Page 131 - Hands-On Bug Hunting for Penetration Testers
Chapter 7: Detecting XML External Entities
This chapter will cover:
- Details of how an XML processor can become compromised
- How to craft XXE snippets and where to find community-sourced lists of them
- Tools to use in detecting XXE
- How to take an XXE vulnerability from discovery, to validation, to inclusion in a bug report submission
Technical requirements
For this chapter, we'll be using our standard version of Chrome ( ), along with a new developer environment deployment system, Vagrant, which, coupled with VirtualBox, will allow us to bootstrap our deliberately vulnerable XXE app (which we're using thanks to https://github.com/jbarone/xxelab). VirtualBox is a Virtual Machine (VM) client, and Vagrant adds a layer of dependency and environment management on top of that.
To install Vagrant and VirtualBox, pick the appropriate client for your system from their respective Downloads pages (https://www.vagrantup.com/downloads.html and https://www.virtualbox.org/wiki/Downloads).
A simple XXE example
There are a few different types of XXE attack, which can attempt Remote Code Execution (RCE) or, as we covered in the introduction, disclose information from targeted files. Here's an example of the second variety, from OWASP's entry for XXE:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
Here, you can see the external entity and its attempt, through the location string's file:// prefix and the system path that follows it, to access a sensitive file on the vulnerable server.
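As an added example (not from the book or the xxelab project), the following Python code uses only the standard library's expat bindings to surface the external entity declared in the OWASP snippet above, and to show the usual mitigation of refusing any document that carries a DOCTYPE at all. Both sample documents are constructed inline, and nothing is ever fetched from the declared path.

```python
"""Spot and refuse external entity declarations like OWASP's before parsing."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# OWASP's file-disclosure payload from above, embedded as constructed sample input.
XXE_SAMPLE = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    "<!DOCTYPE foo [\n"
    "<!ELEMENT foo ANY >\n"
    '<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>'
)
# A benign DTD-free document, the shape most endpoints expect (also constructed).
BENIGN_SAMPLE = '<?xml version="1.0"?><foo>hello</foo>'


def scan_for_xxe(xml_text):
    """Return (name, system_id) for each external entity declared in the DTD.

    expat always processes the internal DTD subset, so the handler fires before
    the &xxe; reference is reached. No ExternalEntityRefHandler is registered,
    so nothing is fetched; the scan only reports intent. Parameter entities
    (<!ENTITY % p SYSTEM ...>, used by blind variants) are reported as well.
    """
    found = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:  # SYSTEM/PUBLIC: external
            found.append((name, system_id))

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_text, True)
    return found


def has_doctype(xml_text):
    """True if the document carries a DTD at all, checked before any expansion."""
    seen = []
    probe = expat.ParserCreate()
    probe.StartDoctypeDeclHandler = lambda name, sid, pid, internal: seen.append(name)
    probe.Parse(xml_text, True)
    return bool(seen)


def parse_strict(xml_text):
    """Parse for an endpoint that never needs a DTD: refusing the DOCTYPE outright
    is the standard XXE mitigation, since without it no entity can be declared."""
    if has_doctype(xml_text):
        raise ValueError("DOCTYPE rejected: DTDs are not accepted by this endpoint")
    return ET.fromstring(xml_text)
```

Run scan_for_xxe over the sample to see the declared name and target reported, while parse_strict refuses the same document before any entity is expanded.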