Some of us, newcomers to security vulnerabilities, underestimate the damage XXE attacks can cause to a system. DoS attacks, sensitive data leaks, and server-side request forgery are only some of the threats to which systems with XXE vulnerabilities are exposed. Before we dive deeper into the security aspects and attack types, it is important to understand what DTD-based attack vectors are and how they affect our systems.
XML (eXtensible Markup Language) is a common technology used by a wide range of software. XML is used to define and validate document structure by means of document type definitions (DTDs) and schemas. When configured and used incorrectly, DTDs increase the exposure of the applications that use XML, leaving them open to DTD-based attacks that can have severe consequences. Below you can find a list of the most notorious
Types of DTD Attacks
Denial-of-Service (DoS) Attacks
DoS attacks can be defined as explicit attempts by criminals to prevent legitimate users from accessing a service. Generally, DoS attacks aim either to crash a service completely or to flood it and overload the system. In most cases, legitimate users are not even aware that they are the victims of a DoS attack.
Luckily, VPNs are an excellent defensive tool against DoS attacks. The use of a VPN will ensure that your IP address remains hidden from prying eyes. Since cyber criminals are not able to see your real IP address, your network connection can’t be flooded with traffic.
Use the data shown in the following image to test whether your parser is configured securely.
Data to Test Parser Security
If the test succeeds, that is, it noticeably slows down parsing, then your system is vulnerable to DoS attacks.
Below you will find a list of the most frequent DoS attacks you could become a victim of.
Most Frequent Denial of Service Attacks
Billion Laughs Attack
The attacker will be able to read sensitive data present on the server and scan for open ports on backend systems, which could then be used to exploit systems on your network.
Billion Laughs Attack – Parameter Entities
Quadratic Blowup Attack
When executed, a Quadratic Blowup Attack can take down a whole server or an entire website in a matter of seconds. It was discovered recently that WordPress and Drupal websites are vulnerable to this type of attack unless specific steps have been taken to defend against the Quadratic Blowup Attack.
Recursive General Entities
External General Entities
Classic XXE
XXE Injection attacks target applications that parse XML input. Although it may look harmless compared with other attack vectors such as Cross-Site Request Forgery (CSRF), an XXE Injection attack can extract sensitive data, access system files, steal source code, or obtain directory listings.
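As an added defensive example (not code from the original article), serving both the parser test in the DoS section above and the classic XXE vector just described: a Python expat parser that rejects any DTD entity declaration and refuses external entity references, together with a constructed nested-entity probe and a constructed external-entity document for checking that a parser really is configured that way. The document contents and the file path are placeholders I constructed, not payloads from the page.

```python
import xml.parsers.expat as expat


class EntityDeclarationRejected(Exception):
    """Raised by the hardened parser as soon as the DTD declares any entity."""


def _forbid_entity(name, is_param, value, base, system_id, public_id, notation):
    # Fires on each <!ENTITY ...> declaration before anything is expanded, so nested
    # (DoS) and external (XXE) entities are refused at the point of declaration.
    raise EntityDeclarationRejected("DTD entity declaration not allowed: %s" % name)


def _forbid_external_ref(context, base, system_id, public_id):
    return 0  # 0 makes expat abort instead of fetching the external resource


def make_parser(hardened=True):
    """Expat parser; hardened=True refuses entity declarations and external references."""
    parser = expat.ParserCreate()
    parser.buffer_text = True  # deliver each text node's character data in one chunk
    if hardened:
        parser.EntityDeclHandler = _forbid_entity
        parser.ExternalEntityRefHandler = _forbid_external_ref
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    return parser


def parse_text(xml_bytes, hardened=True):
    """Return the document's concatenated character data, or None if it was rejected."""
    chunks = []
    parser = make_parser(hardened)
    parser.CharacterDataHandler = chunks.append
    try:
        parser.Parse(xml_bytes, True)
    except (EntityDeclarationRejected, expat.ExpatError):
        return None
    return "".join(chunks)


# Constructed probe in the spirit of the page's parser test: three nested internal
# entities expand "lol" 16 times (48 characters of output from a one-line document).
PROBE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "lol">'
         b'<!ENTITY b "&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;">]><r>&c;</r>')
# Constructed classic-XXE shape: an external general entity with a placeholder path.
EXTERNAL = b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///placeholder/secret.txt">]><r>&x;</r>'
BENIGN = b"<r>hello</r>"  # control document with no DTD


def parser_is_hardened():
    """True when the probe that the default parser expands is refused by the hardened one."""
    return parse_text(PROBE, hardened=False) == "lol" * 16 and parse_text(PROBE) is None
```

The default (unhardened) parser silently expands the probe, which is exactly the behaviour the page's test is meant to reveal; the hardened one stops at the first declaration, before any expansion or fetch.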
Classic XXE Attack Examples
Classic XXE Attack
XXE Attack using netdoc
XXE Attack using UTF-16
XXE Attack using UTF-7
Advanced XXE
Also known as evolved XXE attacks, these attack vectors were created to bypass the restrictions of the classic XXE attacks, enabling attackers to disclose protected files from a connected network or server. Here are the main types of Advanced XXE attacks:
Advanced XXE Attacks when there is a Direct Feedback Channel
Bypassing Restrictions of XXE – Morgan, 2014
Bypassing Restrictions of XXE – Späth, 2015
XXE by abusing Attribute Values – Yunusov, 2013
Evolved XXE Attacks with Out-of-Band channels
XXE OOB Attack – Yunusov, 2013
XXE OOB Attack using Parameter Entities – Yunusov, 2013
XXE OOB Attack using Parameter Entities FTP – Novikov, 2014
Schema Entity Attack – Späth, 2015
There are three versions of the Schema Entity Attack, which are noted below with examples of each attack.
Server-Side Request Forgery (SSRF)
SSRF (Server-Side Request Forgery) attacks allow cyber criminals to send crafted requests from a vulnerable web app to internal systems that are protected by a firewall and are normally inaccessible from external networks. The attacker thus gains full or partial control of the request that is sent. If the attack succeeds, the attacker can accomplish the items listed below; each of them either yields the information the attacker is looking for or provides information that helps toward that end goal.
- Bypass IP whitelisting
- Scan the internal networks to which the servers are connected
- Bypass host-based authentication services
- Read resources that are not accessible to the public, such as trace metadata APIs or .axd in ASP.NET
- Read the files from the web server
- Retrieve sensitive information, which might include the IP address of web servers located behind reverse proxies
- Interact with sensitive APIs as the web server
Some of the most common SSRF (Server-Side Request Forgery) attacks are detailed below.
SSRF DOCTYPE
SSRF External General Entity – Steuck, 2002
SSRF External Parameter Entity – Yunusov, 2013
SSRF XInclude
SSRF schemaLocation
SSRF schemaLocation Second Example
SSRF noNamespaceSchemaLocation
XInclude Attacks – Morgan, 2014
An XML Inclusion attack lets an attacker load and include an external file. The most common XInclude attacks are shown in the examples listed below.
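Added example, not from the original article, covering the SSRF vectors listed above (DOCTYPE, external general and parameter entities, schemaLocation, noNamespaceSchemaLocation) and XInclude: a pre-parse gate that scans decoded XML text for outbound references and rejects untrusted input that carries any. All sample documents and the internal-host.invalid name are constructed placeholders.

```python
import re

# Raw-text patterns for the XML features on this page that can carry a server-side
# request: DOCTYPE and ENTITY external identifiers, XInclude href, and the XML Schema
# location hints. They run on decoded text before the document reaches any parser.
_QUOTED = r"""["']([^"']+)["']"""
_VECTORS = {
    "doctype-system": re.compile(r"<!DOCTYPE\s+\S+\s+SYSTEM\s+" + _QUOTED, re.I),
    "entity-external": re.compile(
        r"""<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM\s+|PUBLIC\s+["'][^"']*["']\s+)""" + _QUOTED, re.I),
    "xinclude-href": re.compile(r"<\w+:include\b[^>]*\bhref\s*=\s*" + _QUOTED, re.I),
    "schemaLocation": re.compile(r"\bschemaLocation\s*=\s*" + _QUOTED),
    "noNamespaceSchemaLocation": re.compile(r"\bnoNamespaceSchemaLocation\s*=\s*" + _QUOTED),
}


def find_external_references(xml_text):
    """Return (vector, reference) pairs for every outbound reference in the input."""
    findings = []
    for vector, pattern in _VECTORS.items():
        for ref in pattern.findall(xml_text):
            findings.append((vector, ref))
    return findings


def should_reject(xml_text):
    """Untrusted input that carries any such reference is refused before parsing."""
    return bool(find_external_references(xml_text))


# Constructed samples; internal-host.invalid is a placeholder, not a real target.
BENIGN = "<order><id>42</id></order>"
DOCTYPE = '<!DOCTYPE order SYSTEM "http://internal-host.invalid/order.dtd"><order/>'
PARAM = '<!DOCTYPE d [<!ENTITY % ext SYSTEM "http://internal-host.invalid/x.dtd"> %ext;]><d/>'
XINCLUDE = ('<doc xmlns:xi="http://www.w3.org/2001/XInclude">'
            '<xi:include href="http://internal-host.invalid/status" parse="text"/></doc>')
SCHEMA = ('<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
          'xsi:noNamespaceSchemaLocation="http://internal-host.invalid/root.xsd"/>')
```

Run it on the decoded text: the UTF-16 and UTF-7 XXE variants named earlier are exactly what a byte-level match would miss, and this gate complements parser hardening rather than replacing it.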
XSLT
XSLT is a Turing-complete language, so make sure you NEVER process XSLT code from untrusted or unknown sources. XSLT processors allow users to interact with external resources in a wide variety of ways, including access to JRE objects, read/write access to the file system, or scripting with Jython.
Are cybersecurity experts ready to face Document Type Definition (DTD) attacks?
DTD attacks have made it into OWASP’s Top 10 List, a list based on the opinion of leading cybersecurity experts whose purpose is to raise public awareness of web application security. DTD attacks have made it onto this list for serious reasons, which include sensitive data leaks, DoS attacks, and SSRF attacks.