Hey! Not your first time visiting our CTF Recaps? Go ahead and jump on down to the insights! If it is your first time, allow us to give a quick rundown of what these are. Wizer CTFs were launched to challenge developers to learn to think like a hacker in order to learn to code more securely. It's part of our new security awareness training we're designing focused on the dev team!
Once a challenge is retired the Wizer Wizard behind these creations - our very own CTO Itzik Spitzen - creates takeaways that provide clues into the challenge from the perspective of defending your script. Want to testdrive a CTF before reading the notes? Go ahead at wizer-ctf.com - it's free and there's something for all levels.
In this challenge, we identify an XXE (XML External Entity) vulnerability.
Description of code
Our code is a user card creator, which creates an XML card populated with a few field values received as user-inputs. The user is able to input their role, first name and last name into the template creator. Upon receiving the user-inputs and before incorporating them into the template, the inputs are sanitized, removing all the occurrences of `<!` from them to prevent undesired tags injection.
What’s wrong with that approach?
Since the sanitization isn't complete, it does not recursively sanitize the string. It removes every presence of <! in the code, but that is not enough. Because if an attacker inputs <<!!, then the code will remove every presence of <! which still results in <! being present in the input.
What would a successful XXE attack look like in this case?
An attacker who identifies the weakness, could easily bypass the sanitization by specifying `<<!!ENTITY` in order to get a single instance of `<!ENTITY`. By doing so, the attacker could use the SYSTEM attribute and include a system file's content as one of the valid arguments. In this case the entity should include the passwd file `SYSTEM \"file:///etc/passwd"`. The result should look like the image below:
XXE is considered an old vulnerability, and is often dismissed by many as irrelevant. However, we need to remember that while technologies’ lifecycle is short and rapid, many legacy software systems remain active and used for many years. XXE still exists in the wild and cannot be ignored. Furthermore, XXE is also listed as one of the OWASP top 10. As a server side vulnerability allowing an attacker to run commands on the server, it's a dangerous weakness which could be translated into a complete server takeover in certain cases.
- Choose a proven sanitization strategy:
After understanding the needs, Google it and use a proven sanitization strategy, in this case it would have been effective to sanitize the argument, which really shouldn't contain anything but letters and maybe numbers. Any regular expression which is validating the characters in the argument, would be much preferred compared to a word replacement. Do not edit XML, JSON, or any type of object representation as a string. Use libraries such as `fast-xml-parser` to parse and load XML into objects and vice-versa. This way, you don't have to be concerned with the specific security needs. (Because sure in this case, the sanitization was not great, but setting up a great sanitization would require developers look into the entire RFC for XML just to see what weird ways commands may be possible).
- While old, XXE is real and could be exploited:
Even assuming that your newer apps don't use XML anymore, your organization might still be using older homegrown apps which could have that vulnerability.
Wanna join us on our next challenge? Sign up for our mailing list at wizer-ctf.com.