This fun little challenge highlight two issue at once: XML External Entity (XXE) and Server-side request forgery (SSRF) and show how it’s possible to chain multiple vulnerabilities to have a bigger impact on a target.
Tl;Dr: You have to exploit an XML External Entity vulnerability through the upload of a SVG file in order achieve Server-side request forgery to activate a premium feature only available to privileged users.
Alright! Let’s get into the details now!
Opening the challenge displays the following application:
Once we upload an image we can activate few function, only “Blur” function is available.
By opening the browser developper tools we can see that two requests are being made once the “blur” function is being activated.
The first request activate the
$ curl http://blur.ctf:33433/features/0/toggle -i
0 is the ID of
Blur feature maybe we can activate the two other locked features by calling the /toogle endpoint directly?
$ curl http://blur.ctf:33433/features/1/toggle -i
Too bad seems like we are not allowed to…
Let’s move on.
Let’s focus a moment on the upload function. Only SVG file are allowed.
As a reminder:
Scalable Vector Graphics (SVG) is an Extensible Markup Language (XML)-based vector image format for two-dimensional graphics with support for interactivity and animation.
SVG is based on XML. We can actually see the SVG content when uploading our file:
Having a XML file being send and proceeded to the server open door to very common vulnerability: XXE injection.
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any backend or external systems that the application itself can access.
In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other backend infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.
We should give a try by crafting a malicious SVG file to exploit XXE Injection. Here how we should be able to read the server
We save it, upload it to the app and…. Well nothing really happen. Since the app try to draw the SVG and don’t proceed correctly the text.
Let’s try to find another way.
Another way to exploit XXE Injection is to use it to perform server-side request forgery (SSRF) attacks.
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.
In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization’s infrastructure, or to external third-party systems.
Since we are not even sure that our XXE injection worked, let’s try another payload. This time we are going to try performing an a SSRF, in other words, make the server request an URL we control.
To give it a try let’s open a simple Python server on our machine:
$ python -m http.server
And include our server URL in the SVG payload:
Once we upload the SVG file we can see a new request have been made to our server:
$ python -m http.server
Bingo! We got the confirmation that our XXE Injection is working and we can do SSRF.
Now what ?
Remember those “locked” features we couldn’t activate earlier ? Maybe we can toggle it directly from the server using SSRF ?
Let’s give a try with the following SVG file:
Now we reload the page and we can see the feature got activated:
- XML external entity (XXE) injection | Web Security Academy
- XML External Entity (XXE) Processing | OWASP
- Server-side request forgery (SSRF) | Web Security Academy
- Server Side Request Forgery | OWASP
- How To: Server-Side Request Forgery (SSRF) | HackerOne Wiki
- SSRF was used to retrieve AWS credentials that were then used to steal the personal information of over 100 million Capital One customers.
- SSRF in Exchange leads to ROOT access in all Shopify instances ($25,000) | HackerOne
- XXE on sms-be-vip.twitter.com in SXMP Processor ($10,080) | HackerOne
- XXE at Starbuck.com.cn ($4,000) | HackerOne
- XXE in Site Audit function exposing file and directory contents ($2,000) | HackerOne
- XXE on pulse.mail.ru ($6,000) | HackerOne
- Unauthenticated blind SSRF in OAuth Jira authorization controller ($6,000) | HackerOne
That’s it folks! As always do not hesitate to contact me for any questions or feedbacks!
See you next time ;)