Firewall Lab Setup : FortiGate

In the game of network security, you are either secure or you are not; there exists no middle ground.

If a computer is connected to the Internet, it is vulnerable to online attacks; the only difference is that some computers are more susceptible than others.

Table of Contents

  • Prerequisites
  • What is Firewall
  • Download FortiGate Virtual Firewall
  • Configure Virtual network interfaces for FortiGate
  • Deployment of FortiGate VM image in VMWare
  • Configuring the Management Interface
  • Accessing FortiGate Firewall GUI
  • GUI Demonstration
  • Dashboard Demonstration

Prerequisites

To configure the virtual FortiGate Firewall on your system, the following prerequisites are required for installation:

  • VMWare Workstation
  • FortiGate Firewall VM Image
  • Three or more E1000-compatible virtual NICs (network interface cards)
  • Root privileges

What is Firewall

In computing terms, a firewall is security software or hardware that monitors and controls network traffic, both incoming and outgoing. It establishes a barrier between a trusted internal network and untrusted external networks.

Therefore, a firewall, also known as a network firewall, is capable of preventing unauthorized access to and from private networks.

A network firewall applies security rules to accept, reject, or drop specific traffic. The firewall allows or denies a connection or request depending on the rules implemented.

Download FortiGate Virtual Firewall

First, we need to download the virtual FortiGate Firewall from the official FortiGate portal. To do this, visit the portal, then register or log in to your account.

After creating an account or logging in, go to Download > VM Images, as shown in the image below.

Then select Product: FortiGate > Platform: VMware ESXi, as shown in the image below. By default, no license is associated with your virtual image, so you can go with the trial version or buy a license as per your requirements.

After downloading the compressed FortiGate VM file, extract the Zip file using your favourite extractor; the extracted contents look like the image below.

Configure Virtual network interfaces for FortiGate

Let’s configure the virtual network adapters as per your requirements.

To do this, open VMware, then go to Edit > Virtual Network Editor, as shown in the image below.

This opens another window that allows you to modify the network configuration.

Changing the network configuration requires administrator privileges; to grant them, click Change Settings, as shown below.

Alternatively, you can open the Virtual Network Editor directly by clicking the Windows Start button and searching for Virtual Network Editor. If you are using Linux (e.g. Ubuntu), you can type the following command to open the Virtual Network Editor.

By default, there are only two virtual network interfaces, i.e., VMnet1 and VMnet8. So, click Add Network and make the new virtual interface Host-only. After that, assign a unique network address to each virtual network interface.

For example, I am going to use 192.168.200.0/24 for the vmnet0 interface, and so on…

Use the IP ranges of your own network devices, or whatever suits your requirements. You can add as many network interfaces as you want, but remember that every virtual network should be configured as Host-only; DHCP can be enabled or disabled as per your system requirements.

Deployment of FortiGate VM image in VMWare

Now it’s time to deploy the FortiGate virtual firewall in VMware Workstation. Open VMware Workstation and go to File > Open (Ctrl+O), or go to the Home tab and select Open a Virtual Machine. Select the FortiGate-VM64.ovf file that you downloaded from the official FortiGate website, as shown below.

Next, an End User License Agreement prompt appears; accept it and continue.

On the next prompt, assign a name for the new virtual machine and a storage path, then select Import, as shown below.

This process will take some time, so be patient.

After it completes, configure the virtual firewall’s resources by clicking Edit virtual machine settings: adjust the assigned virtual network interfaces, memory, and processor there.

In my case, I’m assigning 2 GB RAM, 30 GB of hard disk, 1 processor, and 6 different virtual network interfaces (VMNet2, VMNet3, VMNet4, VMNet11, VMnet11, VMnet12) to the network adapters. Check the image below for reference.

Configuring the Management Interface

We’ve just finished deploying the FortiGate Firewall in VMware Workstation.

Let’s configure an IP address on the management interface. To assign an IP address to the management interface, we first need to log in to the system with the default credentials:

Login User: – admin

Login Password: – In this case we don’t know the default password, so press Enter and then change the password as shown below.

Let’s check the system interfaces by running the following command:

Port 1 will be the management interface, so assign a unique IP address to the management port and set its mode to static. In this example our IP address will be 192.168.200.128/24, so the default gateway will be 192.168.200.1. To assign the IP address to the management port, run the following command, as shown below:

We can verify the changes to the system interfaces by running the following command:

Accessing FortiGate Firewall GUI

Let’s check our firewall configuration by accessing the FortiGate Firewall GUI. Before accessing the GUI, we first check connectivity to the firewall with the ping utility by running the following command:

As we can see, the IP address is reachable, which means the firewall is working properly. Now we access the FortiGate Firewall GUI using its management interface IP address:

https://192.168.200.128

Use the same login credentials that we set up on the CLI:

Username: – admin

Password: – 123

Logging in to the firewall opens a setup wizard where we need to specify the hostname, change the password, upgrade the firmware, and set up the dashboard.

By default, this FortiGate uses its serial number/model as its hostname. To make it more identifiable, set a descriptive hostname as shown below.

We have already changed the password in the firewall CLI, and we have already downloaded the latest version of the firewall image, so the wizard skips straight to the last step, Dashboard setup. Select Optimal or Comprehensive as per your requirements.

After selecting the dashboard type, click OK to finish the setup.

GUI Demonstration

The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:

Dashboard: – The dashboard displays various widgets that display important system information and allow you to configure some system options.

Security Fabric: – Access the physical topology, logical topology, audit, and settings of the Fortinet Security Fabric.

FortiView: – A collection of dashboards and logs that give insight into network traffic, showing which users are creating the most traffic, what sort of traffic it is, when the traffic occurs, and what kind of threat the traffic may pose to the network.

Network: – Options for networking, including configuring system interfaces and routing options.

System: – Configure system settings, such as administrators, FortiGuard, and certificates.

Policy & Objects: – Configure firewall policies, protocol options, and supporting content for policies, including schedules, firewall addresses, and traffic shapers.

Security Profiles: – Configure your FortiGate’s security features, including Antivirus, Web Filter, and Application Control.

VPN: – Configure options for IPsec and SSL virtual private networks (VPNs).

User & Device: – Configure user accounts, groups, and authentication methods, including external authentication and single sign-on (SSO).

WiFi & Switch Controller: – Configure the unit to act as a wireless network controller, managing the wireless Access Point (AP) functionality of FortiWiFi and FortiAP units. On certain FortiGate models, this menu has additional features allowing for FortiSwitch units to be managed by the FortiGate.

Log & Report: – Configure logging and alert email as well as reports.

Monitor: – View a variety of monitors, including the Routing Monitor, VPN monitors for both IPsec and SSL, monitors relating to wireless networking, and more.

Dashboard Demonstration

FortiGate dashboards can have a Network Operations Centre (NOC) or responsive layout.

  • On a responsive dashboard, the number of columns is determined by the size of the screen. Widgets can only be resized horizontally, but the dashboard will fit on all screen sizes.
  • On a NOC dashboard, the number of columns is explicitly set. Widgets can be resized both vertically and horizontally, but the dashboard will look best on the screen size that it is configured for.

Multiple dashboards of both types can be created, for both individual VDOMs and globally.

  • Widgets are interactive; clicking or hovering over most widgets shows additional information or links to relevant pages.
  • Widgets can be reorganized by clicking and dragging them around the screen.

Four dashboards are available by default: Status, Network, Security, and System Events.

The Status dashboard includes the following widgets by default:

System Information: – The System Information widget lists information relevant to the FortiGate system, including hostname, serial number, and firmware. Clicking on the widget provides links to configure system settings and update the device firmware.

Licenses: – The License widget lists the status of various licenses, such as FortiCare Support and IPS. The number of used and available FortiTokens is also shown. Clicking on the widget provides a link to the FortiGuard settings page.

Virtual Machine: – The VM widget (shown by default in the dashboard of a FortiOS VM device) includes:

  • License status and type
  • vCPU allocation and usage
  • RAM allocation and usage
  • VMX license information (if the VM supports VMX)

Clicking on an item in the widget provides a link to the FortiGate VM License page, where license files can be uploaded.

FortiGate Cloud: – This widget displays the FortiGate Cloud and FortiSandbox Cloud status.

Security Fabric: – The Security Fabric widget displays a visual summary of the devices in the Fortinet Security Fabric.

Clicking on a product icon provides a link to a page relevant to that product. For example, clicking the FortiAnalyzer icon shows a link to the log settings.

Security Rating: – The Security Rating widget shows the security rating for your Security Fabric. It can show the current rating percentile, or historical security rating score or percentile charts.

Administrators: – This widget allows you to see logged-in administrators, connected administrators, and the protocols used by each. Clicking on the widget provides links to view active administrator sessions, and to open the FortiExplorer page on the App Store.

CPU: – This widget shows real-time CPU usage over the selected time frame. Hovering over any point on the graph displays the percentage of CPU power used at that specific time. It can be expanded to occupy the entire dashboard.

Memory: – This widget shows real-time memory usage over the selected time frame. Hovering over any point on the graph displays the percentage of the memory used at that specific time. It can be expanded to occupy the entire dashboard.

Sessions: – This widget shows the current number of sessions over the selected time frame. Hovering over any point on the graph displays the number of sessions at that specific time. It can be expanded to occupy the entire dashboard.

The Security dashboard includes the following widgets by default:

  • Top Compromised Hosts by Verdict: – This widget lists the compromised hosts by verdict. A FortiAnalyzer is required. It can be expanded to occupy the entire dashboard.
  • Top Threats by Threat Level: – This widget lists the top threats by threat level, from FortiView. It can be expanded to occupy the entire dashboard.
  • FortiClient Detected Vulnerabilities: – This widget shows the number of vulnerabilities detected by FortiClient. FortiClient must be enabled. Clicking on the widget provides a link to view the information in FortiView.
  • Host Scan Summary: – This widget lists the total number of hosts. Clicking on the widget provides links to view vulnerable devices in FortiView, FortiClient monitor, and the device inventory.
  • Top Vulnerable Endpoint Devices by Detected Vulnerabilities: – This widget lists the top vulnerable endpoints by the detected vulnerabilities, from FortiView. It can be expanded to occupy the entire dashboard.

The System Events dashboard includes the following widgets by default:

  • Top System Events by Events: – This widget lists the top system events, sorted by the number of events. It can be expanded to occupy the entire dashboard. Double click on an event to view the specific event log.
  • Top System Events by Level: – This widget lists the top system events, sorted by the events’ levels. It can be expanded to occupy the entire dashboard. Double click on an event to view the specific event log.

Source: http://docs.fortinet.com/document/fortigate/6.2.4/cookbook/856100/dashboard

Source: geekflare.com/firewall-introduction/

Wait, this is not the end…

More will be discussed in the next part.

Author – Vijay is a Certified Ethical Hacker, Technical Writer and Penetration Tester at Hacking Articles. Technology and gadget freak.

Ghizer TryHackMe Walkthrough

Today we’re going to solve another boot2root challenge called “Ghizer”. It’s available at TryHackMe for penetration testing practice. This lab is not difficult if we have the right basic knowledge to break the labs and are attentive to all the details we find during reconnaissance. The credit for making this lab goes to stuxnet. Let’s get started and learn how to break it down successfully.

Level: Easy

Since these labs are available on the TryHackMe website.

Penetration Testing Methodology

Reconnaissance

  • Nmap

Enumeration

  • Dirsearch
  • Searchsploit
  • Linpeas
  • Jdb
  • Chisel

Exploiting

  • Exploit LimeSurvey < 3.16 Remote Code Execution (RCE)

Privilege Escalation

  • Abuse of Ghidra debug mode
  • Abuse of sudo permissions on a Python script
  • Capture the flag

Walkthrough

Reconnaissance

We add the IP address to the “/etc/hosts” file and run nmap.

Enumeration

Nmap shows that the FTP service allows access with an anonymous account, but we have neither write nor read permissions.

We access the website and look around it, reviewing the code and sections, but find nothing that can be useful to us.

We find a working WordPress on port 443. We found a hint about the administration panel: it is protected by the WPS Hide Login plugin.

It is easy: we look for the link at the bottom of the web page and we get the path to the administration panel.

We use the Dirsearch tool to enumerate files with software versions, directories and other files.

Exploiting

We use searchsploit to search for exploits for LimeSurvey and find an exploit for Remote Code Execution (RCE).

This exploit requires credentials to use, so we search Google for “Credentials default LimeSurve” and find the default credentials.

We run the exploit with the credentials found and we get a shell.

The shell is very limited, so I used PentestMonkey’s web shell, downloading it to the folder and executing it with netcat listening.

We have a new shell! We run our two favourite commands for an interactive shell.

We find the config.php file, which holds the username and password for limeDB.

Privilege Escalation (user Veronica)

We use the “linpeas.sh” script and enumerate connections in use by ghidraDebug running as the Veronica user.

We enumerate the internal GhidraDebug service on port 18001.

We need remote command execution in GhidraDebug; I used this guide from my friends at “HackPlayers”.

We use “Chisel” to port-forward local port 18001.

We use the jdb tool to connect to localhost, run the “classpath” command and see the home directory of the “Veronica” user.

We list “WatchManager$WatchRunnable”, so we’re on the right track.

We stop the service and wait a few seconds until we get the second response.

We set netcat to listen and run the following command, which returns a shell as the user “Veronica”.

With access to this user, we can read the user.txt flag.

Privilege Escalation (root)

We run the command “sudo -l”; we have permission to run a Python script called “base.py”.

We tried to insert a new line, but we do not have permission to edit the file. But we do have permission to delete it!

We delete the file, create a new one that spawns a bash shell as root, run the file with sudo, escalate privileges to root and read the flag.

Author: David Utón is a Penetration Tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks.

Comprehensive Guide on XXE Injection

XML is a markup language commonly used in web development for storing and transporting data. So, in this article, we will learn how an attacker can use this vulnerability to obtain information and try to damage a web application.

XXE Testing Methodology:

  • Introduction to XML
  • Introduction to XXE Injection
  • Impacts
  • XXE for SSRF
    • Local File
    • Remote File
  • XXE Billion Laugh Attack
  • XXE using file upload
  • Remote Code Execution
  • XSS via XXE
  • JSON and Content Manipulation
  • Blind XXE
  • Mitigation Steps

Introduction to XML

What are XML and Entity?

XML stands for “Extensible Markup Language”. It is the most common language for storing and transporting data. It is a self-descriptive language: it does not contain any predefined tags like <p>, <img>, etc. All tags are user-defined depending on the data they represent, for example <email></email>, <message></message>, etc.

The XML declaration at the start of a document carries the following attributes:

  • Version: It specifies which version of the XML standard is being used.
    • Values: 1.0
  • Encoding: It specifies the character encoding to be used. The default encoding used in XML is UTF-8.
    • Values: UTF-8, UTF-16, ISO-10646-UCS-2, ISO-10646-UCS-4, Shift_JIS, ISO-2022-JP, ISO-8859-1 to ISO-8859-9, EUC-JP
  • Standalone: It tells the parser whether the document links to or references an external source or document. The default value is no.
    • Values: yes, no

What is an Entity?

Just as programming languages have variables, XML has entities. They are a way of representing data inside an XML document. There are various built-in entities in XML, like &lt; and &gt;, which stand for less than and greater than. These are metacharacters that are generally represented using entities when they appear in data. XML external entities are entities whose content is located outside the DTD.

The declaration of an external entity uses the SYSTEM keyword and must specify a URL from which the value of the entity should be loaded. For example:

In this syntax, Ignite is the name of the entity,

SYSTEM is the keyword used, and

URL is the URL that we want to retrieve by performing an XXE attack.

What is the Document Type Definition (DTD)?

It is used to declare the structure of an XML document, the types of data values it can contain, etc. A DTD can be present inside the XML file or be defined separately. It is declared at the beginning of the XML using <!DOCTYPE>.

There are several types of DTDs, and the one we are interested in is the external DTD. An external DTD can be referenced in two ways:

SYSTEM: The system identifier enables us to specify the location of the external file that contains the DTD declaration.

PUBLIC: Public identifiers provide a mechanism to locate DTD resources and are written as below:

As you can see, it begins with the keyword PUBLIC, followed by a specialized identifier. Public identifiers are used to identify an entry in a catalog.

Introduction to XXE

XXE is a type of attack performed against an application that parses XML input. In this attack, XML input containing a reference to an external entity is processed by a weakly configured XML parser. Just as in Cross-Site Scripting (XSS) we try to inject scripts, here we try to insert XML entities to obtain crucial information.

In this attack, the XML payload containing the external entity is sent to the server, and the server passes that data to an XML parser, which parses the XML request, resolves the entity, and provides the resulting output to the server. The server then returns that output to the attacker.

Impacts

XML External Entity (XXE) injection can pose a severe threat to a company or a web developer. XXE has featured in the OWASP Top 10 list. It is common because many websites use XML for storing and transporting data, and if countermeasures are not taken, this information will be compromised. The attacks that are possible include:

  • Server-Side Request Forgery
  • DoS Attack
  • Remote Code Execution
  • Cross-Site Scripting

The CVSS score of XXE is 7.5 and its severity is Medium, with:

  • CWE-611: Improper Restriction of XML External Entity.
  • CVE-2019-12153: Local File SSRF
  • CVE-2019-12154: Remote File SSRF
  • CVE-2018-1000838: Billion Laugh Attack
  • CVE-2019-0340: XXE via File Upload

Performing XXE Attack to perform SSRF:

Server-Side Request Forgery (SSRF) is a web vulnerability where the attacker injects server-side code to get control over the site or to redirect the output to the attacker’s server. The file types targeted by SSRF attacks are:

Local File:

These are files present on the website’s own domain, like robots.txt, server-info, etc. So, let’s use “bWAPP” to perform an XXE attack with the security level set to low.

Now we fire up Burp Suite and intercept the request after pressing the Any Bugs? button; we get the following output in Burp:

We can see that no filter is applied, so XXE is possible; we send the request to Repeater and perform our attack there. First we need to find out which field is vulnerable (injectable), because we can see there are two fields, i.e., login and secret.

So, we will test it as follows:

In the repeater tab, we will send the default request and observe the output in the response tab.

It says “bee’s secret has been reset”, so it seems that login is injectable, but let’s verify this by changing it from bee and then sending the request.

Now again we will be observing its output in response tab:

We got the output “ignite’s secret has been reset”, which makes it clear that login is injectable. Now we will perform our attack.

Now that we know which field is injectable, let’s try to get the robots.txt file. For this, we will be using the following payload:

Understanding the payload

We have declared a doctype named “reset” and inside it declared an entity named “ignite”. We use the SYSTEM identifier followed by the URL of robots.txt. Then in login, we enter “&ignite;” to retrieve the desired information.

After inserting the above code, we click Send and get output like the following in the response tab:

We can see in the above output that we got all the details present in robots.txt. This tells us that SSRF of a local file is possible using XXE.

So now, let’s try to understand how it all worked. First, we inject the payload and it is passed on to the server; as there are no filters present to prevent XXE, the server sends the request to an XML parser and then returns the output of the parsed XML. In this case, robots.txt was disclosed to the attacker through the XML query.

Remote File:

These are cases where the attacker injects a remotely hosted malicious script in order to gain admin access or crucial information. We will try to get /etc/passwd; for that we will enter the following command.

After entering the above command and hitting Send, the passwd file is reflected in the response!

XXE Billion Laugh Attack-DOS

These attacks are aimed at XML parsers: XML data that is both well-formed and valid exhausts the system’s resources when it is parsed. This attack is also known as an XML bomb, XML DoS, or exponential entity expansion attack.

Before performing the attack, let’s look at why it is known as the Billion Laughs attack.

“The first time this attack was performed, the attacker used lol as the entity data and then referenced it multiple times in several following entities. It took an exponential amount of time to execute, and the result was a successful DoS attack bringing the website down. Because lol was used and referenced so many times that it resulted in billions of requests, it got the name Billion Laughs attack.”

Before using the payload, let’s understand it:

Here, at 1 we declare the entity named “ignite” and then reference ignite in several other entities, forming a chain of expansions that overloads the server. At 2 we reference the entity &ignite9;. We reference ignite9 instead of ignite because ignite9 expands ignite8 several times, and each time ignite8 is expanded, ignite7 is expanded, and so on. Thus the request takes an exponential amount of time to execute and, as a result, the website goes down.

The above command results in a DoS attack, and the output we get is:

After entering the XML command we see no output in the response field; bee-box is no longer accessible and is down.
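
The expansion that the ignite…ignite9 chain produces can be measured before a real parser ever touches the document. The following Python is an added example, not code from the original article: it reads the general entity declarations of an internal DTD subset, follows the &name; references and reports how large each entity becomes, so a gateway can refuse an entity bomb on size alone; the ignite/lol chain it builds is constructed here to match the description above.

```python
import re

# General entity declarations in the internal subset: <!ENTITY name "literal">.
# Parameter entities (<!ENTITY % ...>) and SYSTEM/PUBLIC entities carry no
# literal value, so they do not match here and contribute nothing to the size.
ENTITY_DECL = re.compile(r"""<!ENTITY\s+(?!%)(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&(\w+);")
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}


def declared_entities(document: str) -> dict:
    """Map each general entity name to its literal replacement text."""
    return {name: dq or sq for name, dq, sq in ENTITY_DECL.findall(document)}


def expanded_size(name: str, entities: dict, memo: dict, active: set) -> int:
    """Number of characters produced when &name; is fully expanded."""
    if name in PREDEFINED:
        return PREDEFINED[name]
    if name not in entities:
        return 0  # undefined or external entity: nothing expands in-document
    if name in memo:
        return memo[name]
    if name in active:
        raise ValueError(f"recursive entity reference through &{name};")
    active.add(name)
    literal = entities[name]
    size = len(ENTITY_REF.sub("", literal))  # the plain-text part of the literal
    for ref in ENTITY_REF.findall(literal):  # plus every nested expansion
        size += expanded_size(ref, entities, memo, active)
    active.discard(name)
    memo[name] = size
    return size


def amplification(document: str) -> tuple:
    """(largest fully expanded entity in characters, ratio to the document length)."""
    entities = declared_entities(document)
    memo = {}
    largest = max((expanded_size(n, entities, memo, set()) for n in entities), default=0)
    return largest, largest / max(len(document), 1)


def is_entity_bomb(document: str, max_chars: int = 1_000_000, max_ratio: float = 10.0) -> bool:
    """Gate check: True when expansion exceeds either limit or the DTD recurses."""
    try:
        largest, ratio = amplification(document)
    except ValueError:
        return True
    return largest > max_chars or ratio > max_ratio


def build_billion_laughs(levels: int = 9, fanout: int = 10) -> str:
    """Constructed sample in the shape described above: ignite holds "lol",
    ignite1 references ignite `fanout` times, ignite2 references ignite1, and
    so on; the request body finally references &ignite9;."""
    decls = ['<!ENTITY ignite "lol">']
    for i in range(1, levels + 1):
        prev = "ignite" if i == 1 else f"ignite{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY ignite{i} "{refs}">')
    return ('<?xml version="1.0"?><!DOCTYPE reset [' + "".join(decls) + "]>"
            f"<reset><login>&ignite{levels};</login><secret>x</secret></reset>")


# A harmless document that also uses an internal entity, for comparison.
BENIGN = ('<?xml version="1.0"?><!DOCTYPE reset [<!ENTITY site "Hacking Articles">]>'
          '<reset><login>&site;</login><secret>Any bugs?</secret></reset>')

# Illegal in XML, but a naive expander would loop on it forever.
RECURSIVE = '<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'

if __name__ == "__main__":
    for label, doc in (("billion laughs", build_billion_laughs()), ("benign", BENIGN)):
        largest, ratio = amplification(doc)
        print(f"{label}: largest entity expands to {largest:,} chars "
              f"({ratio:,.0f}x the document), bomb={is_entity_bomb(doc)}")
```

With the default nine levels of ten references each, ignite9 expands to 3,000,000,000 characters from a request of a few hundred bytes, which is exactly the amplification a parser with no entity limit would try to materialise.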

XXE Using File Upload

XXE can also be performed via file upload. We will demonstrate this using the PortSwigger lab “Exploiting XXE via Image Upload”. The payload that we will be using is:

Understanding the payload: We make an SVG file, as only image files are accepted by the upload area. The basic syntax of the SVG file is given above, and in it we have added a text element that will

We save the above code as “payload.svg”. Now on PortSwigger, we go to a post, write a comment, and add the payload file in the avatar field.

Now we post the comment by pressing the Post Comment button. After this, we visit the post on which we commented, and we see our comment in the comments section.

Let’s check the page source to find the comment that we posted. You will find something similar to what I got below.

We click on the above link and get the flag in a new window as follows:

This can be verified by submitting the flag, after which we get the success message.

Understanding the whole concept: When we uploaded the payload in the avatar field and filled in all the other fields, our comment was shown on the post. Upon examining the page source, we got the path where our file was uploaded. We are interested in that field because our XXE payload was inside that SVG file, and it contains the information we wanted, in this case “/etc/domain”. After clicking on that link, we were able to see the information.

XXE to Remote code Execution

Remote code execution is a very severe web application vulnerability. In this, an attacker is able to run their own malicious code on the server in order to gain crucial information. To demonstrate this attack I have used the XXE LAB. We follow the steps below to download this lab and run it on our Linux machine:

In our terminal we get output similar to the following:

Now, once it’s ready to use, we open the browser and type http://192.168.33.10/ and we see that the site looks like this:

We enter our details and intercept the request using Burp Suite. In Burp Suite we see the request as below:

We send this request to Repeater to see which field is vulnerable. First, we send the request as it is and observe the response tab:

We notice that only the email is reflected, so we check with one more entry to verify that this field is the vulnerable one among all the fields.

From the above screenshot it’s clear that the email field is vulnerable. Now we enter our payload:

Let’s understand the payload before using it:

We have created a doctype named “root” and under it an entity named “ignite” which requests “expect://id”. If the expect wrapper is accepted by the PHP page, remote code execution is possible. We are fetching the id, so we used “id” in this case.

And we can see that we got the uid, gid and groups successfully. This proves that our remote code execution was successful in this case.

XSS via XXE

Nowadays, scripts are often blocked by web applications, but there is a way around this: we can use the CDATA section of XML to carry out this attack. We will also see CDATA in the mitigation steps. We use the same XXE LAB to perform XSS. So, we have the same intercepted request as in the previous attack, and we know that the email field is vulnerable, so we inject our payload in that field only. The payload that we use is below:

Understanding the payload: As we know, in most input fields < and > are blocked, so we have included them inside a CDATA section. CDATA is character data; the data inside CDATA is not parsed by the XML parser and is pasted as-is into the output.

Let’s see this attack:

We enter the above command in the email field and observe the output in the response tab.

We can see that we have got the image tag embedded in the field with our script. We right-click on it and select the option “Show response in browser”.

We copy the above link and paste it in the browser, and we are shown an alert box saying “1”, as we can observe in the screenshot below.

So, the screenshot makes it clear that we were able to perform Cross-Site Scripting using XML.

JSON and Content Manipulation

JSON (JavaScript Object Notation) is also used for storing and transporting data, like XML. We can convert JSON to XML and still get the same output, as well as extract some juicy information using it. We can also manipulate the content type so that XML is accepted. We use WebGoat for this purpose, where we perform an XXE attack.

We can see that the intercepted request looks like the above. We change its Content-Type and replace the JSON with XML code. The XML code we use is:

We observe that our comment is posted with the root file.

So in this, we learnt how to perform XML injection on JSON fields and how to pass XML by manipulating the Content-Type.

Let us understand what happened above:

JSON serves the same purpose as XML, so we can get the same output using XML that we would expect from a JSON request. Above, we saw that the JSON has a text value, so we replaced the JSON request with the above payload and got the root information. If we had not changed the Content-Type to application/xml, our XML request would not have been accepted.

Blind XXE

In the above attacks we could see which field is vulnerable. But when our input produces no visible difference in the output, we can use Blind XXE. We will be using a PortSwigger lab to demonstrate Blind XXE. For this, we use Burp Collaborator, which is present only in the Burp Suite Professional version. The lab is named “Blind XXE with out-of-band interaction via XML parameter entities”. When we visit the lab we see a page like the one below:

We click on View details and are redirected to the page below, where we intercept the “Check stock” request.

We get the intercepted request as below:

We can see that if we send the request normally we get the number of items in stock. Now we fire up Burp Collaborator from the Burp menu and see the following window.

In this, we press the “Copy to clipboard” button to copy the Burp subdomain that we will use in our payload.

The payload that we use is below:

Now, looking in Burp Collaborator, we see that we captured some requests, which tells us that we have performed Blind XXE successfully.

We also verify that our finding is correct and see in the lab that we have solved it successfully.

Mitigation Steps

  • The safest way to prevent XXE is always to disable DTDs (external entities) completely. Depending on the parser, the method should be similar to the following:

  • Disabling DTDs also prevents DoS attacks. If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in the way that is specific to each parser.
  • Another method is using CDATA for ignoring the external entities. CDATA is character data, which provides a block that is not parsed by the parser.
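
For the first mitigation above, and for the bWAPP robots.txt payload shown earlier, here is an added example (not the article’s own code) using Python’s standard-library expat binding: any DOCTYPE, entity declaration or external entity reference aborts the parse before the parser fetches anything. The sample documents are constructed here, modelled on the bWAPP reset request; TARGET and COLLABORATOR are placeholder host names.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document tries to use any DTD feature."""


def parse_without_dtd(data: bytes) -> dict:
    """Return {element name: text} for the leaf elements of `data`.

    Any DOCTYPE, entity declaration or external entity reference raises
    UnsafeXML before anything is fetched. Refusing the DTD wholesale is the
    first mitigation above: it covers SYSTEM/PUBLIC entities (local and remote
    SSRF, expect:// RCE), parameter entities (blind XXE) and exponential
    expansion (Billion Laughs) with one setting.
    """
    parser = expat.ParserCreate()
    # Never load an external DTD subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} refused (system id {sysid!r})")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} refused")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity {sysid!r} refused")

    leaves, text = {}, []

    def start(tag, attrs):
        text.clear()  # text seen so far belonged to a parent, not a leaf

    def chars(chunk):
        # CDATA sections land here as well: expat strips the <![CDATA[ ]]>
        # wrapper and hands the content over verbatim, still unescaped.
        text.append(chunk)

    def end(tag):
        value = "".join(text)
        if value.strip():
            leaves[tag] = value
        text.clear()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return leaves


def is_safe(data: bytes) -> bool:
    """True only if `data` parses without touching any DTD feature."""
    try:
        parse_without_dtd(data)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


# Constructed samples modelled on the bWAPP "reset secret" request above.
# TARGET and COLLABORATOR are placeholder host names, not real systems.
BENIGN = b"<reset><login>bee</login><secret>Any bugs?</secret></reset>"
LOCAL_FILE_SSRF = (
    b'<!DOCTYPE reset [<!ENTITY ignite SYSTEM "http://TARGET/robots.txt">]>'
    b"<reset><login>&ignite;</login><secret>x</secret></reset>"
)
BLIND_PARAMETER_ENTITY = (
    b'<!DOCTYPE reset [<!ENTITY % xxe SYSTEM "http://COLLABORATOR/">%xxe;]>'
    b"<reset><login>bee</login><secret>x</secret></reset>"
)
CDATA_TEXT = b"<reset><login><![CDATA[<b>not markup</b>]]></login></reset>"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("local file SSRF", LOCAL_FILE_SSRF),
                       ("blind parameter entity", BLIND_PARAMETER_ENTITY),
                       ("cdata", CDATA_TEXT)):
        try:
            print(f"{label}: accepted {parse_without_dtd(doc)}")
        except UnsafeXML as err:
            print(f"{label}: rejected, {err}")
```

Note that a CDATA section is not blocked by this setting: its contents come back as ordinary text, so they still need output encoding before they reach a browser.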

Author: Naman Kumar is a cyber security enthusiast who is trying to gain some knowledge in the cybersecurity field.