Advanced Web Application Attacks - CSRF and XXE

As web applications have become more prevalent, attackers have developed new and sophisticated methods to exploit them. Among these are Cross-Site Request Forgery (CSRF) and XML External Entity (XXE) attacks. These attacks can be devastating, leading to unauthorized access to sensitive information or the ability to execute arbitrary code on the victim’s system. In this article, we will explore these two advanced web application attacks and the techniques that attackers use to carry them out.

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery, also known as XSRF, is a type of web application attack that forces an authenticated user to perform an unwanted action on a web application. In this type of attack, the attacker sends a malicious request to the web application using the victim’s authenticated session. The attacker’s request is crafted in such a way that it appears to be a legitimate request from the victim. When the victim’s browser sends the request, the web application processes it as if it came from the victim, leading to an undesired outcome.

For example, let’s assume that there is a web application that allows users to change their email address. The application requires users to be logged in to perform this action. An attacker can craft a malicious request that changes the victim’s email address to the attacker’s email address. The attacker then lures the victim into clicking a link that sends the malicious request to the web application. When the victim clicks the link, their browser sends the request to the web application using the victim’s authenticated session, and the email address is changed to the attacker’s email address.

To mitigate CSRF attacks, web applications can implement measures such as using anti-CSRF tokens. An anti-CSRF token is a random value that is generated by the web application and sent to the client as a hidden field in a form. When the client submits the form, the web application checks the token to ensure that the request is legitimate. If the token is missing or incorrect, the web application rejects the request.

Another mitigation technique is to implement SameSite cookies. SameSite cookies restrict the browser from sending cookies along with cross-site requests. If the cookie is not sent with the request, the web application can’t verify the user’s authentication, thus preventing CSRF attacks.

XML External Entity (XXE)

XML External Entity injection, or XXE, is a type of web application attack that exploits vulnerabilities in XML parsers. XML parsers are software components that read and interpret XML documents. When an XML parser processes an XML document, it may include references to external entities. An external entity is a piece of data that is stored outside of the XML document but is referenced within the document.

An XXE attack occurs when an attacker sends a malicious XML document to a vulnerable web application that includes a reference to an external entity. The attacker’s document is crafted in such a way that it causes the XML parser to read sensitive data from the server and return it to the attacker.

For example, let’s assume that there is a web application that allows users to upload an XML file. The application reads the file and displays the data to the user. An attacker can upload a malicious XML file that includes a reference to an external entity that points to a file containing sensitive data on the server. When the application reads the XML file, the XML parser follows the reference to the external entity, reads the sensitive data from the file, and returns it to the attacker.

To mitigate XXE attacks, web applications can implement measures such as disabling the use of external entities or limiting the types of external entities that can be used. Additionally, input validation can be used to ensure that uploaded files are in the expected format and do not contain malicious content.

Real-World Examples

The following are real world examples of CSRF and XXE attacks that have occurred in recent years:

CSRF Attacks

Facebook CSRF Attack: In 2018, a security researcher discovered a CSRF vulnerability in Facebook’s mobile application. The vulnerability allowed an attacker to change a user’s Facebook password without their knowledge or consent. The researcher reported the vulnerability to Facebook, and it was promptly fixed.
WordPress CSRF Attack: In 2015, a vulnerability in the WordPress content management system was discovered that allowed an attacker to take control of a website by creating a new administrator account. The vulnerability was due to a lack of anti-CSRF tokens in the WordPress login form. The issue was fixed in a subsequent update.

XXE Attacks

Uber XXE Attack: In 2016, Uber disclosed a vulnerability in their payment system that allowed an attacker to access sensitive information such as payment details and driver’s license numbers. The vulnerability was due to an XXE injection in the XML parser used by the payment system. The vulnerability was quickly patched after it was discovered.
Yahoo! XXE Attack: In 2015, a security researcher discovered an XXE vulnerability in Yahoo!’s email system that allowed an attacker to read any email on a victim’s account. The vulnerability was due to the XML parser used by the email system not properly sanitizing user input. The issue was fixed after it was reported to Yahoo!.

