1 00:00:00,420 --> 00:00:04,490 So as I said before, XML is a very popular data format.
2 00:00:05,440 --> 00:00:10,480 It's used in just about everything from web services to documents and more.
3 00:00:11,410 --> 00:00:16,450 And an XML document does not only consist of elements and attributes and data.
4 00:00:18,150 --> 00:00:23,920 You can also define a type definition for the document itself.
5 00:00:25,080 --> 00:00:29,340 So at this point, you can request or include some resources from the system.
6 00:00:29,940 --> 00:00:35,970 Then to interpret this XML data, an application needs an XML parser.
7 00:00:37,670 --> 00:00:42,530 An XML external entity attack, or XXE injection.
8 00:00:43,770 --> 00:00:45,320 That's where you're going to find them.
9 00:00:47,100 --> 00:00:55,050 So this attack occurs when XML input containing a reference to an external entity is processed by a
10 00:00:55,350 --> 00:00:57,660 weakly configured XML parser.
11 00:00:59,000 --> 00:01:06,050 So it may just lead to the disclosure of confidential data, denial of service, server-side request
12 00:01:06,050 --> 00:01:12,380 forgery, port scanning from the perspective of the machine where the parser is located, and many other
13 00:01:12,380 --> 00:01:13,340 system impacts.
14 00:01:13,520 --> 00:01:14,750 I mean, this is big, right?
15 00:01:16,100 --> 00:01:20,810 So in this lesson, we are going to cover XXE attacks.
16 00:01:22,260 --> 00:01:24,960 So let's open up Kali and log in to bWAPP.
17 00:01:26,010 --> 00:01:29,220 Then choose XML External Entity Attacks.
18 00:01:31,860 --> 00:01:35,040 Now, the page displayed looks like this.
19 00:01:36,350 --> 00:01:39,530 So now, to see more, let's view the page source.
20 00:01:40,810 --> 00:01:42,730 OK, so I see the JavaScript code here.
21 00:01:43,710 --> 00:01:52,500 And this code makes an AJAX request to xxe-2.php, and it sends the parameters in an XML file
22 00:01:52,500 --> 00:01:53,740 as the POST data.
23 00:01:54,570 --> 00:01:57,810 So before doing anything on the page, go to the terminal.
24 00:01:58,740 --> 00:02:08,610 Open xxe-1.php and scroll down a few lines, and here is the JavaScript from the page source.
25 00:02:10,760 --> 00:02:14,300 So I think there is nothing problematic here for now.
26 00:02:15,380 --> 00:02:16,880 So let's view the other file.
27 00:02:18,410 --> 00:02:26,360 I guess this page will open doors for us, perhaps even many doors. So on line 24, the data in the
28 00:02:26,360 --> 00:02:30,620 POST request body is taken by the php://input wrapper.
29 00:02:31,570 --> 00:02:34,300 Then this data is assigned to the body variable.
30 00:02:35,340 --> 00:02:42,170 And there is no check for the low level, and then naturally the body variable is loaded as an XML file.
31 00:02:44,170 --> 00:02:48,220 And yeah, it looks like the rest is the update code.
32 00:02:50,010 --> 00:02:54,720 Oh, and by the way, error display is turned on on line 30.
33 00:02:56,240 --> 00:03:03,140 OK, so now for the other levels, yeah, it's a little bit different. So on line 78, the XML external entities
34 00:03:03,140 --> 00:03:04,040 are disabled.
35 00:03:06,390 --> 00:03:07,650 The line is commented.
36 00:03:08,790 --> 00:03:15,530 But for the medium and high levels, you can uncomment it, and the rest is the update code as well.
37 00:03:16,510 --> 00:03:17,590 And we can exit.
38 00:03:18,370 --> 00:03:20,110 OK, so now go to Firefox.
39 00:03:21,450 --> 00:03:22,920 Enable FoxyProxy.
40 00:03:24,190 --> 00:03:28,480 And now I'm going to arrange the screen for you, because I like this view.
41 00:03:29,960 --> 00:03:34,370 OK, so when you click this button, the request on the right is sent.
42 00:03:35,310 --> 00:03:40,500 Now, it's a POST request, and you can see the XML file below as the POST data.
43 00:03:42,210 --> 00:03:45,570 And for this request, it detects XML content.
44 00:03:47,190 --> 00:03:50,820 So you can view the XML tab, or is it Pretty?
45 00:03:52,440 --> 00:03:57,810 OK, so forward this request, and the response contains just a message.
46 00:03:58,740 --> 00:03:59,700 OK, forward.
47 00:04:00,970 --> 00:04:05,970 Send the request to Burp again, and send it to the Repeater tool as well.
48 00:04:07,330 --> 00:04:08,560 Then let it go.
49 00:04:10,150 --> 00:04:14,530 OK, so go to the Repeater tab; let me maximize Burp here.
50 00:04:15,890 --> 00:04:19,490 And now send this first request to check the connection.
51 00:04:21,120 --> 00:04:23,060 Perfect, so it updates bee's secret.
52 00:04:24,700 --> 00:04:27,580 And I'm going to change this to bee1 and send.
53 00:04:28,810 --> 00:04:30,460 And it's reflected in the response.
54 00:04:31,710 --> 00:04:33,030 OK, so just write something.
55 00:04:34,360 --> 00:04:36,100 And it reflects that also.
56 00:04:37,380 --> 00:04:40,710 So instead of this XML file, I'll just paste in this one.
57 00:04:42,720 --> 00:04:50,580 Now, my payload will define an external entity named xxe, and then it prints its value.
58 00:04:52,230 --> 00:04:52,980 And then send.
59 00:04:53,980 --> 00:04:54,760 Perfect.
60 00:04:54,820 --> 00:05:01,260 So this means that we can include external resources in that XML. OK.
61 00:05:02,270 --> 00:05:04,670 Now I'm going to use this payload.
62 00:05:05,830 --> 00:05:09,340 And it will bring us the content of the password file.
63 00:05:10,630 --> 00:05:13,190 And let's have a look at that payload carefully.
64 00:05:13,210 --> 00:05:18,970 It uses a file wrapper to point to the password file, and it works well.
65 00:05:20,170 --> 00:05:25,480 OK, so now let's use one without this file wrapper.
66 00:05:27,120 --> 00:05:28,290 And it works also.
67 00:05:29,840 --> 00:05:31,850 OK, so I'm going to paste this one.
68 00:05:33,430 --> 00:05:36,160 And it uses PUBLIC instead of SYSTEM.
69 00:05:39,370 --> 00:05:41,530 And we see the hostname.
70 00:05:43,370 --> 00:05:46,730 So now we can use another wrapper to pull resources.
71 00:05:48,960 --> 00:05:51,810 But you can encode the file with this wrapper as well.
72 00:05:53,620 --> 00:05:54,640 So send the request.
73 00:05:55,980 --> 00:06:00,000 And the file is encoded, so copy the encoded part.
74 00:06:01,560 --> 00:06:02,700 Paste it in the Decoder.
75 00:06:03,790 --> 00:06:05,920 Then decode as Base64.
76 00:06:07,960 --> 00:06:10,750 And here is the content of the file.
77 00:06:12,250 --> 00:06:13,450 So go to the Repeater.
78 00:06:15,560 --> 00:06:17,780 We can also view the code files.
79 00:06:19,810 --> 00:06:25,240 And I will advise you to use this wrapper with encoding when you want to pull code files, because in
80 00:06:25,240 --> 00:06:30,040 a normal pull, that code can cause an XML execution error.
81 00:06:30,430 --> 00:06:30,970 We don't want that.
82 00:06:32,260 --> 00:06:33,520 OK, so send the request.
83 00:06:34,560 --> 00:06:37,110 And the encoded result comes back, so copy it.
84 00:06:39,660 --> 00:06:41,310 And paste it in the Decoder.
85 00:06:44,120 --> 00:06:45,140 Not as hex.
86 00:06:46,870 --> 00:06:50,650 And this is the code file of portal.php.
87 00:06:52,400 --> 00:06:54,110 And we can change the file.
88 00:06:55,170 --> 00:06:55,920 And send.
89 00:06:57,160 --> 00:06:58,540 Copy the encoded data.
90 00:06:59,580 --> 00:07:01,080 Paste it in the Decoder.
91 00:07:02,550 --> 00:07:06,420 And you can have a look at the content of the fstab file.
92 00:07:08,020 --> 00:07:09,550 So paste this payload.
93 00:07:11,310 --> 00:07:14,130 This payload will cause a denial of service.
94 00:07:15,750 --> 00:07:21,780 So when the XML engine tries to load this file, the payload will be expanded into memory, and it will
95 00:07:21,960 --> 00:07:25,240 fill up the entire memory of the server.
96 00:07:25,980 --> 00:07:29,190 So that's how the denial of service will happen.
97 00:07:30,760 --> 00:07:32,050 OK, so then send.
98 00:07:33,830 --> 00:07:36,710 And you see that nothing appears in the response pane.
99 00:07:37,650 --> 00:07:40,740 So now try to go to bWAPP or refresh the page.
100 00:07:41,770 --> 00:07:48,580 And you cannot manage to view the page. So if the server is not configured to prevent such an attack,
101 00:07:48,580 --> 00:07:51,370 it can cause some pretty serious problems.
102 00:07:53,310 --> 00:07:56,100 Thankfully, the web server in bee-box is configured properly.
103 00:07:57,740 --> 00:08:00,440 And we will get an error after 30 seconds.
104 00:08:00,860 --> 00:08:01,760 Far out.