Page 133 - Hands-On Bug Hunting for Penetration Testers

Detecting XML External Entities                                             Chapter 7

            Billion Laughs attacks are not unique to XML (you can do a similar attack in YAML or any
            other file format that supports references), but they do clearly illustrate the means through
            which an unguarded XXE vulnerability can wreak havoc.



            XML injection vectors


            XML injection and XML parsing-related vulnerabilities aren't always observable from the
            client-side code: the XML part of the processing chain could be occurring within the server
            that formats your client-side input.

            Following an OWASP XML injection example, the client-side form (assuming, for
            argument's sake, that it's making a GET request) will create an HTTP request that looks like
            this:
                Username: james
                Password: Thew[…]p
                E-mail: james.mowry@terran.gov

            Then, before inserting it into an XML-document-like database, the application will build
            an individual XML node:

                <user>
                    <username>james</username>
                    <password>Thew[…]p</password>
                    <userid>[…]</userid>
                    <mail>james.mowry@terran.gov</mail>
                </user>

            You can exploit this behavior to perform different kinds of injection, including tag-based
            injection. That's when you add a valid XML tag within your input, spoofing a
            valuable property (this assumes that a <userid> of 0 represents an admin user) by making
            an HTTP request along these lines:
                Username: james
                Password: Thew[…]p</password>
                E-mail: <userid>0</userid><mail>james.mowry@terran.gov

            That HTTP request, when assembled into the XML-like datastore, causes one of the
            redundant <userid> tags to be filtered out, leaving a perfectly valid record that also
            escalates James's privileges.
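            The scenario above as an added Python sketch (example code, not the book's): a concatenating node builder next to an ElementTree one, a lenient regex-based store in which a repeated tag overwrites the earlier value, and a strict well-formedness check that a defender can use to reject the tampered record. The sample fields, the placeholder password "secret" and the default userid of 500 are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not the page's data): INJECTED mirrors the page's
# tag-based request; the password and the default userid are placeholders.
NORMAL = {"username": "james", "password": "secret",
          "mail": "james.mowry@terran.gov"}
INJECTED = {"username": "james", "password": "secret</password>",
            "mail": "<userid>0</userid><mail>james.mowry@terran.gov"}


def build_user_unsafe(fields, userid=500):
    """Vulnerable builder: input is concatenated straight into the markup."""
    return ("<user><username>%s</username><password>%s</password>"
            "<userid>%d</userid><mail>%s</mail></user>"
            % (fields["username"], fields["password"], userid, fields["mail"]))


def build_user_safe(fields, userid=500):
    """Hardened builder: ElementTree serialises each field as text, so '<'
    and '>' inside a field become &lt; and &gt; rather than new tags."""
    user = ET.Element("user")
    ET.SubElement(user, "username").text = fields["username"]
    ET.SubElement(user, "password").text = fields["password"]
    ET.SubElement(user, "userid").text = str(userid)
    ET.SubElement(user, "mail").text = fields["mail"]
    return ET.tostring(user, encoding="unicode")


def lenient_load(record):
    """A naive store that scrapes <tag>value</tag> pairs with a regex and
    keeps the last occurrence of each tag, so the injected <userid> wins."""
    return dict(re.findall(r"<(\w+)>([^<]*)</\1>", record))


def is_well_formed(record):
    """Strict parsing rejects the tampered record: a cheap detection check
    to run before any record reaches a lenient store."""
    try:
        ET.fromstring(record)
        return True
    except ET.ParseError:
        return False
```

With the unsafe builder the injected form yields a record that strict parsing refuses but the lenient store accepts with userid 0; the safe builder keeps userid 500 under both loaders.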
