In this post we provide a comprehensive list of different DTD attacks.
Bugbounty-cheatsheet / cheatsheets / xslt.md Go to file Go to file T; Go to line L; Copy path Cannot retrieve contributors at this time. 25 lines (20 sloc) 684 Bytes Raw Blame. Jun 18, 2020 - Explore First Place Positioning's board 'Cheatsheets', followed by 22646 people on Pinterest. See more ideas about cheat sheets, cheating, web development design.
XML input = XSLT = XML output. XSL:FO is XML output nothing more nothing less. The flow is not. XML input = XSLT = XML output & XSL:FO. I think the root of the confusion stems from the fact that the term XSL encompasses XSLT/XSLFO & XPATH yet often XSL is used as a synonym for XSLT. A list of interesting payloads, tips and tricks for bug bounty hunters. EdOverflow/bugbounty-cheatsheet.
The attacks are categorized as follows:
Your can also check out our large-scale parser evaluation against DTD attacks.
Last updated on 16. January 2019.
Please contact us if you have any missing vectors!
Last updated on 16. January 2019.
Please contact us if you have any missing vectors!
Testing for Entity Support
If this test is successful and and parsing process is slowed down, there is a high probability that your parser is configured insecurely and is vulnerable to at least one kind of DoS.
Billion Laughs Attack (Klein, 2002)
This file expands to about 30 KByte but has a total of 11111 entity references and therefore exceeds a reasonable threshold of entity references.
Source
Billion Laughs Attack - Parameter Entities (Späth, 2015)
File stored on http://publicServer.com/dos.dtd
Quadratic Blowup Attack
Source
Recursive General Entities
This vector is not well-formed by [WFC: No Recursion].External General Entities (Steuck, 2002)
The idea of this attack is to declare an external general entity and reference a large file on a network resource or locally (e.g. C:/pagefile.sys or /dev/random).However, conducting DoS attacks in such a manner is only applicable by making the parser process a large XML document.
Source
Classic XXE Attack (Steuck, 2002)
We use the file '/sys/power/image_size' as an example, because it is a very simple file (one line, no special characters).
This attack requires a direct feedback channel and reading out files is limited by 'forbidden characters in XML' such as '<' and '&'.
If such characters occur in the accessed file (e.g. /etc/fstab) the XML parser raises an exception and stops the parsing of the message.
Source
XXE Attack using netdoc
Source: @Nirgoldshlager
XXE Attack using UTF-16 (Dawid Golunski)
Some simple blacklisting countermeasures can probably bypassed by changing the default XML charset (which is UTF-8), to a different one, for example, UTF-16The above file can be simply created with a texteditor.
To convert it to UTF-16, you can use the linux tool iconv
# cat file.xml | iconv -f UTF-8 -t UTF-16 > file_utf16.xml
Source, Thanks to @ilmila
XXE Attack using UTF-7
The same trick can be applied to UTF-7 as-well.# cat file.xml | iconv -f UTF-8 -t UTF-7 > file_utf7.xml
Source, Thanks to @ilmila
This class of attacks vectors is called evolved XXE attacks and is used to (i) bypass restrictions of classic XXE attacks and (ii) for Out-of-Band attacks.
Bypassing Restrictions of XXE (Morgan, 2014)
File stored on http://publicServer.com/parameterEntity_core.dtd
Source
Bypassing Restrictions of XXE (Späth, 2015)
File stored on http://publicServer.com/parameterEntity_doctype.dtd
XXE by abusing Attribute Values (Yunusov, 2013)
This vector bypasses [WFC: No External Entity References].File stored on http://publicServer.com/external_entity_attribute.dtd
Source
Error-based XXE using Parameter Entitites (Arseniy Sharoglazov, 2018)
Xslt 3.0 Cheat Sheet
Abusing local-DTD Files XXE (Arseniy Sharoglazov, 2018)
Because external DTD subsets are prohibited within an internal subset, one can use a a locally existing DTD file as follows:
Contents of sig-app_1_0.dtd
Source (also providing a list of local DTD files)
Just because there is no direct feedback channel available does not imply that an XXE attack is not possible.XXE OOB Attack (Yunusov, 2013)
File stored on http://publicServer.com/parameterEntity_oob.dtd
Source
XXE OOB Attack - Parameter Entities (Yunusov, 2013)
Here is a variation of the previous attack using only parameter entities.File stored on http://publicServer.com/parameterEntity_sendhttp.dtd
Source
XXE OOB Attack - Parameter Entities FTP (Novikov, 2014)
Using the FTP protocol, an attacker can read out files of arbitrary length.File stored on http://publicServer.com/parameterEntity_sendftp.dtd
This attack requires to setup a modified FTP server. However, adjustments to this PoC code are probably necessary to apply it to an arbitrary parser.
