Welcome to another installment of Unauthenticated!
In this post, we will look at a recent web application penetration test where an XML external entity (XXE) expansion vulnerability was exploited without authenticating to the web application, resulting in a potential denial-of-service (DoS) condition on the webserver.
XXE attacks take advantage of issues in how an application processes XML data. Depending on how the application handles malicious XML, XXE attacks can allow an attacker to view files on the affected server, compromise the server through remote code execution, or cause DoS conditions on the server.
My coworker led a Hack The Box Meetup on the subject if you would like to learn more – XXE INJECTION Deep Dive with @0xTib3rius
The PortSwigger Web Security Academy has an excellent training section on the topic as well.
The web application for this engagement was relatively simple, functionality was mostly limited to querying information for a specified user.
Both the application requests and responses were formatted in XML, which opened up the potential for XXE injection attacks.
Burp Suite was kind of enough to point out that certain tags the XML requests were vulnerable to an XXE expansion attack, which has the potential to cause DoS conditions on the web server.
The XXE expansion attack involves the following steps:
A famous example of this attack is called the billion laughs attack. Unfortunately, but understandably, the client did not allow us to attempt the billion laughs attack 🙁
However, we were allowed to perform the following proof-of-concept to demonstrate the potential risk by creating a less destructive XXE payload, expanding 512 times rather than a billion:
Below is the server response showing that the XXE payload was detonated. All 10 entities are recursively expanded when entity9 in the XML document was parsed, writing “WhiteOakSecurity” 512 times.
A major aspect of conducting web application penetration tests is to look for authentication and authorization security issues. With authentication being the process of verifying a user’s identity, and authorization being the process of verifying what resources and functionality a user has access to.
One common test case to perform on a web application penetration test is to verify that authentication is a requirement to interact with web application functionality, as an unauthenticated user should not be authorized to interact with much of the web application beyond the login page.
We were able to exploit the XXE attack described above without authenticating to the application, as noted by the missing session cookies and other header information in the malicious request below:
The server response below shows that our unauthenticated XXE payload was recursively expanded by the XML parser:
An attacker with knowledge of this vulnerability has the ability to take down, at will, a potentially critical piece of business infrastructure without needing to authenticate.
If authentication was properly implemented, the vulnerability would still exist but an attacker would at least be presented with the barrier of having to compromise a user account before being able to discover the vulnerability.
To prevent XXE vulnerabilities in particular, OWASP recommends disabling external entities and DTDs from being processed by XML parsers in your application.
Properly implementing authentication and authorization on the other hand is a challenge, but it is critical to the security of every web application. Unfortunately, there is no standardized method to do so as every web application is different.
The best course of action to identify authentication and authorization issues is to regularly perform manual testing and verification, through both your internal Quality Assurance processes and third-party application penetration tests such as those offered by White Oak Security.