Skip to main content

Unauthenticated: XXE Edition

Welcome to another installment of Unauthenticated! 

In this post, we will look at a recent web application penetration test where an XML external entity (XXE) expansion vulnerability was exploited without authenticating to the web application, resulting in a potential denial-of-service (DoS) condition on the webserver.

XXE Attacks

XXE attacks take advantage of issues in how an application processes XML data. Depending on how the application handles malicious XML, XXE attacks can allow an attacker to view files on the affected server, compromise the server through remote code execution, or cause DoS conditions on the server.

My coworker led a Hack The Box Meetup on the subject if you would like to learn more – XXE INJECTION Deep Dive with @0xTib3rius

The PortSwigger Web Security Academy has an excellent training section on the topic as well.

Exploitation

The web application for this engagement was relatively simple, functionality was mostly limited to querying information for a specified user. 

Both the application requests and responses were formatted in XML, which opened up the potential for XXE injection attacks.

Burp Suite was kind of enough to point out that certain tags the XML requests were vulnerable to an XXE expansion attack, which has the potential to cause DoS conditions on the web server.

The XXE expansion attack involves the following steps:

  • Define multiple entities in the document type declaration (DTD) of the XML document in the web request
  • Each entity references previously defined entities (can reference any number of entities)
  • The last entity is referenced within the XML document
  • When the last entity within the XML document is parsed by the application, the malicious entities are recursively expanded 
  • If there are no controls to limit the expansion and enough entities are defined, the recursive expansion can use an exponential amount of space in memory on the server and cause a DoS condition 

A famous example of this attack is called the billion laughs attack. Unfortunately, but understandably, the client did not allow us to attempt the billion laughs attack 🙁 

However, we were allowed to perform the following proof-of-concept to demonstrate the potential risk by creating a less destructive XXE payload, expanding 512 times rather than a billion:

  • 10 entities were defined with each entity referencing only one prior entity
  • entity0 (the first entity) contains the text “WhiteOakSecurity” 
  • entity9 (the last entity) is defined within the XML document
Malicious web request to exploit XXE expansion vulnerability code screenshot by White Oak Security

Below is the server response showing that the XXE payload was detonated. All 10 entities are recursively expanded when entity9 in the XML document was parsed, writing “WhiteOakSecurity” 512 times.

This screenshot of code in the white oak security blog shows Server response showing that the XXE payload was detonated, writing "WhiteOakSecurity" 512 times

Authentication Issues

A major aspect of conducting web application penetration tests is to look for authentication and authorization security issues. With authentication being the process of verifying a user’s identity, and authorization being the process of verifying what resources and functionality a user has access to. 

One common test case to perform on a web application penetration test is to verify that authentication is a requirement to interact with web application functionality, as an unauthenticated user should not be authorized to interact with much of the web application beyond the login page.

We were able to exploit the XXE attack described above without authenticating to the application, as noted by the missing session cookies and other header information in the malicious request below:

White oak screen captures the Unauthenticated XXE expansion payload with authentication headers removed

The server response below shows that our unauthenticated XXE payload was recursively expanded by the XML parser: 

This white oak screenshot of code explains the Server response showing that the unauthenticated XXE payload was detonated

An attacker with knowledge of this vulnerability has the ability to take down, at will, a potentially critical piece of business infrastructure without needing to authenticate. 

If authentication was properly implemented, the vulnerability would still exist but an attacker would at least be presented with the barrier of having to compromise a user account before being able to discover the vulnerability.

Closing

To prevent XXE vulnerabilities in particular, OWASP recommends disabling external entities and DTDs from being processed by XML parsers in your application.  

Properly implementing authentication and authorization on the other hand is a challenge, but it is critical to the security of every web application. Unfortunately, there is no standardized method to do so as every web application is different. 

The best course of action to identify authentication and authorization issues is to regularly perform manual testing and verification, through both your internal Quality Assurance processes and third-party application penetration tests such as those offered by White Oak Security.

MORE FROM WHITE OAK SECURITY

White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion. 

Read more from White Oak Security’s pentesting team.