This repository was archived by the owner on May 14, 2020. It is now read-only.

XML eXternal Entity #1319

Closed
Description

@theMiddleBlue

During the last chat meeting, we talked about creating one or more rules to handle XXE attacks. I'm quite near to a PR; I just want to share some topics with you. I'm trying to cover:

Questions

Before opening a new PR:

  • Should this be included in a new rule file, something like REQUEST-...-APPLICATION-ATTACK-XXE.conf?
  • If yes, would 495000 be a good numbering?
  • If not, any suggestions about where to add them?
  • I'm planning to block specific usage of SYSTEM "<wrapper-list>://..." in PL1; what do you think about completely denying the !ENTITY tag in PL3, for example?

Example rule

# Proposed PL1 rule: flag an external entity declaration whose SYSTEM identifier
# uses one of the listed URL wrappers (the wrapper names are matched case-insensitively).
# t:compressWhitespace collapses runs of whitespace first, so tabs or newlines between
# the ENTITY name and SYSTEM cannot split the match.
SecRule REQUEST_BODY "@rx <!ENTITY\s+[^\s]+\s+SYSTEM\s+['\"](?i:file|http|https|ftp|php|zlib|data|glob|phar|ssh2|rar|ogg|expect|zip)://" \
        "id:945020,\
        phase:2,\
        t:none,t:compressWhitespace,\
        log,\
        msg:'XML eXternal Entity: Local or Remote file inclusion',\
        logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
        tag:'application-multi',\
        tag:'platform-multi',\
        tag:'attack-xxe',\
        tag:'OWASP_CRS/WEB_ATTACK/XXE',\
        tag:'WASCTC/WASC-43',\
        tag:'OWASP_TOP_10/A4',\
        tag:'paranoia-level/1',\
        ver:'OWASP_CRS/3.2.0',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XXE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

PoC

$ git clone https://github.com/vulhub/vulhub.git
$ cd vulhub/php/php_xxe
$ docker-compose up -d

$ # exploit:
$ curl -s -H 'content-type: application/xml' \
   -d @./xxe.xml \
   'http://localhost:8080/simplexml_load_string.php'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
* Connection #0 to host localhost left intact

thanks
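To check what the proposed rule would and would not flag before it reaches a PR, here is an added offline harness (not part of the issue or the CRS project) that applies the rule's regex after an approximation of t:compressWhitespace to a few constructed request bodies. The sample bodies and the helper names are assumptions made for the example.

```python
import re

# The @rx operator from the proposed rule, compiled with Python's re module.
# Python supports the scoped (?i:...) group that makes only the wrapper list
# case-insensitive; the SYSTEM keyword itself stays case-sensitive, as in XML.
XXE_SYSTEM_RE = re.compile(
    r"<!ENTITY\s+[^\s]+\s+SYSTEM\s+['\"]"
    r"(?i:file|http|https|ftp|php|zlib|data|glob|phar|ssh2|rar|ogg|expect|zip)://"
)


def compress_whitespace(body: str) -> str:
    """Approximation of ModSecurity's t:compressWhitespace: every run of
    whitespace (space, \\f, \\t, \\n, \\r, \\v, 0xA0) becomes one space."""
    return re.sub(r"[ \f\t\n\r\v\xa0]+", " ", body)


def rule_matches(body: str):
    """Run the rule's transformation chain, then the regex.
    Returns the matched text (what MATCHED_VAR would carry) or None."""
    m = XXE_SYSTEM_RE.search(compress_whitespace(body))
    return m.group(0) if m else None


# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    # external entity resolving a local file through the file:// wrapper
    "file_wrapper": '<?xml version="1.0"?>\n<!DOCTYPE foo [\n'
                    '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n<foo>&xxe;</foo>',
    # same declaration split by tabs/newlines and with an upper-case wrapper name;
    # compressWhitespace plus the (?i:...) group still produce a match
    "odd_whitespace": "<!DOCTYPE foo [<!ENTITY\txxe\n\n  SYSTEM\t'FILE:///etc/hostname'>]>"
                      "<foo>&xxe;</foo>",
    # internal entity: no SYSTEM identifier, nothing external is fetched
    "internal_entity": '<!DOCTYPE foo [<!ENTITY company "Example Corp">]><foo>&company;</foo>',
    # ordinary document without a DOCTYPE at all
    "plain": "<order><id>42</id></order>",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to the rule's match (or None)."""
    return {name: rule_matches(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16s} -> {'MATCH ' + repr(hit) if hit else 'no match'}")
```

Only the two bodies that declare a SYSTEM entity with a listed wrapper are flagged; the internal entity and the DOCTYPE-less document pass.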
