file:///proc/self/cmdline : This virtual file is returning the command and the arguments used to start the process.file:///proc/self/cwd/ is an alternative to. file:///proc/self/cwd/FILE : Relative paths are likely to work.The /proc virtual filesystem include various files describing the current process. file:///proc/self/net/dev : Include public and internal IP.Hostnames, DNS resolvers and network devices information can give precious information to discover additional assets. Passwd is a file that is universally present on Linux operating system. If the application return the value inside the data node, the content of the file /etc/passwd will be reveal. If the server return the parsing result, it will suddenly reveal the content of this file. A malicious user could point to a file hosted on the remote server. However, when the parsing is done server side, the URLs from SYSTEM entities are also resolved on the server. For XML parsing done in a small script execute locally, this seems like a nice feature. When the keyword SYSTEM is added to an entity, it will attempt to load content from the specified URL. We are mentioning XML data because it can be a literal string, XML tags or any legal XML syntax where it is inserted.Įntity in HTML are used for special charactersĮntity is being used for a repeated pattern XML entities are reference to XML data inside of XML documents. The XML standard describes many useful formatting features but we are going to focus on " entities" because of the potential vulnerability it introduces. Being widely implemented in most programming language, it is an excellent choice for interoperability. You can also think about MS Office documents (. If you have built a website, you will edit or see inevitably HTML. You have probably already edited a configuration file written in XML. XML documents are used in plenty of file formats. Use docker-compose to start the application.Read build instructions ( %application_dir%/README.md) This step will differ for each application.All applications were built with a docker container recipe. In order to do the exercise, you will need to run the lab applications by yourself.
You can still follow the workshop by reading the content and watching the demonstrations. If you only have a web browser, you won't be able to reproduce the steps provided. The first requirement is to have a to have an HTTP interception proxy installed.
Feel free to do them in the order that you prefer. In many exercises, a bonus challenge is given.Įxercises are independent.
Skeleton payloads are also provided on the code repository. For every exercise, sample payloads will be given so that the attendees save some time.įor each exercise, detail steps will be given to reproduce the successful attack. Four applications will be at your disposition to test your skills. The focus of this workshop will be presenting various techniques and exploitation tricks for both PHP and Java applications. You might be able to detect the classic patterns, but can you convert the vulnerability into directory file listing, binary file exfiltration, file write or remote code execution? It is gaining more visibility with its introduction to the OWASP Top10 2017 (A4). XXE is a vulnerability that affects any XML parser that evaluates external entities. In this workshop, the latest XML eXternal Entities (XXE) and XML related attack vectors will be presented. Welcome to this 3-hour workshop on XML External Entities (XXE) exploitation!