When evaluating the security of XML based services, one should always consider DTD based attack vectors, such as XML External Entities (XXE) as,for example, our previous post XXE in SAML Interfaces demonstrates.
Phone software for mac. This cheat sheet exposes how to exploit the different possibilities in libraries and software divided in two sections: Malformed XML Documents: vulnerabilities using not well formed documents. Ati radeon hd 4870 for mac pro. Invalid XML Documents: vulnerabilities using documents that do not have the expected structure. XSLT Cheat Sheet Edit Cheat Sheet Output mode xsl:output method='xml' version='1.0'/ xsl:output omit-xml-declaration='yes' indent='yes'/ Drop all empty nodes.
In this post we provide a comprehensive list of different DTD attacks.The attacks are categorized as follows:
Your can also check out our large-scale parser evaluation against DTD attacks.
Last updated on 16. January 2019.
Please contact us if you have any missing vectors!
Last updated on 16. January 2019.
Please contact us if you have any missing vectors!
Testing for Entity Support
If this test is successful and and parsing process is slowed down, there is a high probability that your parser is configured insecurely and is vulnerable to at least one kind of DoS.
Billion Laughs Attack (Klein, 2002)
This file expands to about 30 KByte but has a total of 11111 entity references and therefore exceeds a reasonable threshold of entity references.
Source
Billion Laughs Attack - Parameter Entities (Späth, 2015)
File stored on http://publicServer.com/dos.dtd
Quadratic Blowup Attack
Source
Recursive General Entities
This vector is not well-formed by [WFC: No Recursion].External General Entities (Steuck, 2002)
The idea of this attack is to declare an external general entity and reference a large file on a network resource or locally (e.g. C:/pagefile.sys or /dev/random).However, conducting DoS attacks in such a manner is only applicable by making the parser process a large XML document.
Source
Classic XXE Attack (Steuck, 2002)
We use the file '/sys/power/image_size' as an example, because it is a very simple file (one line, no special characters).
This attack requires a direct feedback channel and reading out files is limited by 'forbidden characters in XML' such as '<' and '&'.
If such characters occur in the accessed file (e.g. /etc/fstab) the XML parser raises an exception and stops the parsing of the message.
Source
XXE Attack using netdoc
Source: @Nirgoldshlager
XXE Attack using UTF-16 (Dawid Golunski)
Some simple blacklisting countermeasures can probably bypassed by changing the default XML charset (which is UTF-8), to a different one, for example, UTF-16The above file can be simply created with a texteditor.
To convert it to UTF-16, you can use the linux tool iconv
# cat file.xml | iconv -f UTF-8 -t UTF-16 > file_utf16.xml
Source, Thanks to @ilmila
XXE Attack using UTF-7
The same trick can be applied to UTF-7 as-well.# cat file.xml | iconv -f UTF-8 -t UTF-7 > file_utf7.xml
Source, Thanks to @ilmila
This class of attacks vectors is called evolved XXE attacks and is used to (i) bypass restrictions of classic XXE attacks and (ii) for Out-of-Band attacks.
Bypassing Restrictions of XXE (Morgan, 2014)
File stored on http://publicServer.com/parameterEntity_core.dtd
Source
Bypassing Restrictions of XXE (Späth, 2015)
File stored on http://publicServer.com/parameterEntity_doctype.dtd
XXE by abusing Attribute Values (Yunusov, 2013)
This vector bypasses [WFC: No External Entity References].File stored on http://publicServer.com/external_entity_attribute.dtd
Source
Error-based XXE using Parameter Entitites (Arseniy Sharoglazov, 2018)
Abusing local-DTD Files XXE (Arseniy Sharoglazov, 2018)
Because external DTD subsets are prohibited within an internal subset, one can use a a locally existing DTD file as follows:
Contents of sig-app_1_0.dtd
Source (also providing a list of local DTD files)
Just because there is no direct feedback channel available does not imply that an XXE attack is not possible.XXE OOB Attack (Yunusov, 2013)
File stored on http://publicServer.com/parameterEntity_oob.dtd
Source
XXE OOB Attack - Parameter Entities (Yunusov, 2013)
Here is a variation of the previous attack using only parameter entities.File stored on http://publicServer.com/parameterEntity_sendhttp.dtd
Source
XXE OOB Attack - Parameter Entities FTP (Novikov, 2014)
Using the FTP protocol, an attacker can read out files of arbitrary length.File stored on http://publicServer.com/parameterEntity_sendftp.dtd
This attack requires to setup a modified FTP server. However, adjustments to this PoC code are probably necessary to apply it to an arbitrary parser.
