To perform an XXE injection attack that retrieves an arbitrary file from the server's filesystem, you need to modify the submitted XML in two ways:

- Introduce (or edit) a DOCTYPE element that defines an external entity containing the path to the file.
- Edit a data value in the XML that is returned in the application's response, to make use of the defined external entity.

For example, suppose a shopping application checks for the stock level of a product by submitting the following XML to the server:

The application performs no particular defenses against XXE attacks, so you can exploit the XXE vulnerability to retrieve the /etc/passwd file by submitting the following XXE payload:

This XXE payload defines an external entity &xxe; whose value is the contents of the /etc/passwd file and uses the entity within the productId value. This causes the application's response to include the contents of the file:

Invalid product ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

Lab (Apprentice): Exploiting XXE using external entities to retrieve files

## Exploiting XXE to perform SSRF attacks

Aside from retrieval of sensitive data, the other main impact of XXE attacks is that they can be used to perform server-side request forgery (SSRF). This is a potentially serious vulnerability in which the server-side application can be induced to make HTTP requests to any URL that the server can access.

To exploit an XXE vulnerability to perform an SSRF attack, you need to define an external XML entity using the URL that you want to target, and use the defined entity within a data value. If you can use the defined entity within a data value that is returned in the application's response, then you will be able to view the response from the URL within the application's response, and so gain two-way interaction with the back-end system. If not, then you will only be able to perform blind SSRF attacks (which can still have critical consequences).

In the following XXE example, the external entity will cause the server to make a back-end HTTP request to an internal system within the organization's infrastructure:

## Finding and exploiting blind XXE vulnerabilities

## Finding hidden attack surface for XXE injection

Attack surface for XXE injection vulnerabilities is obvious in many cases, because the application's normal HTTP traffic includes requests that contain data in XML format. In other cases, the attack surface is less visible. However, if you look in the right places, you will find XXE attack surface in requests that do not contain any XML.

Some applications receive client-submitted data, embed it on the server-side into an XML document, and then parse the document.
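Both the file-retrieval and the SSRF variants above depend on the parser accepting a DOCTYPE that declares an external entity, so the server-side fix is the same for both: refuse the declaration before any entity can be defined. The following is an added example (not code from the original page or from PortSwigger) of a hardened parser for the stockCheck request using Python's stdlib expat bindings; the element names `stockCheck`/`productId` and the sample requests are assumptions modelled on the page's description.

```python
import xml.parsers.expat

class XmlRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or tries to fetch an external entity."""

def parse_product_id(xml_bytes: bytes) -> str:
    """Return the <stockCheck><productId> text. Any DOCTYPE is refused outright
    (every XXE payload needs one to declare its entity); as a second layer,
    external entity references are never resolved even if one slipped through."""
    parser = xml.parsers.expat.ParserCreate()
    path, product_id = [], []

    def start_doctype(name, system_id, public_id, has_internal_subset):
        raise XmlRejected(f"DOCTYPE not allowed (name={name!r}, system id={system_id!r})")
    def external_entity(context, base, system_id, public_id):
        # Defence in depth: never fetch the file:// or http:// target named by the document.
        raise XmlRejected(f"external entity fetch refused: {system_id!r}")
    def start_element(name, attrs):
        path.append(name)
    def end_element(name):
        path.pop()
    def char_data(data):
        if path == ["stockCheck", "productId"]:
            product_id.append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from exc
    return "".join(product_id).strip()

def is_rejected(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the document (useful for tests and request logging)."""
    try:
        parse_product_id(xml_bytes)
    except XmlRejected:
        return True
    return False

# Constructed sample requests modelled on the page's stockCheck example (not taken from the page).
BENIGN_REQUEST = b"<?xml version='1.0'?><stockCheck><productId>381</productId></stockCheck>"
XXE_REQUEST = (b"<?xml version='1.0'?><!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
               b"<stockCheck><productId>&xxe;</productId></stockCheck>")
```

Rejecting at the DOCTYPE stage also covers the SSRF variant, since an `http://` system identifier is refused before the parser ever considers fetching it.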