1 00:00:07,920 --> 00:00:13,760 OK, so in the last lecture, we took a look at sensitive data disclosures, and now we will investigate
2 00:00:14,100 --> 00:00:21,010 XXE, right.
3 00:00:21,300 --> 00:00:33,030 And this actually stands for XML external entity injection.
4 00:00:35,190 --> 00:00:35,490 All right.
5 00:00:35,500 --> 00:00:36,460 So what is this?
6 00:00:36,840 --> 00:00:41,670 Well, XML external entity injection is a web app vulnerability.
7 00:00:41,970 --> 00:00:42,290 Right.
8 00:00:42,300 --> 00:00:50,150 And it allows an attacker to sort of interfere with the way a web app processes XML data.
9 00:00:51,090 --> 00:00:57,240 And really the impact can range from local file exposure, you know, so we can write that here,
10 00:00:58,680 --> 00:01:02,030 and it can go all the way to something like SSRF.
11 00:01:02,940 --> 00:01:08,580 So by local file exposure, I mean that the attacker can, you know, potentially exfiltrate files
12 00:01:08,850 --> 00:01:10,740 directly from the local filesystem.
13 00:01:11,400 --> 00:01:19,020 And by SSRF, I'm talking about server-side request forgery, where an attacker is able to pivot to adjacent
14 00:01:19,020 --> 00:01:19,680 systems.
15 00:01:20,070 --> 00:01:20,400 Right.
16 00:01:22,430 --> 00:01:23,580 These are some other systems here.
17 00:01:24,490 --> 00:01:32,380 And launch attacks from the position of the compromised web app, so this can be a devastating attack,
18 00:01:32,710 --> 00:01:36,870 and one of the best ways to test this vector is to look for input form fields.
19 00:01:37,300 --> 00:01:38,590 And we're going to do that.
20 00:01:38,600 --> 00:01:39,510 We're going to log in to the web app.
21 00:01:39,610 --> 00:01:40,390 We're going to look around.
22 00:01:40,600 --> 00:01:45,850 And one of the reasons we're going to authenticate is because, in my experience, credentialed inspection
23 00:01:45,850 --> 00:01:51,390 usually yields better fruit than unauthenticated tests, and it's good news and bad news.
24 00:01:51,730 --> 00:01:55,840 The bad news is we can't actually run this test in the environment we have set up right now, because
25 00:01:56,140 --> 00:02:01,780 Juice Shop is sitting inside of a Docker environment. XML external entity injection won't work in a
26 00:02:01,780 --> 00:02:03,990 container, but have no fear.
27 00:02:04,000 --> 00:02:09,490 I'm going to show you how you can set up OWASP Juice Shop from source, and we're going to install Node.js,
28 00:02:09,490 --> 00:02:13,540 just the latest version, and then we're going to run this attack, and I'm going to show you just how devastating
29 00:02:13,540 --> 00:02:18,280 it could be and how awesome it is, to be honest, and why you should understand how this works.
30 00:02:18,730 --> 00:02:18,970 All right.
31 00:02:18,970 --> 00:02:20,290 So let's jump right into this.
32 00:02:20,530 --> 00:02:23,260 Let's go to the Juice Shop on GitHub.
33 00:02:23,470 --> 00:02:24,060 Here we are.
34 00:02:24,670 --> 00:02:30,340 And the first thing we need to do is get the latest version of Node.
35 00:02:30,920 --> 00:02:31,930 OK, so we go to...
36 00:02:32,680 --> 00:02:35,420 Let's see here, packaged distributions.
37 00:02:36,840 --> 00:02:39,690 You can see here we need to install a 64-bit Node.js now.
38 00:02:39,710 --> 00:02:40,950 This is why it's kind of complicated.
39 00:02:42,090 --> 00:02:47,090 Because if you click on this, it takes you down here and you say, OK, so Node.js 15.x, right?
40 00:02:47,600 --> 00:02:48,600 Well, how do I do that?
41 00:02:49,290 --> 00:02:51,290 Well, you can go to, you know, just that.
42 00:02:51,300 --> 00:02:52,230 All right.
43 00:02:54,630 --> 00:02:55,440 And it's like, all right.
44 00:02:57,080 --> 00:02:58,350 15.x, where is it?
45 00:02:58,640 --> 00:02:59,510 I don't see it, right.
46 00:02:59,900 --> 00:03:01,590 OK, so this is what you need to do, guys.
47 00:03:02,000 --> 00:03:06,770 You go to nodejs.org, and what you can do is click on other downloads.
48 00:03:08,450 --> 00:03:13,200 You go down, you want to look for "Installing Node.js via package manager".
49 00:03:13,730 --> 00:03:13,830 Right.
50 00:03:13,870 --> 00:03:14,460 So click that.
51 00:03:15,780 --> 00:03:20,740 Then you want to scroll down to Debian and Ubuntu, because that's what we have running at Juice Shop.
52 00:03:20,880 --> 00:03:21,780 See, cd juice-shop.
53 00:03:22,810 --> 00:03:26,050 uname, uh, uname -a.
54 00:03:28,280 --> 00:03:30,230 That's the issue.
