How is an XXE produced?

An External XML Entity (XXE) is a vulnerability resulting from an error when an application parses a document and follows the instructions contained in it, despite the fact that these could be malicious.

Basically, it works due to the current applications that allow users to upload XML data to the application. The server processes this information and sends a response.

In order to understand how XML works, see the next example:

<search><Term>cosa</term></search>

This line is sent by the client to the server, using a normal request in order to be processed; the result is also described in XML, as follows:

<search><result>result not found!</result></search>

As you can see from the preceding example, all of the tags included in the request and response are personalized, whereas in HTML, you have defined tags for each instruction. In XML, you define your own tags and you can use a document called a DTD. It helps to define the structure followed by the document and determine whether the document is valid for specific applications or not.

To define our own entities, XML uses the following instruction:

<!DOCTYPE foo [ <!ENTITY cosa "cosa" > ]>

Using that, when the parser reads the document, it replaces the definition with the value defined in the entity. The interesting thing comes in here: XML allows us to define external entities. To add these external references, you just need to use an URL format. An example of an external entity is shown here:

 <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]> 
<search><term>cosa</term></search>

Just by reading the reference to /etc/passwd, you can infer the potential to parse this reference without validation. Any kind of file could be exposed and sensitive information could be leaked.

With this bug, it's possible to perform different type of attacks, which include the following:

  • A malicious user can use the application as a proxy to retrieve sensitive information stored in the server where the vulnerability is located, or even in internal servers, if the server is located at a DMZ.
  • It's possible to exploit application vulnerabilities using URL requests.
  • It's possible to interact with the system, doing some network task for recognition.
  • It's even  possible to do a funny Denial of Service (DoS):
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM " file:///dev/random"> ]>

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.224.56.216