XXE vulnerability

[scw-examples]

Description

A security researcher identified an XXE vulnerability in the cloudjumper servlet on cloudjumper.example.com which discloses local files to an external attacker and allows web requests to be sent. This aligns to https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

In addition to local file read, it was confirmed through testing that if "file:///etc/passwd" is replaced with a URL, the servlet will make external requests and that it has outbound access to the internet. This may be a SSRF risk.

Depending on the trust relationships afforded to this host, XXE can be a viable candidate for pivoting to other related hosts It can be used to disclose sensitive files such as certificates and source from the target. This could expose some of the restricted functionality and capabilities of this host to the attacker.

Recommended Fix

If the servlet is not in use, remove it from the server. If it is in use, reduce the functionality of the XML parser such that entities are not resolved, outbound network traffic is disallowed and parameter expansion is disabled.

[secure-code-warrior-for-github]

Micro-Learning Topic: External entity injection (Detected by phrase)

Matched on "XXE"

What is this? (2min video)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "SSRF"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try this challenge in Secure Code Warrior