XML external entities are a type of custom XML entity whose defined values are loaded from outside of the DTD in which they are declared. External entities are particularly interesting from a security perspective because they allow an entity to be defined based on the contents of a file path or URL.

The main types of XXE attack are:

- Exploiting XXE to retrieve files, where an external entity is defined containing the contents of a file, and returned in the application's response.
- Exploiting XXE to perform SSRF attacks, where an external entity is defined based on a URL to a back-end system.
- Exploiting blind XXE to exfiltrate data out-of-band, where sensitive data is transmitted from the application server to a system that the attacker controls.
- Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error message containing sensitive data.

Exploiting XXE using external entities to retrieve files

To perform an XXE injection attack that retrieves an arbitrary file from the server's filesystem, you need to modify the submitted XML in two ways:

- Introduce (or edit) a DOCTYPE element that defines an external entity containing the path to the file.
- Edit a data value in the XML that is returned in the application's response, to make use of the defined external entity.

For example, suppose a shopping application checks for the stock level of a product by submitting the following XML to the server:

The application performs no particular defenses against XXE attacks, so you can exploit the XXE vulnerability to retrieve the /etc/passwd file by submitting the following XXE payload:

This XXE payload defines an external entity &xxe; whose value is the contents of the /etc/passwd file and uses the entity within the productId value. This causes the application's response to include the contents of the file:

Invalid product ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

APPRENTICE lab: Exploiting XXE using external entities to retrieve files

Exploiting XXE to perform SSRF attacks

Aside from retrieval of sensitive data, the other main impact of XXE attacks is that they can be used to perform server-side request forgery (SSRF). This is a potentially serious vulnerability in which the server-side application can be induced to make HTTP requests to any URL that the server can access.

To exploit an XXE vulnerability to perform an SSRF attack, you need to define an external XML entity using the URL that you want to target, and use the defined entity within a data value. If you can use the defined entity within a data value that is returned in the application's response, then you will be able to view the response from the URL within the application's response, and so gain two-way interaction with the back-end system. If not, then you will only be able to perform blind SSRF attacks (which can still have critical consequences).
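As an added defensive example (not code from the original article), the following Python shows how a service receiving the stockCheck document described above could detect and refuse the DOCTYPE/ENTITY constructs that both the file-retrieval and the SSRF variants rely on, and how to validate the extracted value so that expanded entity text is never echoed back in an error. The stockCheck and productId element names come from the article; the product ID 381, the sample requests and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The constructs the article describes: a DOCTYPE that introduces a DTD, and an
# ENTITY declaration whose value is loaded from a SYSTEM or PUBLIC identifier.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def find_xxe_indicators(xml_text):
    """Return the reasons a document looks like an XXE attempt (empty = none).
    A SYSTEM entity is reported whether it names a file path or a URL, since
    the same construct serves file retrieval and SSRF."""
    reasons = []
    if DOCTYPE_RE.search(xml_text):
        reasons.append("DOCTYPE declaration present (inline DTD)")
    for m in ENTITY_RE.finditer(xml_text):
        kind = "parameter" if m.group(1) else "general"
        reasons.append(f"external {kind} entity '{m.group(2)}' declared via {m.group(3).upper()}")
    return reasons


def parse_stock_check(xml_text):
    """Return the productId from a stockCheck document.
    The format never needs a DTD, so any DOCTYPE is refused before the XML
    parser runs, and the value is validated as numeric so that expanded
    entity text can never be echoed back in an 'Invalid product ID' error."""
    reasons = find_xxe_indicators(xml_text)
    if reasons:
        raise ValueError("rejected XML: " + "; ".join(reasons))
    root = ET.fromstring(xml_text)
    if root.tag != "stockCheck":
        raise ValueError(f"unexpected root element {root.tag!r}")
    product_id = (root.findtext("productId") or "").strip()
    if not product_id.isdigit():
        raise ValueError("productId must be numeric")
    return product_id


# Constructed sample inputs (not captured traffic): a benign stock check and
# the /etc/passwd retrieval payload the article describes.
BENIGN_REQUEST = ('<?xml version="1.0" encoding="UTF-8"?>'
                  '<stockCheck><productId>381</productId></stockCheck>')
XXE_REQUEST = ('<?xml version="1.0" encoding="UTF-8"?>'
               '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
               '<stockCheck><productId>&xxe;</productId></stockCheck>')
```

The regex pre-check is a triage and logging aid rather than the authoritative control: a document in another encoding (for example UTF-16) would slip past a byte-level pattern, so the parser itself should also have DTD and external-entity processing disabled (defusedxml in Python, or the equivalent parser feature elsewhere).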