
XXE and SSRF

OK going through some classics here:

We're going to pair these because we can, and will, leverage XXE to gain SSRF.

OK actual XXE

We've done a few of these quick "learn a common web exploit" lectures before. Maybe the best way is to start by looking at example payloads that exploit the vulnerability so your mind is tuned, THEN talk about the how.

Inspect the XXE section of the PayloadsAllTheThings library

Some of those look like this:

Alright, so what's going on?

XML is a markup language in the same family as the HTML we've been using this whole class, but even MORE abstract: it defines no tags of its own, so every document defines what its tags mean.

The world runs on XML, really. So in this case if any server anywhere is accepting XML arguments then there are some fun ways to play around with the extensibility of XML.

Namely, we can declare our own sort of XML variables (entities) in the document's DTD, then reference them inside of the payload as &varname;.

The declarations look like: <!DOCTYPE tagorverb [<!ENTITY varname "VALUE"> ]>

Here are some non cyber explanations of these DTDs (Document Type Definitions): https://www.w3schools.com/xml/xml_dtd.asp
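Added example (not code from the course or the labs): a standard-library Python parser wrapper that shows what the entity declaration above does to a parser, and the usual mitigation of refusing any DOCTYPE before an entity can be resolved. The sample documents are constructed for this example.

```python
"""Standard-library XXE gate built on xml.parsers.expat.

Permissive mode expands the internal entity from the DTD into the text;
hardened mode refuses any DOCTYPE before the internal subset is read.
External (SYSTEM) entities are never fetched in either mode.
"""
import xml.parsers.expat


class DtdRejected(Exception):
    """Document carries a DOCTYPE and so may declare its own entities."""


def parse_untrusted(xml_bytes: bytes, allow_dtd: bool = False) -> tuple:
    """Return ('ok', text) with the root element's character data,
    or ('rejected', reason) if the document was refused.

    allow_dtd=True mimics a permissive parser: <!ENTITY hi "yoyoyo"> is
    expanded wherever &hi; appears. allow_dtd=False is the hardened
    setting: any DOCTYPE aborts the parse immediately.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires when the DOCTYPE starts, before any <!ENTITY ...> is parsed.
        if not allow_dtd:
            raise DtdRejected(f"DOCTYPE {name!r} not permitted")

    def on_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat fail the parse instead of opening
        # system_id, so file:/// and http:// entities are never resolved.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = chunks.append
    try:
        parser.Parse(xml_bytes, True)
    except DtdRejected as exc:
        return ("rejected", str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return ("rejected", f"parse error: {exc}")
    return ("ok", "".join(chunks))


if __name__ == "__main__":
    doc = b'<!DOCTYPE foo [<!ENTITY hi "yoyoyo"> ]><foo>&hi;</foo>'
    print(parse_untrusted(doc, allow_dtd=True))  # ('ok', 'yoyoyo')
    print(parse_untrusted(doc))  # ('rejected', "DOCTYPE 'foo' not permitted")
```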

Some gotchas:

Live Testing

I didn't spawn up a ninja flag with this, but I did walk through the first lab in the PortSwigger series. So let's do that together as our first XXE:

Solve https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files

SSRF

We talked about this very briefly when we talked reverse shells.

The idea is simple: get their server to make HTTP requests on your behalf.

What does that do exactly? Well, HTTP requests made from behind their firewall have different permissions than those made from outside of it: they reach internal hosts and services that the firewall hides from the outside world.

Solve https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf

XXE in other labs

OK let's go. Try websec.fr problem 12. Here are some hints: Use SimpleXMLElement as the class name and number values (0,1,2,...) for param 2. For param 1, try something like: <!DOCTYPE foo [<!ENTITY hi "yoyoyo"> ]> <foo>&hi;</foo> (which integer works for this payload?). Now replace <!ENTITY hi "yoyoyo"> with something like <!ENTITY hi SYSTEM "php://filter/convert.base64-encode/resource=index.php"> and find an integer value that shows the source code (in base64). Hunt for a payload that solves the problem.

Here is a writeup that uses BOTH exploits to win.

Let's look at the following writeup: https://medium.com/bugbountywriteup/devoops-an-xml-external-entity-xxe-hackthebox-walkthrough-fb5ba03aaaa2