What is XML Injection Attack.
Hello guys!! Hope you are doing well. I’m new to security field and this is my first article on medium. And if there is any mistake in this article then , forgive me ! Because I’m Noob.
Before diving deeper in XML attacks, lets first understand the basic concepts of XML.
What is XML:
XML stands for eXtensible Markup Language which was designed to store and transport data. Like HTML, XML uses a tree-like structure of tags and data. Unlike HTML, XML does not use predefined tags, and so tags can be given names that describe the data. It is used in everything from web services (XML-RPC, SOAP, REST, WSDL) through documents (XML, HTML, DOCX) to image files (SVG, EXIF data) and RSS. To interpret XML data, an application needs an XML parser (also known as the XML processor).
The following is an example output of a simple web application that accepts XML input, parses it, and outputs the result.
XML Document Type Definition (DTD):
A DTD is a Document Type Definition which defines the structure and the legal elements and attributes of an XML document. The DTD is declared within the optional DOCTYPE element at the start of the XML document. The DTD can be fully self-contained within the document itself (known as an “internal DTD”) or can be loaded from elsewhere (known as an “external DTD”) or can be hybrid of the two.
XML Entities:
An XML entity is a representation of some information. A predefined entity is
generally used to represent markup characters such as <, >, and so on. Entities can be used as a kind of shortcut that allows you to embed blocks of text or even entire documents and files into an XML document. This makes updating documents across networks very easy. For example, to represent < we use <. The following table contains common predefined entities used in XML:
Note: An entity has three parts: an ampersand (&), an entity name, and a semicolon (;).
In general, we have three types of entities: internal entities, external entities, and parameter entities.
Internal Entities:
These are entities that refer to entities whose definitions can be found entirely within a document’s DTD. The basic purpose of an internal entity is to get rid of typing the same content (like the name of the organization) again and again.
Syntax: <!ENTITY entity-name “entity-value”>
Example:
External Entities:
XML external entities are a type of custom entity whose definition is located outside of the DTD where they are declared.
The declaration of an external entity uses the SYSTEM keyword and must specify a URL from which the value of the entity should be loaded. For example:
<!DOCTYPE foo [ <!ENTITY ext SYSTEM “http://normal-website.com" > ]>
The URL can use the file:// protocol, and so external entities can be loaded from file. For example:
<!DOCTYPE foo [ <!ENTITY ext SYSTEM “file:///path/to/file” > ]>
XML external entities provide the primary means by which XML external entity attacks arise.
Parameter Entities:
Parameter entities are only used in Document Type Definitions (DTDs). A parameter entity starts with the % character. This character instructs the XML parser that a parameter entity (not a general entity) is being defined. In the following example, a parameter entity is used to define a general entity, which is then called from the XML document.
Now lets dive deep into the XML Injection attacks.
Types of XML Injection Attacks:
XML parsers with bugs, or that are misconfigured and hence vulnerable to manipulation, are generally susceptible to two kinds of attacks.
· XML Bombs: The XML parser may crash or execute incorrectly given certain input data, resulting in a Denial of Service attack.
· XXE Injection: The XML parser may inadvertently leak sensitive information.
XML Bomb Attacks:
An XML Bomb may be both well-formed and valid XML, but is designed so as to cause the XML parser, or the application processing its output, to hang or crash executing.
For example, consider the Billion Laughs Attack that consists of a short XML file that manages to expand under XML parsing into some 3 gigabytes of data. The large resultant data typically crashes any application, and it is easy to see how the data size could be scaled arbitrarily larger and lead to DOS attack.
Mitigating XML Bombs:
The best way to avoid XML Bombs is for the application to configure the XML parser to disable inline expansion of entities. Without inline expansion the geometric size increase is not available to the attacker and these attacks will be rendered harmless.
When the application requires entity expansion, or if the XML parser does not provide this configuration option, set the parser to enforce a limit on the size of expanded entities.
XXE Injection Attacks:
Per OWASP definition, An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
Reading files via XXE:
XXE allows us to read files on the system; we can read the content of different juicy configuration files containing sensitive information such as a database, username and password. To perform an XXE injection attack that retrieves an arbitrary file from the server’s filesystem, you need to modify the submitted XML in two ways:
- Introduce (or edit) a DOCTYPE element that defines an external entity containing the path to the file.
- Edit a data value in the XML that is returned in the application’s response, to make use of the defined external entity.
Consider the following example from dvws vulnerable application:-
- Select XXE attack option from dvws and capture the request in burp suite after clicking the “Print Greeting” button and the send the burp request to the repeater tab.
2. Now modify the XML content to include the external entity to ready the sensitive file from server.
Modified XML data:-
<?xml version=”1.0" encoding=”ISO-8859–1"?>
<!DOCTYPE uservalue [
<!ENTITY xxe SYSTEM “file:///C:/Windows/System32/drivers/etc/hosts” >
]>
<uservalue>
<value>&xxe;</value>
</uservalue>
So this way we can read the sensitive files from server and the local system.
Additionally, we can also perform the SSRF, arbitrary file read, DOS, RCE attacks etc through XXE injection.
That’s all for my first XXE article, in next we will be discussing the Blind XXE Injection.
Thanks all!!!. Hope you guys like my first write-up. Any feedback is much appreciated.
Lastly, special thanks to my friend Sarvagya Sagar who motivated me to write this article!!!
References:
https://research.cs.wisc.edu/mist/SoftwareSecurityCourse/Chapters/3_8_4-XML-Injections.pdf