Source
SchemaEntity Attack (Späth, 2015)
We identified three variations of this attack using (i) schemaLocation, (ii) noNamespaceSchemaLocation and (iii) XInclude.schemaLocation
noNamespaceSchemaLocation
XInclude
File stored onhttp://publicServer.com/external_entity_attribute.dtd
DOCTYPE
External General Entity (Steuck, 2002)
Although it is best to reference a well-formed XML file (or any text file for that matter), in order not to cause an error, it is possible with some parsers to invoke an URL without referencing a not well-formed file.
Source
External Parameter Entity (Yunusov, 2013)
File stored onhttp://publicServer.com/url_invocation_parameterEntity.dtd
Source
XInclude
File stored on http://publicServer.com/file.xml
schemaLocation
File stored on http://publicServer.com/url_invocation_schemaLocation.xsd
or use this file
noNamespaceSchemaLocation
Xslt Cheat Sheets
File stored on http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd
If you pentest a web service that supports JSON, you can try to enforce it parsing XML as well.
The example is copied from this Blogpost by Antti Rantasaari.
Given HTTP example request:
It can be converted to enforce using XML by setting the HTTP Content-Type to application/xml:
In this case, the JSON parameters 'name' and 'value' are converted to XML elements '<search>' and '<value>' to be Schema conform to the JSON format.
A root element '<root>' was added around <search> and <value> to get a valid XML document (since an XML document must have exactly one root element).
The XXE attack might also work by simply adding one of the other attack vectors of this blog.
Source
Authors of this Post
Christopher SpäthChristianMainka (@CheariX)
Vladislav Mladenov
XML Tutorial
XML HOMEXML IntroductionXML How to useXML TreeXML SyntaxXML ElementsXML AttributesXML NamespacesXML DisplayXML HttpRequestXML ParserXML DOMXML XPathXML XSLTXML XQueryXML XLinkXML ValidatorXML DTDXML SchemaXML ServerXML ExamplesXML QuizXML CertificateXML AJAX
AJAX IntroductionAJAX XMLHttpAJAX RequestAJAX ResponseAJAX XML FileAJAX PHPAJAX ASPAJAX DatabaseAJAX ApplicationsAJAX ExamplesXML DOM
DOM IntroductionDOM NodesDOM AccessingDOM Node InfoDOM Node ListDOM TraversingDOM NavigatingDOM Get ValuesDOM Change NodesDOM Remove NodesDOM Replace NodesDOM Create NodesDOM Add NodesDOM Clone NodesDOM ExamplesXPath Tutorial
XPath IntroductionXPath NodesXPath SyntaxXPath AxesXPath OperatorsXPath ExamplesXSLT Tutorial
XSLT IntroductionXSL LanguagesXSLT TransformXSLT <template>XSLT <value-of>XSLT <for-each>XSLT <sort>XSLT <if>XSLT <choose>XSLT ApplyXSLT on the ClientXSLT on the ServerXSLT Edit XMLXSLT ExamplesXQuery Tutorial
XQuery IntroductionXQuery ExampleXQuery FLWORXQuery HTMLXQuery TermsXQuery SyntaxXQuery AddXQuery SelectXQuery FunctionsXML DTD
DTD IntroductionDTD Building BlocksDTD ElementsDTD AttributesDTD Elements vs AttrDTD EntitiesDTD ExamplesXSD Schema
XSD IntroductionXSD How ToXSD <schema>XSD ElementsXSD AttributesXSD RestrictionsXSD Complex
XSD ElementsXSD EmptyXSD Elements OnlyXSD Text OnlyXSD MixedXSD IndicatorsXSD <any>XSD <anyAttribute>XSD SubstitutionXSD ExampleXSD Data
XSD StringXSD DateXSD NumericXSD MiscXSD ReferenceWeb Services
XML ServicesXML WSDLXML SOAPXML RDFXML RSS
Xslt Cheat Sheet
References
Xslt Cheat Sheet 2019
DOM Node TypesDOM NodeDOM NodeListDOM NamedNodeMapDOM DocumentDOM ElementDOM AttributeDOM TextDOM CDATADOM CommentDOM XMLHttpRequestDOM ParserXSLT ElementsXSLT/XPath Functions