Hi there!
In this category, I will be writing about the topics that I explored/learned in the Null Web Study Group.
How I ended up in this group
I saw a post from the null - The Open Security Community group about a Web Security study group on LinkedIn, and after reading the information provided in the Google form, I filled in the form because of my interest in the security domain.
About the group
Mentor: Dhruv Shah (@Snypter)
Hosted/Managed By: Kumar Ashwin (@0xCardinal)
Pattern
Every two weeks, we suggest the topics we are interested in exploring/learning more about, and based on everyone's interest, one topic gets finalized.
Every week we have a meeting, mostly on Sunday, where we discuss and ask the doubts we have related to the topic that is going on.
First Topic - XXE
Resources
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection (a nice collection of XXE payloads)
- https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/ (Exploiting XXE with local DTD files, by Arseniy Sharoglazov)
- https://staaldraad.github.io/2016/12/11/xxeftp (setting up an FTP server for out-of-band (OOB) XXE attacks)
Labs
- https://portswigger.net/web-security/xxe (PortSwigger labs)
- https://gosecure.github.io/xxe-workshop/#0 (nice and advanced labs by the GoSecure team)
- https://github.com/jbarone/xxelab (simple XXE lab built on PHP)
Tips
By @Zseano:
Set a match-replace on BurpSuite to change all Content-Type:application/json to Content-Type:application/xml. Now browse the website as normal and yes a lot of features may not work, but go check for any XML errors on Burp.
Ref: https://www.bugbountyhunter.com/mobile/tutorial?type=xxe
Code Review
In PHP versions before 8.0, libxml's external entity loader is enabled by default, so XML parsing is exposed to XXE unless it is switched off: libxml_disable_entity_loader(false) leaves the loader on (the same as not calling it at all). Call libxml_disable_entity_loader(true) before parsing untrusted XML so external entities are not loaded.
PHP 8.0 and later require libxml 2.9.0 or newer, which no longer loads external entities by default, so libxml_disable_entity_loader() is deprecated there.
When reviewing code, still check the parser flags on each call: passing LIBXML_NOENT to DOMDocument::loadXML(), simplexml_load_string() and friends turns entity substitution back on, and with it the fetching of external entities, on PHP 8 as well; LIBXML_DTDLOAD makes the parser fetch external DTDs. Untrusted input should be parsed with neither flag, and ideally rejected outright if it carries a DOCTYPE.
Ref: https://bit.ly/3sByiLp (php.watch Website)
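To make the review rule concrete, here is an added example (my own code, not from the post or from php.watch) that parses the same constructed XXE payload twice with DOMDocument: once with LIBXML_NOENT, which resolves the external entity even on PHP 8, and once in a hardened form that refuses any DOCTYPE, passes neither LIBXML_NOENT nor LIBXML_DTDLOAD, and calls libxml_disable_entity_loader(true) only on PHP < 8.0 (where it is not yet deprecated). The "secret" file is created in the temp directory so the script runs stand-alone; a Unix-style path is assumed for the file:// URL.

```php
<?php
// Added example, not code from the post: an XXE-exposed DOMDocument parse
// next to a hardened one. Everything below is constructed for the demo.

// Constructed "secret" the payload tries to read (Unix temp path assumed).
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, 'top-secret');

// Constructed XXE payload: an internal DTD declaring an external entity
// that points at the local file through a file:// URL.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file://{$secret}">
]>
<data>&xxe;</data>
XML;

// Exposed variant: LIBXML_NOENT asks libxml to substitute entities, and for an
// external entity that means fetching it. This is the pattern to flag in review;
// it is reachable on PHP 8 / libxml >= 2.9.0 as well as on older versions.
function parseExposed(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom->documentElement->textContent;
}

// Hardened variant: untrusted XML is rejected if it carries a DOCTYPE at all,
// so no entity can be declared; the parse uses neither LIBXML_NOENT nor
// LIBXML_DTDLOAD and adds LIBXML_NONET so nothing is fetched over the network.
// On PHP < 8.0 the legacy loader switch is turned off too (the post's rule).
function parseHardened(string $xml): string
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE is not allowed in untrusted XML');
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true); // keep parse errors out of the output
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }
    return $dom->documentElement->textContent;
}

// Demonstration: the exposed parse hands back the file contents, the hardened
// parse rejects the payload before any entity declaration is processed.
echo 'exposed:  ', parseExposed($payload), PHP_EOL;
try {
    parseHardened($payload);
} catch (InvalidArgumentException $e) {
    echo 'hardened: rejected (', $e->getMessage(), ')', PHP_EOL;
}

unlink($secret);
```

When grepping a PHP code base for this, search for LIBXML_NOENT, LIBXML_DTDLOAD, libxml_disable_entity_loader(false) and parser calls (loadXML, simplexml_load_string, xml_parse, XMLReader) that take untrusted input; the DOCTYPE check above is the simplest safe default when the application never needs DTDs.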
Feel free to drop any suggestions via my social handles.
Thanks for reading!