Home > Cloud Computing > Cloud Security

Analysis of Different Types of DTD/XXE attacks

Source: Internet
Author: User
Tags xslt ftp protocol
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Analysis of Different Types of DTD/XXE attacks

 


 

When evaluating the security of XML-based services, you cannot forget the DTD-based attacks, such as XML external entity injection attacks (XXE ).

In this article, we will provide a comprehensive list of attacks against different types of DTD.

Attacks are classified as follows:

Denial of Service Attack (DDoS)

Basic XXE attacks

Advanced XXE attacks

Server Request Forgery (SSRF)

XML inclusion mechanism (XInclude)

Extended style sheet conversion language (XSLT)

Denial of Service (DDoS) supports entity testing: 

  
  
  ]>&a2;

If the parsing process changes very slowly, the test is successful, that is, the target parser configuration may be vulnerable to at least one DDoS attack.

Billion Laughs attack (Klein, 2002)

Note: "Billion Laughs" attack-generate a Billion "Ha!" In memory by creating a recursive XML definition !" String, resulting in DDoS attacks. The principle is: Construct malicious XML entity files to exhaust available memory, because many XML Parser tends to keep its entire structure in memory when parsing XML documents.


  
  
  
  ]>&a4;

This file is only 30 Kb in size, but has 11111 entity references, which exceeds the maximum number of valid entity references.

Source

Billion Laughs attack-parameter entity (Sp? Th, 2015) 
]>&g;

File located: http://publicServer.com/dos.dtd
XML second cracking DDoS Attack 
&a0;&a0;...&a0;

Source

General entity Recursion

It is best not to use Recursion-[WFC: No Recursion]


  ]>&a;
External entity (Steuck, 2002)

This attack is performed by declaring an external entity and then referencing a large file (for example, C:/pagefile. sys or/dev/random) located online or locally ).

However, this attack only allows the parser to parseHuge XML file.

]>&dos;

Source

Basic XXE attacks (Steuck, 2002) 

  ]>&file;

Take the file '/sys/power/image_size' as an example, because it is very short and has only one line and does not contain special characters.

This type of attack requires a direct feedback channel and the access to files is restricted by prohibited characters in XML, such as "<" and "&".

If these banned characters appear in the file to be accessed (for example,/etc/fstab), the XML Parser throws an error and stops parsing.

Source

XXE attack using netdoc 

  ]>&file;

Source: @ Nirgoldshlager

Advanced XXE attack-direct feedback channel

These attacks are advanced XXE attacks used to bypass restrictions on basic XXE attacks and OOB (out-of-band data) attacks.

Attackers can bypass the limitations of XXE attacks (Morgan, 2014) 

  
  
  
  %dtd;]>&all;

File located: http://publicServer.com/parameterEntity_core.dtd

Source

XXE attacks that abuse attribute values 
%remote;]>

File located: http://publicServer.com/external_entity_attribute.dtd


  
  %param1;

Source

Advanced XXE attack-OOB data (OOB) Channel

There is no channel for direct return, which does not mean there is no XXE attack.

Xxe oob attack (Yunusov, 2013) 
&send;

File located: http://publicServer.com/parameterEntity_oob.dtd


  
  %all;

Source

Xxe oob attack-parameter entity (Yunusov, 2013)

The difference is that only parameter entities are used.

%remote;%send;]>4

File located: http://publicServer.com/parameterEntity_sendhttp.dtd


  
  %param1;

Source

Xxe oob attack-parameter entity FTP (Novikov, 2014)

Using the FTP protocol, attackers can read files of any length.

%remote;%send;]>4

File located: http://publicServer.com/parameterEntity_sendftp.dtd


  
  %param1;

For this attack, you need to configure the FTP server. However, this POC code can be used on any parser with slight adjustments.

Source

SchemaEntity attack (Sp? Th, 2015)

There are three different attack methods: (I) schemaLocation, (ii) noNamespaceSchemaLocation, and (iii) XInclude.

SchemaLocation 
%remote; ]>
  
   4
NoNamespaceSchemaLocation 
%remote; ]>
XInclude 
%remote; ]>

File located: http://publicServer.com/external_entity_attribute.dtd


  
  %param1;
SSRF attack DOCTYPE 
]>4
External entity (Steuck, 2002) 

  ]>&remote;

Although it is best to reference a well-formed XML file (or any text file) to avoid errors, some Resolvers may still call files with incorrect URL reference formats.

Source

External parameter entity (Yunusov, 2013) 

  %remote; ]>4

File located: http://publicServer.com/url_invocation_parameterEntity.dtd

Source

XInclude

File located: http://publicServer.com/file.xml

it_works
SchemaLocation 

  
   4

File located: http://publicServer.com/url_invocation_schemaLocation.xsd

Or use this file.
NoNamespaceSchemaLocation 
4

File located: http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd
XInclude attack (Morgan, 2014)

Source

XSLT attacks

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
common types of ddos attacks different types of bundles different types of chromebooks different types of arrays different types of hash different types of heaps different types of loads
Related Article
How does personal cloud security guarantee data security?
Model-driven cloud security-automating cloud security with cl...
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More