Page 130 - Hands-On Bug Hunting for Penetration Testers

7

Detecting XML External Entities

XXE is an abbreviation of XML External Entity. As an attack, it takes advantage of a flaw in an application's XML parser configuration to perform a number of malicious actions, including exposing the contents of protected files, or causing the exponential use of memory, resulting in a DoS attack.

XML, like JSON, comprises a big part of the data transfer that powers the modern internet. As a system for encoding documents in both human- and machine-readable ways, XML is common in tech stacks of a certain age, and persists in older API architectures such as Simple Object Access Protocol (SOAP), even though web applications rely more and more on JSON as a common standard. In 2017, OWASP named XXE as number four on their list of the top ten web vulnerabilities; it wasn't included in the list in the previous survey in 2014.

The nature of the attack stems from XML's concept of entities, a primitive data type that combines a string with a unique alias or reserved word. When the XML parser expands the entity, it looks up the URI the entity points to and stores its contents in the final XML document. If the entity points to a sensitive file on the web server, then that information is compromised. There are different vectors for supplying that XML, including application form inputs. Because the vulnerability involves XML code being mistakenly parsed (and executed) after it is submitted through a form input, XXE can be classified as a form of code injection.

There are a couple of risk factors for XXE, both let in by weakly configured or misconfigured XML parsers: if a parser accepts tainted data within the Document Type Declaration (DTD), and it processes that DTD and resolves external entities, the site is at risk. As an example, if you're using PHP, the language's documentation specifically states that you need to set libxml_disable_entity_loader to true in order to disable the ability to load external entities (https://secure.php.net/manual/en/function.libxml-disable-entity-loader.php).
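The PHP setting above is one parser's switch for this policy. As an added example in Python's standard library (not code from the book), the guard below enforces both risk factors just described, refusing external DTDs and external entities, and caps entity declarations to blunt the exponential-expansion DoS. The sample documents and the SYSTEM path in XXE_DOC are constructed placeholders.

```python
import xml.parsers.expat


class XxePolicyViolation(Exception):
    """The untrusted document tried something the parsing policy forbids."""


def parse_untrusted_xml(data, allow_internal_dtd=False, max_entity_decls=4):
    """Parse untrusted XML and return (root_tag, text). External DTDs/entities are
    refused; any DOCTYPE is refused unless allow_internal_dtd; decls are capped."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"root": None, "text": [], "decls": 0}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:  # external DTD: a resolving parser would fetch it
            raise XxePolicyViolation(f"external DTD reference: {sysid or pubid}")
        if not allow_internal_dtd:
            raise XxePolicyViolation("DOCTYPE not permitted for this input")
    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:  # SYSTEM/PUBLIC entity is the classic XXE primitive
            raise XxePolicyViolation(f"external entity {name!r}: {sysid or pubid}")
        state["decls"] += 1
        if state["decls"] > max_entity_decls:  # billion-laughs style DoS guard
            raise XxePolicyViolation("too many entity declarations (DoS guard)")
    def external_entity_ref(context, base, sysid, pubid):
        raise XxePolicyViolation(f"external entity reference: {sysid or pubid}")
    def start_element(name, attrs):
        state["root"] = state["root"] or name

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = state["text"].append
    parser.Parse(data, True)  # any violation aborts parsing via the exception
    return state["root"], "".join(state["text"]).strip()


def check(data, **policy):
    """Return None if the document passes the policy, else the violation text."""
    try:
        parse_untrusted_xml(data, **policy)
    except XxePolicyViolation as exc:
        return str(exc)
    return None


# Constructed sample documents; the SYSTEM path is a placeholder, not a real target.
SAFE_DOC = b'<!DOCTYPE r [<!ENTITY greet "hello">]><r>&greet; world</r>'
XXE_DOC = b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/secret">]><r>&xxe;</r>'
LAUGHS_DOC = ('<!DOCTYPE r [<!ENTITY a "ha">'
              + "".join(f'<!ENTITY {n} "&a;&a;">' for n in "bcdef")
              + ']><r>&f;</r>').encode()
```

With the default policy every DOCTYPE is rejected, which is the safest choice when your application never needs a DTD; allow_internal_dtd=True still blocks the external-entity and expansion cases.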