Detecting and Exploiting XXEs: AppSec Simplified
Static analysis is the most efficient way of uncovering most app vulnerabilities. In this tutorial, learn about finding XXE vulnerabilities in apps via code analysis.
Join the DZone community and get the full member experience.Join For Free
Welcome back to AppSec Simplified! Last time, we talked about the fascinating XXEs vulnerabilities and how they can affect your application. If you are not already familiar with XXEs, please read that post first!
Intro to XXE Vulnerabilities: AppSec SimplifiedThis time, let’s hunt for XXEs for real! We will be analyzing the source code of an example application that is vulnerable to XXEs: the OWASP WebGoat. You can download the application hereif you want to follow along with this exercise.
We’ll be using ShiftLeft’s NG-SAST scanner to hunt for XXEs. You can register for a free account here. After you register, you will be taken to a dashboard.
From there, go to “Add App” on the top right and click “use our CLI”. Follow the instructions to set up the command-line tool on your machine. We can now start analyzing any application for vulnerabilities!
Analyzing the App
Once you finish setting up the tool, execute this command in your terminal to analyze WebGoat.
PATH_TO_WEBGOAT_JAR_FILE is the location of the WebGoat JAR file on your machine.
Within a few minutes, you will see the results of the WebGoat scan uploaded to your dashboard.
Let’s dive into the findings! Click on the WebGoat project, and you should see findings sorted by vulnerability type on the bottom left. Click on the XXE label. This takes you to all the XXEs we found in WebGoat.
Let’s dive into one of these XXEs and try to exploit it! Click on one of the XXEs found. Here, I will be looking at “HTTP data to XML via
The NG-SAST tool tracks how data flows through applications to find patterns that indicate vulnerabilities. This window shows you where the vulnerability is located and how it happened, starting from the code that allowed the vulnerability to happen and going to where the vulnerability actually happened. In code analysis speak, these locations are called the “source” and the “sink” of that vulnerability.
You can see that the attacker’s entry point is on line 66 in a file called
SimpleXXE.java in a method named
createNewComment. Then, the attacker’s malicious input gets passed into line 87 of
Comments.java in a method named
parseXml. Let’s take a look at these locations and investigate!
Diving Into the Source Code
SimpleXXE.java here. You should see the method
createNewComment at line 66. What is this method doing?
commentStrin the request body) and passing it into the method
comments.parseXML(). In addition to the
parseXmlaccepts another parameter called
secure. If the request session has the attribute
securewill be true. Otherwise,
securewill be false. And from this snippet on line 113 of
SimpleXXE.java, we see that
applySecurityis only set when the path “/xxe/applysecurity” is used.
secure parameter is set to true, the XML parser properties
ACCESS_EXTERNAL_SCHEMA will be set to an empty string. These settings protect the parser from XXE attacks. But if
secure is false, the XML parser will parse the input string directly without protection. This means that attackers can launch an XXE attack as long as the session attribute
applySecurity is “null”!
Exploiting the XXE
Now that we understand where the vulnerability is and how we can trigger it, let’s run the server and launch an XXE attack. You can launch the WebGoat server by running this command in your terminal.
Access WebGoat by going to
localhost:8080/WebGoat. Navigate to
http://localhost:8080/WebGoat/start.mvc#lesson/XXE.lesson/3 to the page vulnerable to XXE. You should see a comment field. This is where
createNewComment is getting its input string from.
When you submit a comment on this page, your browser will send a POST request to like this one to WebGoat.
Hope you had fun with this tutorial! I sure had fun writing it. Static analysis is the most efficient way of uncovering most vulnerabilities in your applications. If you’re interested in learning more about ShiftLeft’s static analysis tool NG-SAST, visit us here.
Thanks for reading! What is the most challenging part of developing secure software for you? I’d love to know. Feel free to connect on Twitter @vickieli7.
Published at DZone with permission of Vickie Li. See the original article here.
Opinions expressed by DZone contributors are their own.