Tools for Exploiting CSRF and XXE Vulnerabilities

There are various tools that attackers can use to exploit CSRF and XXE vulnerabilities. Some of these tools include:

Burp Suite: Burp Suite is a popular tool used by penetration testers to test web applications. It includes features such as intercepting HTTP requests and responses, scanning for vulnerabilities, and generating and modifying requests.
OWASP ZAP: OWASP ZAP is an open-source web application scanner that is designed to identify vulnerabilities in web applications. It includes features such as automated scanning, manual testing, and API testing.
XXE Injection Framework: The XXE Injection Framework is a tool that automates XXE injection attacks. It includes a set of payloads and a scanner that can be used to identify vulnerabilities in web applications.

Traffic Samples of CSRF and XXE Attacks

In this section, we will provide traffic samples of CSRF and XXE attacks to illustrate how these attacks work in practice. These traffic samples were captured using a web application vulnerable to these attacks and the Burp Suite intercepting proxy.

CSRF Attack Traffic Sample

The following traffic sample shows a CSRF attack on a web application that allows users to change their email address. The attacker crafts a malicious request that changes the victim’s email address to the attacker’s email address. The attacker then lures the victim into clicking a link that sends the malicious request to the web application.

POST /change-email HTTP/1.1
Host: vulnerable-website.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: https://vulnerable-website.com
Connection: close
Referer: https://vulnerable-website.com/settings

email=attacker%40example.com

In this example, the attacker has crafted a POST request to the web application’s “/change-email” endpoint. The request contains the victim’s email address that the attacker wants to change, as well as the new email address of the attacker. The request is sent with the victim’s authenticated session and appears to be a legitimate request from the victim.

XXE Attack Traffic Sample

The following traffic sample shows an XXE attack on a web application that allows users to upload an XML file. The attacker uploads a malicious XML file that includes a reference to an external entity that points to a file containing sensitive data on the server.

POST /upload-xml HTTP/1.1
Host: vulnerable-website.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------533212977491794303117161017
Content-Length: 387
Origin: https://vulnerable-website.com
Connection: close
Referer: https://vulnerable-website.com/upload

-----------------------------533212977491794303117161017
Content-Disposition: form-data; name="xml"; filename="file.xml"
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
-----------------------------533212977491794303117161017

In this example, the attacker has uploaded a malicious XML file to the web application’s “/upload-xml” endpoint. The XML file contains a reference to an external entity that points to the “/etc/passwd” file on the server. When the web application processes the XML file, the XML parser follows the reference to the external entity, reads the sensitive data from the file, and returns it to the attacker.

In this section, we have provided traffic samples of CSRF and XXE attacks to illustrate how these attacks work in practice. These traffic samples demonstrate the requests and payloads used by attackers to exploit vulnerabilities in web applications. By analyzing these traffic samples, security professionals can better understand these attacks and develop countermeasures to protect against them.

It is important to note that the traffic samples provided in this section were captured from a vulnerable web application and should not be used to carry out real-world attacks. It is illegal and unethical to conduct attacks on web applications without prior consent from the application owners.

Conclusion

Cross-Site Request Forgery and XML External Entity attacks are two of the most common and devastating web application attacks that attackers use to exploit vulnerabilities in web applications. As a red teamer or pen tester, it is crucial to understand these attacks and the techniques that attackers use to carry them out. By identifying and exploiting vulnerabilities in web applications, you can help organizations improve their security posture and protect against real-world attacks.

In conclusion, understanding and mitigating CSRF and XXE attacks are essential for protecting web applications against real-world threats. As a red teamer or pen tester, it is crucial to identify and exploit vulnerabilities in web applications to help organizations improve their security posture and protect against these attacks. By implementing measures such as anti-CSRF tokens, SameSite cookies, and input validation, web applications can significantly reduce the risk of CSRF and XXE attacks.

Cross-Site Request Forgery (CSRF)¶

XML External Entity (XXE)¶

Real-World Examples¶

CSRF Attacks¶

XXE Attacks¶

Tools for Exploiting CSRF and XXE Vulnerabilities¶

Traffic Samples of CSRF and XXE Attacks¶

CSRF Attack Traffic Sample¶

XXE Attack Traffic Sample¶

Conclusion¶