In this post, I will peel back the layers of XXE (XML External Entity) injections, exploring their mechanisms and impacts on application security. We’ll dig deep into how this pervasive vulnerability can be exploited, specifically focusing on a scenario involving file uploads. I shall break down the intricate process of XXE exploitation, and shed light on preventative measures and best security practices to counteract such attacks. The goal of this post is to equip you with a robust understanding of the XXE threat landscape, along with practical knowledge to help strengthen your application security strategies.
XML External Entity or XXE, is a type of security vulnerability that primarily affects applications parsing XML inputs. An XXE vulnerability arises when the XML parser doesn’t conduct input validation and indiscriminately processes any instructions it receives. This lapse allows an attacker to view files on the application server’s file system and interact with any backend system or application. Furthermore, XXE can also be utilized to perform SSRF (Server Side Request Forgery) against backend systems, thereby amplifying the potential threat.
Diverse XXE Attack Types
XXE attacks come in various forms, with the following being some of the most common ones:
- XXE exploited to retrieve files from the server.
- XXE leveraged to perform SSRF on backend systems.
- Blind XXE used for out-of-band data exfiltration.
For the purposes of this discussion, our primary focus will be on utilizing XXE to retrieve files from the server.
XXE Exploitation via File Upload using SVG
One of the most common attack scenarios involves using XXE to retrieve files from a system. Now, let’s turn our attention to a scenario where an application allows users to upload SVG (Scalable Vector Graphics) files. SVG files, which define graphics in XML format, create a multitude of attack scenarios. One such scenario includes exploiting XXE vulnerabilities. If there’s no server-side verification of content or commands when an SVG image is uploaded from the client side, an attacker can potentially execute malicious commands to extract internal details, such as fetching the “/etc/passwd” file.
To illustrate, let’s craft a request to fetch the “/etc/passwd” file from the server.
Crafting a Malicious SVG File
To create a malicious SVG file, we start by defining the XML version. Next, we can include our custom payload along with some attributes such as height, width, and font size. Below is an example payload:
<?xml version="1.0" standalone="yes"?> <!DOCTYPE foo [ <!ENTITY fetch SYSTEM "file:///etc/passwd">]> <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> <text font-size=“23" x=“8" y=“28">&fetch;</text> </svg>
This payload includes an ENTITY instruction that attempts to fetch the contents of “/etc/passwd” from the server. Additionally, it contains a text element, which determines the font size of the characters fetched. In most systems you can obivously modify the font size as required.
from the “/etc/passwd” file. It’s crucial to adjust the font size according to the specific situation as illegible text can hinder the execution of the attack. Once the file is ready, it can be saved as “image.svg” and uploaded.
Exploitation in Action
After uploading the file to an application without sufficient validation, inspecting your uploaded SVG will reveal the contents of the “/etc/passwd” file, thus demonstrating successful exploitation of the XXE vulnerability.
Ensuring secure file uploads is a fundamental aspect of maintaining the security integrity of your application. If your application enables users to upload image files, one of the initial security measures you should consider is whitelisting only the required file extensions.
Whitelisting involves specifying a list of acceptable file extensions that users are allowed to upload, thereby limiting the types of files that can be uploaded to your application. This is a critical security practice, as it helps prevent attackers from uploading potentially malicious files that could compromise your system. For example, only allowing file extensions such as “.jpg”, “.png”, or “.gif” for image uploads can prevent attackers from uploading script files or executables that could be used to exploit vulnerabilities in your application.
On the other hand, if your application needs to accept SVG (Scalable Vector Graphics) files due to business requirements, additional precautions should be taken. SVG files define graphics in XML format, which opens potential attack vectors such as the execution of XXE (XML External Entity) attacks, as detailed earlier in this article.
In this case, you should consider implementing stringent restrictions and validation mechanisms to prevent unvalidated processing of instructions contained in these files. This could involve, for instance, deploying XML parsers configured to disable the processing of DTDs (Document Type Definitions), a key factor in XXE attacks.
Moreover, server-side validation is essential, despite any client-side checks. Never rely solely on client-side validation because it can be easily bypassed. A robust server-side validation process will further ensure that only safe and expected content is allowed through, increasing your application’s resilience against XXE attacks.
Implementing content scanning and file type verification can also enhance your security posture. Scanning uploaded files for known malicious patterns and verifying that the file’s content matches its stated file type can help detect and block harmful uploads.
tldr; managing file uploads securely requires a balance between user functionality and security. Whitelisting necessary file extensions, employing robust server-side validation, and implementing additional restrictions for SVG files are essential practices to mitigate the risks associated with file uploads.
Want more? For further information on XXE vulnerabilities, I’d recommend checking out PortSwigger’s comprehensive guide on XXE which also has some awesome labs to get your hands dirty in.
Understanding and mitigating XXE vulnerabilities is a crucial aspect of ensuring the security of Web Applications. As I’ve demonstrated in this post, a seemingly innocuous function like file upload can be exploited to create substantial security risks. With thorough awareness and proactive remediation strategies, it’s possible to minimize these risks and protect your applications effectively.
Check out our new Discord Cyber Awareness Server. Stay informed with CVE Alerts, Cybersecurity News & More!
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.