09 Dec 2024
XXE SOC-mas XX-what-ee?XXE - XML External Entity DTD - Document Type Definition More than just calling out document language when coding a page, can also use to ensure certain attributes will always be included moving forward. DTD for address book may be:
<!DOCTYPE people [
<!ELEMENT people(name, address, email, phone)>
<!ELEMENT name (#PCDATA)>
<!ELEMENT address (#PCDATA)>
<!ELEMENT email (#PCDATA)>
<!ELEMENT phone (#PCDATA)>
]>
<!ELEMENT> defines the tags that are allowed, #PCDATA stands for parsed data/plain text. Can call out external files or resources with <!ELEMENT ext SYSTEM "<file-path/as-url/file-name>">.
When a web application processes an XML file with an external entity, the parser tries to load or execute the resource. If not sanitized properly it could reveal sensitive information or be redirected to malicious code.
For this operation, using Burp Suite to intercept requests using the in app browser and the repeater to send command payloads to browse beyond the website.
Primary fix is for devs to disable external entity loading in the xml parser. In PHP this can be done by setting libxml_disable_entity_loader(true) before processing any XML. Secondary is to always validate and sanitize user input. This ensures only expected data is processed. Remove suspicious keywords like /etc/hosts and /etc/passwd from requests.
Find the two flags in the web app.
XXE room.