How to find and exploit XML External Entity Injection (Part-2)
Hello everyone, my name is Vineet Singh and this is the second part of our XML External Entity series. In this post, we will look at how to find and exploit XML External Entity Injection. If you have not read the first part of this series (https://securiumsolutions.org/xml-external-entity-injection-xxe), please read it first. In the first part we discussed what exactly XML External Entity Injection is, its different types, how it arises in web applications, and finally how to prevent it. In this post, I am going to use a lab provided by PortSwigger to explain how to find and exploit XML External Entity Injection. So let's get started with the practical part.
Whenever a web application uses XML to transport data from the client to the server, there is a chance of XML External Entity Injection. So the first step in finding XML External Entity Injection is to look for an endpoint that takes user input and transports the given data to the server by using XML. The second step is to capture the HTTP request in a proxy and tamper with the XML data that the server parses. Now let's do the lab.
Exploit XML External Entity to retrieve files
In this lab, we will try to exploit the XML External Entity and retrieve the internal files from the application server’s filesystem.
There is a shopping website with several items listed for sale (see the given screenshot).
When we click on “View details” for any product listed there, it redirects us to the details page of that product. Here we can see an option to check the stock of that product. See the given screenshot.
When we click on the “check stock” button, it displays the available stock of that product. Now we will capture the HTTP request by using Burp Suite (you can use any other proxy if you want). Click the “check stock” button again and this time capture the HTTP request in Burp, then send the captured request to the Repeater tab so we can analyse it in detail.
Now look at the captured HTTP request: the website uses XML to send the product id from the client to the server, so that the server can check the database for available stock and send the result back to the client. As I mentioned above, the first step is to find the endpoint that takes user input and transports the given data to the server by using XML. We have completed the first step, so let's move on to the second. We have to change the XML data that the server parses so that we can successfully execute our XML External Entity attack and read the internal files of the server. To do that, we have to add an external entity to the XML data.
Copy the XML code below and paste it into that HTTP request:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
In that XML code, we are trying to read the “/etc/passwd” file of the Linux system.
Now send the modified HTTP request and look at the response. In the response, we will get the contents of the /etc/passwd file. So here we have successfully exploited XML External Entity to retrieve files from the application server.
Exploiting XML External Entity to perform Server-Side Request Forgery (SSRF)
Now we will see how we can perform Server-Side Request Forgery (SSRF) through XML External Entity (XXE). For this, we use a PortSwigger lab.
This lab is the same as the previous one: it has an eCommerce website and a “check stock” feature that parses XML input and returns any unexpected values in the response.
The objective of this lab: The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive. To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server's IAM secret access key from the EC2 metadata endpoint.
Exploitation: We have to capture the check stock HTTP request and send it to Repeater. The next step is to add an external entity to the XML data. Insert the following external entity definition between the XML declaration and the stockCheck element:
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>
Send this request and look at the response. The response will contain "Invalid product ID" followed by a folder name. Iteratively update the URL in the DTD to explore the API until you reach /latest/meta-data/iam/security-credentials/admin. This should return JSON containing the SecretAccessKey. See the given screenshot.
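Both labs above depend on the server's XML parser accepting a DOCTYPE in the request body. The following is an added example, not code from this post or from the lab: a server-side parser for the stock check request, built on expat from the Python standard library, that refuses any DTD or entity declaration before it can be resolved. The element names productId and storeId and all function names are assumptions made for illustration.

```python
import xml.parsers.expat

class ForbiddenXML(ValueError):
    """Raised when a request body declares a DTD or any entity."""

def _forbid(what):
    def handler(*_args):
        raise ForbiddenXML(f"{what} not accepted in request bodies")
    return handler

def parse_stock_check(body: bytes) -> dict:
    """Parse a stockCheck body, refusing any DTD before it is expanded."""
    fields, stack, text = {}, [], []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE declaration")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.ExternalEntityRefHandler = _forbid("external entity reference")

    def start(name, attrs):
        stack.append(name)
        text.clear()
    def end(name):
        if len(stack) == 2:          # direct child of the root element
            fields[name] = "".join(text).strip()
        stack.pop()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(body, True)
    # Assumed field names; only ASCII digits are valid for either one.
    for key in ("productId", "storeId"):
        value = fields.get(key, "")
        if not (value.isascii() and value.isdigit()):
            raise ValueError(f"invalid {key}")
    return {key: int(fields[key]) for key in ("productId", "storeId")}

def is_rejected(body: bytes) -> bool:
    """True when the body is refused because of a DTD or entity."""
    try:
        parse_stock_check(body)
    except ForbiddenXML:
        return True
    return False

# Constructed samples; the two DOCTYPE lines are the ones shown in this post.
DECL = b'<?xml version="1.0" encoding="UTF-8"?>'
BODY = b"<stockCheck><productId>2</productId><storeId>1</storeId></stockCheck>"
FILE_DTD = b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
SSRF_DTD = b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>'
```

Rejecting the DOCTYPE outright works here because the stock check request has no legitimate need for a DTD, and the digit check on each field means an unexpected value is never echoed back in an error message.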
Thanks for reading this post, hope you liked it and learned something from it.
Web Application Security Intern