In this post we provide a comprehensive list of different DTD attacks.
The attacks are categorized as follows:
Your can also check out our large-scale parser evaluation against DTD attacks.
Last updated on 16. January 2019.
Please contact us if you have any missing vectors!
Last updated on 16. January 2019.
Please contact us if you have any missing vectors!
Denial-of-Service Attacks
Testing for Entity Support
If this test is successful and and parsing process is slowed down, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is a high probability that your parser is configured insecurely and is vulnerable to at least one kind of DoS.
Billion Laughs Attack (Klein, 2002)
This file expands to about 30 KByte but has a total of 11111 entity references and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365refore exceeds a reasonable threshold of entity references.
Source
Billion Laughs Attack - Parameter Entities (Späth, 2015)
File stored on http://publicServer.com/dos.dtd
Quadratic Blowup Attack
Source
Recursive General Entities
This vector is not well-formed by [WFC: No Recursion].External General Entities (Steuck, 2002)
The idea of this attack is to declare an external general entity and reference a large file on a network resource or locally (e.g. C:/pagefile.sys or /dev/random).However, conducting DoS attacks in such a manner is only applicable by making cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 parser process a large XML document.
Source
Classic XXE
Classic XXE Attack (Steuck, 2002)
We use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 file '/sys/power/image_size' as an example, because it is a very simple file (one line, no special characters).
This attack requires a direct feedback channel and reading out files is limited by "forbidden characters in XML" such as "<" and "&".
If such characters occur in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 accessed file (e.g. /etc/fstab) cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 XML parser raises an exception and stops cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 parsing of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 message.
Source
XXE Attack using netdoc
Source: @Nirgoldshlager
XXE Attack using UTF-16 (Dawid Golunski)
Some simple blacklisting countermeasures can probably bypassed by changing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 default XML charset (which is UTF-8), to a different one, for example, UTF-16The above file can be simply created with a texteditor.
To convert it to UTF-16, you can use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 linux tool iconv
# cat file.xml | iconv -f UTF-8 -t UTF-16 > file_utf16.xml
Source, Thanks to @ilmila
XXE Attack using UTF-7
The same trick can be applied to UTF-7 as-well.# cat file.xml | iconv -f UTF-8 -t UTF-7 > file_utf7.xml
Source, Thanks to @ilmila
Evolved XXE Attacks - Direct Feedback Channel
This class of attacks vectors is called evolved XXE attacks and is used to (i) bypass restrictions of classic XXE attacks and (ii) for Out-of-Band attacks.Bypassing Restrictions of XXE (Morgan, 2014)
File stored on http://publicServer.com/parameterEntity_core.dtd
Source
Bypassing Restrictions of XXE (Späth, 2015)
File stored on http://publicServer.com/parameterEntity_doctype.dtd
XXE by abusing Attribute Values (Yunusov, 2013)
This vector bypasses [WFC: No External Entity References].File stored on http://publicServer.com/external_entity_attribute.dtd
Source
Error-based XXE using Parameter Entitites (Arseniy Sharoglazov, 2018)
File stored on http://attacker.com/ext.dtd
Abusing local-DTD Files XXE (Arseniy Sharoglazov, 2018)
Because external DTD subsets are prohibited within an internal subset, one can use a a locally existing DTD file as follows:
Contents of sig-app_1_0.dtd
Source (also providing a list of local DTD files)
Evolved XXE Attacks - Out-of-Band channels
Just because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is no direct feedback channel available does not imply that an XXE attack is not possible.XXE OOB Attack (Yunusov, 2013)
File stored on http://publicServer.com/parameterEntity_oob.dtd
Source
XXE OOB Attack - Parameter Entities (Yunusov, 2013)
Here is a variation of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 previous attack using only parameter entities.File stored on http://publicServer.com/parameterEntity_sendhttp.dtd
Source
XXE OOB Attack - Parameter Entities FTP (Novikov, 2014)
Using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 FTP protocol, an attacker can read out files of arbitrary length.File stored on http://publicServer.com/parameterEntity_sendftp.dtd
This attack requires to setup a modified FTP server. However, adjustments to this PoC code are probably necessary to apply it to an arbitrary parser.
Source
SchemaEntity Attack (Späth, 2015)
We identified three variations of this attack using (i) schemaLocation, (ii) noNamespaceSchemaLocation and (iii) XInclude.schemaLocation
noNamespaceSchemaLocation
XInclude
File stored on http://publicServer.com/external_entity_attribute.dtd
SSRF Attacks
DOCTYPE
External General Entity (Steuck, 2002)
Although it is best to reference a well-formed XML file (or any text file for that matter), in order not to cause an error, it is possible with some parsers to invoke an URL without referencing a not well-formed file.
Source
External Parameter Entity (Yunusov, 2013)
File stored on http://publicServer.com/url_invocation_parameterEntity.dtd
Source
XInclude
File stored on http://publicServer.com/file.xml
schemaLocation
File stored on http://publicServer.com/url_invocation_schemaLocation.xsd
or use this file
noNamespaceSchemaLocation
File stored on http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd
XXE on JSON Webservices Trick (Antti Rantasaari)
If you pentest a web service that supports JSON, you can try to enforce it parsing XML as well.
The example is copied from this Blogpost by Antti Rantasaari.
Given HTTP example request:
It can be converted to enforce using XML by setting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 HTTP Content-Type to application/xml:
In this case, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 JSON parameters "name" and "value" are converted to XML elements "" and "" to be Schema conform to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 JSON format.
A root element "" was added around and to get a valid XML document (since an XML document must have exactly one root element).
The XXE attack might also work by simply adding one of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r attack vectors of this blog.
XInclude Attacks (Morgan, 2014)
Source
XSLT Attacks
Authors of this Post
Christopher SpäthChristian Mainka (@CheariX)
Vladislav Mladenov