Source
SchemaEntity Attack (Späth, 2015)
We identified three variations of this attack using (i) schemaLocation, (ii) noNamespaceSchemaLocation and (iii) XInclude.schemaLocation
noNamespaceSchemaLocation
XInclude
File stored onhttp://publicServer.com/external_entity_attribute.dtd
DOCTYPE
External General Entity (Steuck, 2002)
Although it is best to reference a well-formed XML file (or any text file for that matter), in order not to cause an error, it is possible with some parsers to invoke an URL without referencing a not well-formed file.
Source
External Parameter Entity (Yunusov, 2013)
File stored onhttp://publicServer.com/url_invocation_parameterEntity.dtd
Source
XInclude
File stored on
http://publicServer.com/file.xmlschemaLocation
File stored on http://publicServer.com/url_invocation_schemaLocation.xsd
or use this file
noNamespaceSchemaLocation
File stored on http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd
If you pentest a web service that supports JSON, you can try to enforce it parsing XML as well.
The example is copied from this Blogpost by Antti Rantasaari.
Given HTTP example request:
It can be converted to enforce using XML by setting the HTTP Content-Type to application/xml:
In this case, the JSON parameters 'name' and 'value' are converted to XML elements '<search>' and '<value>' to be Schema conform to the JSON format.
A root element '<root>' was added around <search> and <value> to get a valid XML document (since an XML document must have exactly one root element).
The XXE attack might also work by simply adding one of the other attack vectors of this blog.
Source
Authors of this Post
Christopher SpäthXslt Cheat Sheet Printable
ChristianMainka (@CheariX)Vladislav Mladenov
🔥Complete Bug Bounty Cheat Sheet🔥
Xslt Cheat Sheet Excel
| 🔥Complete Bug Bounty Cheat Sheet🔥 |
| XSS |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md |
| https://github.com/ismailtasdelen/xss-payload-list |
| SQLi |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/sqli.md |
| SSRF |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/ssrf.md |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery |
| CRLF |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CRLF%20Injection |
| CSV-Injection |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/csv-injection.md |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSV%20Injection |
| Command Injection |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection |
| Directory Traversal |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal |
| LFI |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/lfi.md |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion |
| XXE |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xxe.md |
| Open-Redirect |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/open-redirect.md |
| RCE |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/rce.md |
| Crypto |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crypto.md |
| Template Injection |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/template-injection.md |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection |
| XSLT |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xslt.md |
| Content Injection |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/content-injection.md |
| LDAP Injection |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection |
| NoSQL Injection |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection |
| CSRF Injection |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSRF%20Injection |
| GraphQL Injection |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection |
| IDOR |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Direct%20Object%20References |
| ISCM |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Source%20Code%20Management |
| LaTex Injection |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection |
| OAuth |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/OAuth |
| XPATH Injection |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection |
| Bypass Upload Tricky |
| https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files |
| BURP |
| https://drive.google.com/file/d/1r1LGt7fEh8AuhihrBfp1GGmU9ttV9CkP/view?usp=sharing |
| https://drive.google.com/file/d/1IOgrVUIQb9HGQG9tePe3v_w2gyaymUFq/view?usp=sharing |
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment