This repository has been archived by the owner on May 14, 2020. It is now read-only.

XML eXternal Entity #1319

Closed
theMiddleBlue opened this issue Mar 5, 2019 · 1 comment

Comments


theMiddleBlue commented Mar 5, 2019

During the last chat meeting, we talked about creating one or more rules to handle XXE attacks. I'm quite near to a PR; I just want to share some topics with you. I'm trying to cover:

Questions

Before opening a new PR:

  • Should this be included in a new rule file, something like REQUEST-...-APPLICATION-ATTACK-XXE.conf?
  • If yes, would 495000 be a good numbering?
  • If not, any suggestion about where to add them?
  • I'm planning to block specific usage of SYSTEM "<wrapper-list>://..." in PL1. What do you think about completely denying the !ENTITY tag in PL3, for example?

Example rule

SecRule REQUEST_BODY "@rx <!ENTITY\s+[^\s]+\s+SYSTEM\s+['\"](?i:file|http|https|ftp|php|zlib|data|glob|phar|ssh2|rar|ogg|expect|zip)://" \
        "id:945020,\
        phase:2,\
        t:none,t:compressWhitespace,\
        log,\
        msg:'XML eXternal Entity: Local or Remote file inclusion',\
        logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
        tag:'application-multi',\
        tag:'platform-multi',\
        tag:'attack-xxe',\
        tag:'OWASP_CRS/WEB_ATTACK/XXE',\
        tag:'WASCTC/WASC-43',\
        tag:'OWASP_TOP_10/A4',\
        tag:'paranoia-level/1',\
        ver:'OWASP_CRS/3.2.0',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XXE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

PoC

$ git clone https://github.com/vulhub/vulhub.git
$ cd vulhub/php/php_xxe
$ docker-compose up -d

$ # exploit:
$ curl -s -H 'content-type: application/xml' \
   -d @./xxe.xml \
   'http://localhost:8080/simplexml_load_string.php'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
* Connection #0 to host localhost left intact

thanks
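To see what the proposed regex does and does not catch, here is an added Python emulation (not CRS code and not part of this issue) that applies the rule's pattern, after an approximation of t:compressWhitespace, to a few constructed request bodies, and also scores the stricter "deny any !ENTITY at PL3" idea from the questions above. The anomaly score value (tx.critical_anomaly_score = 5) and the PL3 rule label are assumptions.

```python
import re

# Wrapper list copied from the proposed rule 945020; scoped (?i:...) needs Python 3.6+.
XXE_WRAPPERS = ("file", "http", "https", "ftp", "php", "zlib", "data", "glob",
                "phar", "ssh2", "rar", "ogg", "expect", "zip")

# Same pattern as the rule: the ENTITY/SYSTEM keywords stay case-sensitive (XML is),
# only the URI scheme is matched case-insensitively.
PL1_RE = re.compile(r"<!ENTITY\s+[^\s]+\s+SYSTEM\s+['\"](?i:" + "|".join(XXE_WRAPPERS) + r")://")

# Hypothetical PL3 variant from the issue's last question: any entity declaration at all.
PL3_RE = re.compile(r"<!ENTITY")

CRITICAL_SCORE = 5  # assumed tx.critical_anomaly_score (CRS default)


def compress_whitespace(body: str) -> str:
    """Approximate ModSecurity t:compressWhitespace: any run of whitespace becomes one space."""
    return re.sub(r"\s+", " ", body)


def evaluate(body: str, paranoia_level: int) -> dict:
    """Score a request body the way the rule chain would at the given paranoia level.

    Returns the anomaly score plus (rule, matched-data) pairs, mirroring MATCHED_VAR.
    """
    transformed = compress_whitespace(body)
    score, matched = 0, []
    m = PL1_RE.search(transformed)
    if m:  # rule 945020 fires at every paranoia level >= 1
        score += CRITICAL_SCORE
        matched.append(("945020", m.group(0)))
    if paranoia_level >= 3:
        m = PL3_RE.search(transformed)
        if m:  # hypothetical stricter rule, only active at PL3+
            score += CRITICAL_SCORE
            matched.append(("pl3-any-entity", m.group(0)))
    return {"score": score, "matched": matched}


# Constructed sample bodies (not from the issue): tabs/newlines in the first one show
# that the whitespace normalisation does not break the match.
SAMPLES = {
    "xxe_file": '<?xml version="1.0"?>\n<!DOCTYPE r [\n\t<!ENTITY\txxe\n SYSTEM "file:///etc/passwd">\n]>\n<r>&xxe;</r>',
    "xxe_mixed_case_scheme": "<!DOCTYPE r [<!ENTITY h SYSTEM 'File:///etc/hostname'>]><r>&h;</r>",
    "internal_entity": '<!DOCTYPE r [<!ENTITY greeting "hello">]><r>&greeting;</r>',
    "benign": '<?xml version="1.0"?><order><id>42</id></order>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "PL1:", evaluate(body, 1), "PL3:", evaluate(body, 3))
```

The internal-entity sample shows the trade-off the last question is about: it has no SYSTEM identifier, so 945020 stays silent at PL1 and only the PL3 "any !ENTITY" variant would flag it.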

@theMiddleBlue
Contributor Author

Closing this. Please refer to #1320 (XML attack).
