XXE Attack
- XML External Entities - Overview - Part I
- XML External Entities - Inband - Part II
- XML External Entities - Out of band (HTTP) - Part III
- XML External Entities - Billion Laughter Attack - Part IV
- XML External Entities - SSRF - Part V
- XML External Entities - DNS Resolution - Part VI
In XML External Entities - Overview - Part I, we covered the basics of XML (Extensible Markup Language) and XXE (XML External Entity). In this part, we will look at inband XXE injection, with a demo that gives a much clearer picture of the attack.
What is Inband?
When the attacker receives an immediate response to the XXE payload embedded in the request to the application, it is known as an inband attack. Inband XXE is the most common form of XXE. The example shown below illustrates how an attacker uses XML to read local files from the server:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test[ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<abc> &xxe; </abc>
The above example contains an ‘entity’ declared inside the DOCTYPE header using a system identifier (the SYSTEM keyword). Such entities can point at local or remote content. Thus an attacker can supply a malicious URI in the entity and make the application display the resolved content. In simple words, in an inband XXE attack the attacker forces the XML parser to access the specified resource, which could be a file on the server or on any remote system, and reflect it in the response.
DEMO
For the purpose of the demo, let us use the lab specially designed for XXE.
Step 1: Navigate to https://github.com/RihaMaheshwari/XXE-Injection-Payloads and download the zip file. If you are running Kali Linux, type the following command in the terminal:
git clone https://github.com/RihaMaheshwari/XXE-Injection-Payloads.git
Step 2: Host the downloaded application in a web server using XAMPP.
Step 3: Navigate to the application, i.e. “http://localhost/xxelab/penlab/”. You will see the interface as shown in Exhibit 1.
Exhibit 1
Step 4: Fill in the required details and click on Create Account. Use a proxy tool like Burp Suite to intercept the request and then forward it. You can see the normal request from the client and the normal response from the server.
Exhibit 2
Step 5: Add the following DOCTYPE declaration to the intercepted request, as shown in Exhibit 3.
The external entity “xxe” is declared with the value “file:///etc/passwd”. During XML parsing, this entity will be replaced with the content of /etc/passwd. The keyword “SYSTEM” instructs the parser that the entity value should be read from the URI that follows.
<!DOCTYPE test[
<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
Step 6: Reference the entity with “&xxe;” inside the email tag, since only the data between the email tags is reflected in the response, as shown in Exhibit 3. Forward the request to the server.
Exhibit 3
Bingo! The content of the password file is displayed in the response.
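As an added example (not part of the original post or the xxelab project), here is how the server side of a form like this one can refuse the payload used in the demo, plus a request-level check that flags such a body for logging. The request bodies and element names are constructed for illustration, and Python's built-in expat parser stands in for whatever parser the lab uses.

```python
import re
import xml.parsers.expat

class XxeRejected(Exception):
    """Untrusted XML declared a DTD or entity: treat it as an inband XXE attempt."""

# Constructed sample bodies for the lab's "Create Account" form (element names
# are hypothetical; the page does not show the form's real XML).
BENIGN_REQUEST = b'<user><name>alice</name><email>alice@example.com</email></user>'
XXE_REQUEST = (b'<?xml version="1.0" encoding="utf-8"?>\n'
               b'<!DOCTYPE test[ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
               b'<user><name>alice</name><email>&xxe;</email></user>')
# Request-level indicator for logging/alerting: a DOCTYPE, or an entity with a
# SYSTEM identifier, has no business in a form submission.
XXE_INDICATOR = re.compile(rb'<!DOCTYPE|<!ENTITY[^>]*\bSYSTEM\b', re.IGNORECASE)

def looks_like_xxe(data: bytes) -> bool:
    return XXE_INDICATOR.search(data) is not None

def parse_untrusted_xml(data: bytes) -> dict:
    """Return {tag: text} for leaf elements; refuse any DTD or external entity.
    Expat reports the DOCTYPE before any entity can be expanded, so raising
    there means file:///etc/passwd is never opened on the parser's behalf."""
    parser = xml.parsers.expat.ParserCreate()
    result, text = {}, []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XxeRejected(f"DOCTYPE '{name}' not allowed in client input")
    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XxeRejected(f"entity '{name}' declared (system id {sysid!r})")
    def on_end(tag):
        value = "".join(text).strip()
        if value:
            result[tag] = value
        text.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = lambda *args: 0  # never fetch anything
    parser.StartElementHandler = lambda tag, attrs: text.clear()
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return result

def is_rejected(data: bytes) -> bool:
    # True when the hardened parser refuses the document.
    try:
        parse_untrusted_xml(data)
    except XxeRejected:
        return True
    return False
```

With the DOCTYPE refused up front, the `&xxe;` reference is never reached, so nothing from /etc/passwd can end up in the email field of the response.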
Well, that seems pretty interesting, right? In XML External Entities - Out of band (HTTP) - Part III, we will be discussing the out-of-band XXE attack, which is even more interesting. If you enjoyed this, please comment and share.
References
https://github.com/RihaMaheshwari/XXE-Injection-Payloads
https://github.com/jbarone/xxelab