1 00:00:00,450 --> 00:00:04,470 So as I said before, XML is a very popular data format.
2 00:00:05,470 --> 00:00:10,450 It's used in just about everything, from web services to documents and more.
3 00:00:11,410 --> 00:00:16,420 And an XML document does not only consist of elements and attributes and data.
4 00:00:18,150 --> 00:00:23,940 You can also define a type definition for the document itself.
5 00:00:25,110 --> 00:00:31,620 So at this point, you can request or include some resources from the system. Then, to interpret this
6 00:00:31,830 --> 00:00:35,970 XML data, an application needs an XML parser.
7 00:00:37,700 --> 00:00:42,500 An XML external entity attack, or XXE injection.
8 00:00:43,800 --> 00:00:45,300 That's what you're going to find here.
9 00:00:47,100 --> 00:00:54,990 So this attack occurs when XML input containing a reference to an external entity is processed by a
10 00:00:55,320 --> 00:00:57,660 weakly configured XML parser.
11 00:00:59,030 --> 00:01:02,630 So it may just lead to the disclosure of confidential data.
12 00:01:02,960 --> 00:01:04,010 Denial of service.
13 00:01:04,550 --> 00:01:06,710 Server-side request forgery.
14 00:01:07,010 --> 00:01:12,710 Port scanning from the perspective of the machine where the parser is located, and many other system
15 00:01:12,710 --> 00:01:13,340 impacts.
16 00:01:13,550 --> 00:01:14,720 I mean, this is big, right?
17 00:01:16,100 --> 00:01:20,780 So in this lesson, we are going to cover XXE attacks.
18 00:01:22,260 --> 00:01:24,930 So let's open up Kali and log in to bWAPP.
19 00:01:26,010 --> 00:01:29,190 Then choose "XML External Entity Attacks".
20 00:01:31,890 --> 00:01:35,010 Now, the page display looks like this.
21 00:01:36,350 --> 00:01:39,500 So now, to see more, let's view the page source.
22 00:01:40,840 --> 00:01:42,730 OK, so I see the JavaScript code here.
23 00:01:43,800 --> 00:01:53,010 This code makes an Ajax request to xxe-2.php, and it sends the parameters in an XML file as the
24 00:01:53,010 --> 00:01:53,730 POST data.
25 00:01:54,570 --> 00:01:57,810 So before doing anything on the page, go to the terminal.
26 00:01:58,770 --> 00:02:01,360 Open xxe-1.php.
27 00:02:02,610 --> 00:02:04,470 And scroll down a few lines.
28 00:02:05,070 --> 00:02:08,580 And here is the JavaScript file and the page source.
29 00:02:10,790 --> 00:02:14,270 So I think there is nothing problematic here for now.
30 00:02:15,380 --> 00:02:16,850 So let's view the other file.
31 00:02:18,400 --> 00:02:22,820 I guess this page will open doors for us, perhaps even many doors.
32 00:02:23,420 --> 00:02:30,590 So on line 24, the data in the POST request body is taken by the php://input wrapper.
33 00:02:31,570 --> 00:02:34,300 Then this data is assigned to the body variable.
34 00:02:35,340 --> 00:02:41,790 And there is no check for the low level, and then naturally the body variable is loaded as an XML
35 00:02:41,790 --> 00:02:42,150 file.
36 00:02:44,230 --> 00:02:48,190 And yeah, it looks like the rest is the update code.
37 00:02:50,250 --> 00:02:54,720 And by the way, displaying an error is opened up on line 30.
38 00:02:56,270 --> 00:03:00,020 OK, so now for the other levels, yeah, it's a little bit different.
39 00:03:00,320 --> 00:03:04,010 So at line 78, external entities are disabled.
40 00:03:06,420 --> 00:03:07,620 The line is commented.
41 00:03:08,760 --> 00:03:15,510 But for the medium and high level, you can uncomment it, and the rest is the update code as well.
42 00:03:16,540 --> 00:03:20,080 And we can exit. OK, so now go to Firefox.
43 00:03:21,480 --> 00:03:22,890 Enable FoxyProxy.
44 00:03:24,220 --> 00:03:28,480 And now I'm going to arrange this screen for you, because I like this for you.
45 00:03:29,930 --> 00:03:34,340 OK, so when you click this button, the request on the right is sent.
46 00:03:35,340 --> 00:03:40,470 Now, it's a POST request, and you can see the XML file below as the POST data.
47 00:03:42,210 --> 00:03:45,540 And for this request, the content is text/xml.
48 00:03:47,190 --> 00:03:48,840 So you can view the XML tab.
49 00:03:49,770 --> 00:03:50,820 Oh, isn't it pretty?
50 00:03:52,500 --> 00:03:57,780 OK, so forward this request, and the response contains just a message.
51 00:03:58,770 --> 00:03:59,670 OK, forward.
52 00:04:01,000 --> 00:04:05,950 Send the request to Burp again, and send it to the Repeater tool as well.
53 00:04:07,330 --> 00:04:08,560 Then let it go.
