I did with my buddy Mark for BSides NoVA of us doing XXE attacks. I built a lab and I enabled expect and I was able to leverage it to do RCE. I think it's a very interesting talk, of course. I did it, so I think it's interesting. But it's interesting making that lab, enabling expect, and seeing what I could do with expect, because it's not everything you expect it to be. That joke there.

Anyway, XXE reading PHP. Again, if you know anything about PHP, if you've done local file inclusion, you've seen things like using filters in PHP. Basically PHP is a server-side language. You're not able to read it from the client side, you're not able to read it externally, but internally you are able to read it. Because we are basically leveraging a local system with this XXE attack, we can read PHP files, which is really great because, if you know anything about PHP, it can contain sensitive information. Like if it's loading from a database, it may have the database username and password and the name of the database in there and all kinds of juicy information on the server side. It's very beneficial being able to leverage XXE to read these PHP files.

XXE and server-side request forgery. You'll see here, like I would in a web browser, I've put another host in here on port 4444. You can see I have my Netcat listener up here and we see the connection from that remote server into my Netcat listener. You can also use this internally. Let's say you can't reach the internal subnet, let's say it's AWS, and we think there's other hosts on the internal subnet; we can use timing attacks. Let's say port 80's open on another host on the internal network; that will take a longer time to respond than if the port is closed. I've seen this in a lot of bug bounty reports, where you can do internal timing attacks using SSRF.

How do we test for this? Here's our good old Web Security Testing Guide, INPV-07. Just like SQL injection, we can use single quotes and double quotes to see if we can break the parser. Also, we can use angular parentheses. I didn't know what these were, I call them alligators if you are in the US education system. But angular parentheses, if you see this angular parentheses exclamation tak, tak, if you know anything about HTML, that's how we make a comment in HTML. Just like HTML, XML and the comments are the same, but you can try to break the parser using that. You can also attempt cross-site scripting payloads. When I created these labs, I see a lot of the time when I'm using Burp Pro's active scan that I'm able to get cross-site scripting to fire when I'm doing this. Interesting, but what's the bigger impact? Cross-site scripting or reading files on the server? I'd say reading files on the server.

How do we remediate this? Basically, we want to stop the parser's ability to load external entities, or disable DTDs. When I made this, I was using PHP, and basically all I had to do is mark something for the ability to load external entities from true to false. Some programming languages have this disabled by default, some don't. If you're a developer, depending on how you develop your application, I highly recommend that you check out the OWASP cheat sheet and how to make sure that you are not susceptible to XXE.

Summary: we covered how to test for XXE vulnerabilities and ways to remediate or prevent XXE.
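As an added example, not code from the lesson: the first probe the speaker describes (an entity named xxe holding the text evil, referenced from the user element of the creds document) run through Python's stock expat parser, beside a hardened parser that rejects DOCTYPE and entity declarations outright, which is the "disable DTDs" remediation the lesson ends on. All payloads are constructed for this example; Python's expat does not fetch external entities on its own, so the file-read and SSRF variants are not reproduced here.

```python
"""Added example, not the lesson's own code: the lesson's first XXE probe
run through a stock expat parser, beside a hardened parser that refuses
DTDs. Every payload here is constructed for the example."""
import xml.parsers.expat

# Mirrors the lesson's first test: internal entity "xxe" = "evil",
# referenced from the user element of the creds document.
PROBE = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
         b'<!DOCTYPE creds [<!ENTITY xxe "evil">]>\n'
         b'<creds><user>&xxe;</user><password>pw</password></creds>')

# Scaled-down "billion laughs": each entity references the one below it.
LOL = (b'<!DOCTYPE creds [<!ENTITY lol "lol">'
       b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;">'
       b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">]>'
       b'<creds><user>&lol2;</user><password>pw</password></creds>')


def element_text(xml_bytes, name, hardened):
    """Return the text inside <name>.  hardened=False is stock expat, which
    expands internal entities, so PROBE yields "evil": the tell that
    attacker-defined entities are honoured.  hardened=True raises ValueError
    on any DOCTYPE or entity declaration, so nothing can be defined at all."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"inside": False, "text": []}
    def start(tag, attrs):
        state["inside"] = (tag == name)
    def chars(data):
        if state["inside"]:
            state["text"].append(data)
    def reject(*_):
        raise ValueError("DOCTYPE and entity declarations are not allowed")
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: state.update(inside=False)
    parser.CharacterDataHandler = chars
    if hardened:
        parser.StartDoctypeDeclHandler = reject
        parser.EntityDeclHandler = reject
        parser.ExternalEntityRefHandler = lambda *_: 0  # never fetch externals
    parser.Parse(xml_bytes, True)
    return "".join(state["text"])


def rejected(xml_bytes):
    """True when the hardened parser refuses the document."""
    try:
        element_text(xml_bytes, "user", hardened=True)
    except ValueError:
        return True
    return False
```

The stock parse of PROBE returning "evil" is exactly the signal the speaker looks for in the response; the hardened parse never reaches the entity because the DOCTYPE itself is refused.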