Analysis of Different Types of DTD/XXE attacks

When evaluating the security of XML-based services, you cannot overlook DTD-based attacks such as XML External Entity injection (XXE).

In this article, we provide a comprehensive list of attacks that abuse the different features of a DTD.

Attacks are classified as follows:

Denial of Service (DoS)

Basic XXE attacks

Advanced XXE attacks

Server-Side Request Forgery (SSRF)

XML inclusion mechanism (XInclude)

Extensible Stylesheet Language Transformations (XSLT)

Denial of Service (DoS): test whether entities are supported

  ]>&a2;

If parsing becomes noticeably slow, the test succeeded: the target parser configuration is probably vulnerable to at least one DoS attack.

Billion Laughs attack (Klein, 2002)

Note: the "Billion Laughs" attack generates a billion "Ha!" strings in memory through nested, recursively expanding XML entity definitions, resulting in a DoS. The principle is to construct a malicious XML entity file that exhausts available memory, because many XML parsers keep the entire expanded structure in memory while parsing the document.

  ]>&a4;

This file is only 30 KB in size, but it expands to 11111 entity references, which exceeds the maximum number of entity references a parser should accept.

Source

Billion Laughs attack - parameter entity (Späth, 2015)
]>&g;

File located: http://publicServer.com/dos.dtd
Quadratic blowup DoS attack
&a0;&a0;...&a0;

Source

General entity recursion

Recursion should not be used; it violates the XML well-formedness constraint [WFC: No Recursion], so a conforming parser rejects it.

  ]>&a;
External entity (Steuck, 2002)

This attack declares an external entity that references a very large file (for example, C:/pagefile.sys or /dev/random) located remotely or locally.

However, this attack does nothing more than make the parser process a huge file.

]>&dos;

Source

Basic XXE attacks (Steuck, 2002)

  ]>&file;

Take the file '/sys/power/image_size' as an example: it is very short, has only one line and contains no special characters.

This type of attack requires a direct feedback channel, and access to files is limited by characters that are forbidden in XML content, such as "<" and "&".

If these forbidden characters appear in the file being accessed (for example, /etc/fstab), the XML parser throws an error and stops parsing.

Source

XXE attack using netdoc

  ]>&file;

Source: @Nirgoldshlager

Advanced XXE attack: direct feedback channel

These are advanced XXE attacks that bypass the restrictions of basic XXE attacks, plus out-of-band (OOB) attacks.

Bypassing the limitations of XXE attacks (Morgan, 2014)

  %dtd;]>&all;

File located: http://publicServer.com/parameterEntity_core.dtd

Source

XXE attacks that abuse attribute values
%remote;]>

File located: http://publicServer.com/external_entity_attribute.dtd

  %param1;

Source

Advanced XXE attack: out-of-band (OOB) channel

The absence of a direct return channel does not mean an XXE attack is impossible.

XXE OOB attack (Yunusov, 2013)
&send;

File located: http://publicServer.com/parameterEntity_oob.dtd

  %all;

Source

Xxe oob attack-parameter entity (Yunusov, 2013)

The difference is that only parameter entities are used.

%remote;%send;]>4

File located: http://publicServer.com/parameterEntity_sendhttp.dtd


  
  %param1;
  
  

Source

XXE OOB attack - parameter entity over FTP (Novikov, 2014)

Using the FTP protocol, attackers can read files of any length.

%remote;%send;]>4

File located: http://publicServer.com/parameterEntity_sendftp.dtd

  %param1;

This attack requires a specially configured FTP server. With slight adjustments, however, this PoC code can be used against any parser.

Source

SchemaEntity attack (Späth, 2015)

There are three different attack methods: (I) schemaLocation, (ii) noNamespaceSchemaLocation, and (iii) XInclude.

SchemaLocation
%remote; ]>
   4
NoNamespaceSchemaLocation
%remote; ]>
XInclude
%remote; ]>

File located: http://publicServer.com/external_entity_attribute.dtd

  %param1;
SSRF attack: DOCTYPE
]>4
External entity (Steuck, 2002)

  ]>&remote;

Although it is best to reference a well-formed XML file (or any text file) to avoid parser errors, some resolvers still request the URL even when the referenced file is not well-formed.

Source

External parameter entity (Yunusov, 2013)

  %remote; ]>4

File located: http://publicServer.com/url_invocation_parameterEntity.dtd

Source

XInclude

File located: http://publicServer.com/file.xml

it_works
SchemaLocation

   4

File located: http://publicServer.com/url_invocation_schemaLocation.xsd

Or use this file.

NoNamespaceSchemaLocation
4

File located: http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd

XInclude attack (Morgan, 2014)

Source
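As an added defensive example (not code from the original article or the cheat sheet it summarises), the following Python check uses the standard-library expat parser to reject any document carrying the constructs the sections above rely on: a DOCTYPE or entity declaration (the DoS, XXE and SSRF-via-DOCTYPE cases), an external entity reference, and an XInclude namespace declaration, before the application parser ever sees it. The UnsafeXML class, check_xml and classify, and the sample documents are constructed for this example; the SYSTEM path and XInclude URL in the samples are the ones the article names, and the schemaLocation vectors are a validator-level concern not covered here.

```python
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

class UnsafeXML(ValueError):
    """Input carries a DTD construct or an XInclude directive; refuse to parse it."""

def check_xml(document: str) -> str:
    """Return 'ok' for well-formed input with no DOCTYPE, entity or XInclude. Every
    handler aborts on first sight, so no entity is ever expanded (no blowup) and no
    SYSTEM URI is ever dereferenced (no file read, no outbound request)."""
    parser = expat.ParserCreate(namespace_separator=" ")
    # Never fetch an external DTD subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal):
        raise UnsafeXML(f"DOCTYPE {name!r} declared (system id={sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Normally unreachable (a DOCTYPE precedes it); kept as defence in depth.
        raise UnsafeXML(f"{'parameter' if is_param else 'general'} entity {name!r} declared")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r}")

    def on_namespace(prefix, uri):
        if uri == XINCLUDE_NS:
            raise UnsafeXML(f"XInclude namespace bound to prefix {prefix!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartNamespaceDeclHandler = on_namespace
    try:
        parser.Parse(document, True)
    except expat.ExpatError as exc:  # truncated or otherwise malformed input
        raise UnsafeXML(f"not well-formed: {exc}") from exc
    return "ok"

def classify(document: str) -> str:
    """Same check, returning the finding as text instead of raising (for logs)."""
    try:
        return check_xml(document)
    except UnsafeXML as exc:
        return f"rejected: {exc}"

# Constructed samples: one benign document, the entity-support test, a file XXE, an XInclude.
SAMPLES = {
    "plain": "<order><id>42</id></order>",
    "entity_test": '<!DOCTYPE x [<!ENTITY a "test">]><x>&a;</x>',
    "xxe": '<!DOCTYPE x [<!ENTITY f SYSTEM "file:///sys/power/image_size">]><x>&f;</x>',
    "xinclude": '<x xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://publicServer.com/file.xml"/></x>',
}
```

Rejecting every DTD is the right default for untrusted input; if a service must accept one, the fallback is to keep external entity and parameter entity resolution disabled and to cap entity expansion in the parser instead.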

XSLT attacks