54 00:04:10,210 --> 00:04:12,070 OK, so go to the Repeater tab.
55 00:04:12,730 --> 00:04:14,470 Let me maximize Burp here.
56 00:04:15,920 --> 00:04:19,490 And now send this first request to check the connection.
57 00:04:21,120 --> 00:04:23,040 Perfect. So it updates bee's secret.
58 00:04:24,730 --> 00:04:27,550 And I'm going to change this here to bee1 and send.
59 00:04:28,840 --> 00:04:30,400 And it's reflected in the response.
60 00:04:31,740 --> 00:04:33,030 OK, so just write something.
61 00:04:34,390 --> 00:04:36,070 And it reflects that also.
62 00:04:37,380 --> 00:04:40,700 So instead of this simple file, I'll just paste in this one.
63 00:04:42,750 --> 00:04:50,550 Now, my payload will define an external entity named xxe, and then it prints its value.
64 00:04:52,260 --> 00:04:52,980 And then send.
65 00:04:53,950 --> 00:05:00,100 Perfect. So this means that we can include external resources in that XML.
66 00:05:00,580 --> 00:05:01,240 OK.
67 00:05:02,270 --> 00:05:04,640 Now I'm going to use this payload.
68 00:05:05,830 --> 00:05:09,280 And it will bring us the content of the password file.
69 00:05:10,660 --> 00:05:13,160 Now, let's have a look at that payload carefully.
70 00:05:13,180 --> 00:05:18,940 It uses a file:// wrapper to point to the password file, and it works well.
71 00:05:20,230 --> 00:05:25,450 OK, so now let's use one without this file wrapper.
72 00:05:27,120 --> 00:05:28,260 And it works also.
73 00:05:29,870 --> 00:05:31,820 OK, so I'm going to paste this one.
74 00:05:33,460 --> 00:05:36,130 And it uses PUBLIC instead of SYSTEM.
75 00:05:39,400 --> 00:05:41,500 And we see the hostname.
76 00:05:43,370 --> 00:05:46,670 So now we can use another PHP wrapper to pull resources.
77 00:05:48,960 --> 00:05:51,810 But you can encode the file with this wrapper as well.
78 00:05:53,650 --> 00:05:54,640 So send the request.
79 00:05:56,010 --> 00:05:59,970 And the file is encoded, so copy the encoded part.
80 00:06:01,560 --> 00:06:02,700 Paste it into the Decoder.
81 00:06:03,820 --> 00:06:05,920 Then decode as base64.
82 00:06:07,960 --> 00:06:10,720 And here is the content of the file.
83 00:06:12,250 --> 00:06:13,420 So go to the Repeater.
84 00:06:15,560 --> 00:06:17,750 We can also view the code files.
85 00:06:19,810 --> 00:06:24,160 And I will advise you to use this wrapper with encoding when you want to pull the code files.
86 00:06:24,250 --> 00:06:30,010 Because in a normal request, the code can cause an XML execution error.
87 00:06:30,400 --> 00:06:30,940 Don't want that.
88 00:06:32,290 --> 00:06:33,520 OK, so send the request.
89 00:06:34,590 --> 00:06:37,080 And the encoded result comes, so copy it.
90 00:06:39,690 --> 00:06:41,310 And paste it into the Decoder.
91 00:06:44,150 --> 00:06:45,140 Not as hex.
92 00:06:46,900 --> 00:06:50,620 And this is the code file of portal.php.
93 00:06:52,430 --> 00:06:54,080 And we can change the file.
94 00:06:55,170 --> 00:06:55,890 And send.
95 00:06:57,160 --> 00:06:58,480 Copy the encoded data.
96 00:06:59,580 --> 00:07:01,050 Paste it into the Decoder.
97 00:07:02,580 --> 00:07:06,420 And you can have a look at the content of the fstab file.
98 00:07:08,020 --> 00:07:09,520 So paste this payload.
99 00:07:11,310 --> 00:07:14,100 This payload will cause a denial of service.
100 00:07:15,780 --> 00:07:21,510 So when the XML engine tries to load this file, the payload will be expanded into memory, and it
101 00:07:21,510 --> 00:07:25,230 will fill up the entire memory of the server.
102 00:07:26,010 --> 00:07:29,180 So that's how the denial of service will happen.
103 00:07:30,730 --> 00:07:32,020 OK, so then send.
104 00:07:33,860 --> 00:07:36,680 And you see that nothing appears in the response pane.
105 00:07:37,570 --> 00:07:40,710 So now try to go to bWAPP or refresh the page.
106 00:07:41,770 --> 00:07:48,570 And you cannot even view the page. So if the server is not configured to prevent such an attack,
107 00:07:48,580 --> 00:07:51,340 it can cause some pretty serious problems.
108 00:07:53,100 --> 00:07:56,070 Well, thankfully, the web server in bee-box is configured properly.
109 00:07:57,770 --> 00:08:00,410 And we will get an error after 30 seconds.
110 00:08:00,890 --> 00:08:01,730 Far out.