If you're a returning visitor to our CTF Recaps, feel free to dive straight into the insights! For first-time explorers, let us quickly introduce you to the essence of these recaps. Wizer CTFs were introduced to challenge developers, encouraging them to adopt a hacker's mindset and thereby code more securely. This initiative is a pivotal part of our new security awareness training, specially crafted for development teams - Wizer's Secure Code Training for Developers!
After a challenge retires, our Wizer Wizard and CTO, Itzik Spitzen, crafts takeaways that offer valuable insights into the challenge, focusing on the defensive perspective for your script. Curious to test-drive a CTF before delving into the notes? Visit wizer-ctf.com – it's free, and there's something for all skill levels!
In this challenge, we identify an XXE (XML External Entity) vulnerability.
Our code is a user card creator, which creates an XML card populated with a few field values received as user-inputs. The user is able to input their role, first name and last name into the template creator. Upon receiving the user-inputs and before incorporating them into the template, the inputs are sanitized, removing all the occurrences of `<!` from them to prevent undesired tags injection.
Since the sanitization isn't complete, it does not recursively sanitize the string. It removes every presence of <! in the code, but that is not enough. Because if an attacker inputs <<!!, then the code will remove every presence of <! which still results in <! being present in the input.
An attacker who identifies the weakness, could easily bypass the sanitization by specifying `<<!!ENTITY` in order to get a single instance of `<!ENTITY`. By doing so, the attacker could use the SYSTEM attribute and include a system file's content as one of the valid arguments. In this case the entity should include the passwd file `SYSTEM \"file:///etc/passwd"`. The result should look like the image below:
XXE is considered an old vulnerability, and is often dismissed by many as irrelevant. However, we need to remember that while technologies’ lifecycle is short and rapid, many legacy software systems remain active and used for many years. XXE still exists in the wild and cannot be ignored. Furthermore, XXE is also listed as one of the OWASP top 10. As a server side vulnerability allowing an attacker to run commands on the server, it's a dangerous weakness which could be translated into a complete server takeover in certain cases.
Wanna join us on our next challenge? Sign up for our mailing list at wizer-ctf.com.