XXE Attacks
2h 6m

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us the opportunity to practice what we have learned so far, and also to learn about new techniques and new vulnerabilities as well, such as XXE vulnerabilities.


Hi. Within this lecture, we're going to continue covering more challenges in the OWASP Juice Shop. So, we have logged in as the administrator user but we haven't actually discovered everything. We haven't tried everything that we can during this section, right? For example, when we come over here to the complaint department or customer feedback or even the account page, we haven't actually tested anything yet. For example, we have a file upload over here. We don't know if it has a file upload vulnerability, right? So, it's asking for a JPEG but maybe we can just give it a different kind of file and it will work. We don't know it yet, right?

Or over here, like the customer feedback, we haven't even tried to inject XSS over there. So, we have to try everything to see if we can find additional things.

And since we're actually solving challenges, we have solved some challenges and moved on directly, but it doesn't work that way in real life, right? So, what I'm going to do, I'm going to come over here and open a new OWASP Juice Shop tab and go to the scoreboard, and I'm going to see the XSS payload that we need to try.

So, for example, we have this iframe over here, and that is what I would do in a real-life web app pentest to see if this works or not, right? So, let's see what the result is over here; it has to be -2. I'm going to give a random rating, and as you can see it got submitted, but we don't see any kind of XSS.

But this goes into the administrator dashboard, like we have seen before, so maybe we can see it over there. Maybe it won't work, maybe it will work, but we have to try all of this stuff, right? For example, if I refresh this, as you can see it didn't work: we see the review over here, we see the feedback over here, it's there, so the submission is working, but the XSS is not working. At least we tried it.

Without trying we wouldn't even know. For example, in the complaint section, as you can see, we can give a complaint, and we can try the XSS over here as well. It's asking for an invoice. Maybe we can just give any file that we want over there. So, if you open this you can see the supported types, and the supported types are pdf and zip files, so we cannot do so much with pdf and zip files in this case, okay, but we can try to dig deeper and see if those are really the only files we can upload.

So, I'm going to come over here to Inspect Element and then to the Debugger. So, let's see, in the debugger we have main.js. Let me make it pretty. Okay. And I'm going to search for pdf or .zip so that I can see if those are really the only types that I can upload here.

I'm just searching for them to find the related code in the JavaScript. Okay, so even if you don't know anything about JavaScript, it's okay. You can just find the related parts by searching for the related terms. In this case, you can search for invoice or zip, like that. Okay, for example, we see the type pdf and zip over here, and I believe that's not the thing that we're looking for.

If you search it one more time, as you can see, we see a list of allowed types, and here we have pdf, zip, zip compressed, but also we have XML as well. So, we see the other types, but we have XML over here as well. So, this is very important. We did not know we could upload XML files before, right? So, now we know that, and we can try to exploit that as well. So, if we can upload an XML file, then we can directly go and think about XML external entities. Let me show you what it means; I'm going to search for it.

And I'm going to search for what I have been searching for so far, actually. So, we've found everything in this course in real time, okay? And you can do that later on when you need a payload or when you need anything to exploit vulnerabilities. So I'm going to search for XXE payload, even though I have misspelled it. I have written XEE, but it has to be XXE.

Okay. XML external entities. So, just search for a couple of those, open a couple of those, and see if we can get a good thing out of them. Okay. So, there is a tutorial over here as well if you want additional details. But I'm going to do my best to tell you about all of these vulnerabilities. So, as you can see this is again a type of attack, and it's against an application that parses XML input. So, what is XML? It's a markup language like HTML. But it's a little bit different, because we don't only use XML to create pages or create user interfaces; we can use XML for multipurpose things. For example, storing information, creating user interfaces, or creating simple little databases as well, actually. So, if you scroll down a little bit, you can see how it's written, and it looks a lot like HTML.

As you can see it starts with declaring the version and so on. Okay. And it actually specifies the doctype as well, like we did in HTML, and then we use tags and close the tags in order to create some values or in order to create some views. So, in this case, let me find the one that should make sense. As you can see, this is saving contact data and creating a name, phone, address, zip code and city inside of one single contact, inside of contacts.

Okay. So, it works with tags, as we did in HTML. So, this is another language. Okay, you don't have to learn XML from scratch in order to understand XXE vulnerabilities. Okay. It wouldn't make sense. Of course, if you want to be an advanced XXE exploiter, then you're more than welcome to learn everything about XML. And since I use XML in Android development in daily life, I know a lot about it, because we create user interfaces with XML in Android.

However, as I said before, XML is not only for creating user interfaces but also for saving data and other purposes as well. So, it's pretty useful. It's a good language to work with. And as you can see we can do something like this: we can create entities or actually run system commands with /etc/passwd, showing the /etc/passwd file like this. So, it's a good starting point for us. I believe there are a lot of payloads on GitHub as well, so you can just use one of them to try and see if this works for you, if this website is vulnerable or not.

So, I'm going to make sure to share these links with you, but it really doesn't make sense, because you can find it on your own on GitHub, and you can see a lot of options over there; you don't have to memorize all of this stuff. All you have to do is understand that XXE works with XML, and if you submit an XML file to that website you can make it run commands or show the files that it's not supposed to be showing. Okay?

Of course, we can do some kind of confirmation like we did in the previous sections. Like, when we wanted to confirm SQL injection we did AND 1=1, and over here we can do something like the classic XXE payloads, like maybe we want to see /etc/passwd over here. So I'm going to copy this and show you what I mean. Okay, I'm going to come over here to my terminal and I'm going to create a new XML file.

So, I'm going to use gedit for that. If you don't have gedit, if you have Geany or if you have leafpad, anything will work fine in this case. I'm going to open a test.xml file and paste the thing that we have copied from the website. Okay? So, this is XML code just to show the /etc/passwd file. Of course, /etc/passwd might not work, but other files might work.

So, this is not the only way to test this. Okay? Again, you're going to have to test this with a lot of files, as we did in the previous sections. So, if I say ls I can see test.xml has been created for me. Now what I'm going to do, I'm going to just upload this to the invoice section over here, so I'm going to browse, but I believe we cannot see the XML files, because it's only showing the supported types. You're going to have to change it to all files. There is a filter, but the filter allows XML as well.

So, I'm going to choose test.xml, and it won't get caught in the filter. So, if I say submit, here you go. Now, we managed to solve this challenge. So, as you can see, you can use XML files to exploit these XXE vulnerabilities, and it may actually get very serious in some cases. So, you may get rewarded for finding these vulnerabilities as well. So, in this case, if you want to see /etc/passwd, you can just use Burp Suite to see the responses, because it's not showing here, but it's not really important; we have seen XXE before.

Okay, and the challenge name, I believe, is to use a deprecated B2B interface. In this case, it's because they forgot to disable XML external entities in that service, but again, this is an XXE vulnerability. Okay? Not anything else. And by mistake, we have solved one of the two-star challenges, I believe, rather than a three-star one. But it really doesn't matter. We're not here to collect stars.
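The fix the lecture alludes to (the B2B service should never have accepted entity declarations) is shown here from the defender's side. This is an added example, not Juice Shop's own code: a screening step that rejects uploaded XML containing DOCTYPE, ENTITY or SYSTEM constructs before it reaches a parser, run over a constructed clean invoice and a constructed file-read payload of the shape the lecture copies from a public XXE reference.

```python
"""Screen uploaded XML for external-entity (XXE) constructs before parsing it."""
import re
from typing import List
import xml.etree.ElementTree as ET

# Constructed sample: the classic file-read payload shape (DOCTYPE with an
# external SYSTEM entity), the same idea as the test.xml used in the lecture.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<invoice><customer>&xxe;</customer></invoice>"""

# Constructed sample: what a legitimate invoice upload would look like.
CLEAN_SAMPLE = b"""<?xml version="1.0"?>
<invoice><customer>Jim</customer><total>42</total></invoice>"""

# Any of these markers means the document carries a DTD, which a B2B
# invoice endpoint has no reason to accept; the labels feed the log/reject message.
XXE_MARKERS = (
    (re.compile(rb"<!DOCTYPE", re.IGNORECASE), "DOCTYPE declaration"),
    (re.compile(rb"<!ENTITY", re.IGNORECASE), "ENTITY declaration"),
    (re.compile(rb"\bSYSTEM\s*[\"']", re.IGNORECASE), "SYSTEM identifier"),
)


def screen_xml_upload(data: bytes) -> List[str]:
    """Return the XXE indicators present in the raw upload (empty list = plain XML)."""
    return [label for pattern, label in XXE_MARKERS if pattern.search(data)]


def parse_invoice(data: bytes) -> dict:
    """Reject any DTD-bearing upload, then parse the rest with the stdlib parser."""
    findings = screen_xml_upload(data)
    if findings:
        # Refusing here is the mitigation: the entity is never even declared.
        raise ValueError("rejected upload: " + ", ".join(findings))
    root = ET.fromstring(data)
    return {child.tag: child.text for child in root}


def is_rejected(data: bytes) -> bool:
    """Convenience check used by callers that only need a yes/no answer."""
    try:
        parse_invoice(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_invoice(CLEAN_SAMPLE))          # the legitimate invoice parses
    print(is_rejected(XXE_SAMPLE))              # the payload is refused: True
```

Disabling DTD processing in the real parser (libxml's noent / DTD load options, or the equivalent in whichever library the service uses) is the primary control; this pre-parse screen is a cheap second layer that also gives you a log line to alert on.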

We're here to learn about XXE and other attacks. So, that's it for XXE right now. We're going to move forward and try to find a couple more solutions in the three-star challenges as well. So, I'm going to close all of these, open the three-star challenges, and move on from here. So, let's meet in the next lecture.


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.