55 00:03:30,650 --> 00:03:35,720 All right, and so we're running Ubuntu 20.10, so that's obviously what we want.
56 00:03:35,720 --> 00:03:40,300 So we click on the Debian and Ubuntu based Linux distributions, and that takes us here, a bit of a rabbit hole.
57 00:03:40,310 --> 00:03:40,630 I know.
58 00:03:41,030 --> 00:03:41,720 So we need to know.
59 00:03:41,720 --> 00:03:47,570 Node.js binary distributions available from NodeSource, like they're going to take you to the GitHub,
60 00:03:48,410 --> 00:03:50,030 and you should go down.
61 00:03:52,520 --> 00:03:53,390 Until you find.
62 00:03:54,990 --> 00:03:59,970 15.x. Node.js 15.x, control-click this.
63 00:04:02,440 --> 00:04:08,560 You see, if we go back here, you see 15.x is the latest supported and tested version of Node.js for
64 00:04:08,890 --> 00:04:09,460 Juice Shop.
65 00:04:10,510 --> 00:04:13,900 So all we need to do now is run this and then the next one to get it installed.
66 00:04:13,930 --> 00:04:19,980 Now, if you just run this last part, apt install nodejs, you'll get the older version of Node.js.
67 00:04:19,990 --> 00:04:22,720 You won't get the 15.x, and therefore Juice Shop might not work.
68 00:04:23,290 --> 00:04:24,520 So let's go ahead and get this going.
69 00:04:26,350 --> 00:04:30,550 Go back to the Juice Shop directory, we are here.
70 00:04:30,840 --> 00:04:33,760 Let's make sure our Docker container is not running, so it's not.
71 00:04:37,710 --> 00:04:41,370 I like to set up just to make sure I'm seeing everything that I'm expecting.
72 00:04:41,400 --> 00:04:41,560 Right.
73 00:04:41,580 --> 00:04:46,260 So it's not running and we are in the home directory.
74 00:04:46,260 --> 00:04:46,460 All right.
75 00:04:46,470 --> 00:04:47,370 So let's just curl it down
76 00:04:50,760 --> 00:04:51,060 there.
77 00:04:51,130 --> 00:04:58,490 That's nodesource.com/setup_15.x, pipe
78 00:04:58,500 --> 00:05:01,110 that to sudo and bash.
79 00:05:03,320 --> 00:05:08,930 Right, so we'll let this run, and then once it finishes, we'll then run sudo apt install nodejs,
80 00:05:09,860 --> 00:05:13,490 and the -y is basically going to tell it to update everything.
81 00:05:13,490 --> 00:05:14,060 Don't prompt.
82 00:05:14,120 --> 00:05:14,380 Right.
83 00:05:14,410 --> 00:05:19,650 So if I say sudo apt install nodejs, -y says yes, I won't.
84 00:05:19,670 --> 00:05:20,000 Yes.
85 00:05:20,000 --> 00:05:24,130 For the defaults, and that'll get things going.
86 00:05:26,330 --> 00:05:27,710 All right, so we'll come back once this finishes.
87 00:05:27,740 --> 00:05:28,850 All right, see you guys in a little bit.
88 00:05:29,510 --> 00:05:31,390 All right, that finished in just a few seconds.
89 00:05:31,970 --> 00:05:34,420 Now what we're going to want to do is clone the repo.
90 00:05:35,000 --> 00:05:37,350 So if we go back to the GitHub, we can see what we need to do.
91 00:05:38,060 --> 00:05:38,780 git clone.
92 00:05:38,900 --> 00:05:39,530 Here's the repo.
93 00:05:40,280 --> 00:05:41,120 That's step number two.
94 00:05:42,050 --> 00:05:44,050 Because we've already got Node installed, right?
95 00:05:44,120 --> 00:05:48,650 And the way we can check, by the way, we can type nodejs --version.
96 00:05:50,330 --> 00:05:51,250 node -v.
97 00:05:53,060 --> 00:05:57,190 which nodejs, that is really, really weird.
98 00:05:59,160 --> 00:06:01,690 Oh, I think it's because it's just node --version.
99 00:06:02,490 --> 00:06:03,450 Yeah, there we go.
100 00:06:03,480 --> 00:06:03,780 All right.
101 00:06:03,780 --> 00:06:05,010 I was starting to freak out for a little bit.
102 00:06:05,760 --> 00:06:06,010 All right.
103 00:06:06,010 --> 00:06:09,760 So we've got version 15.14.0, which is good.
104 00:06:10,590 --> 00:06:13,860 So now what we can do is clone this repo,
105 00:06:16,740 --> 00:06:17,850 and we'll just clone it in here.
106 00:06:18,630 --> 00:06:18,960 Right.
107 00:06:19,650 --> 00:06:24,300 sudo git clone, to put this guy in here, juice-
108 00:06:24,540 --> 00:06:29,120 shop.git, forward slash.
109 00:06:29,400 --> 00:06:29,730 All right.
110 00:06:29,790 --> 00:06:30,420 Did I type that right?
111 00:06:30,840 --> 00:06:31,530 Apparently I did.
112 00:06:32,580 --> 00:06:32,820 All right.
113 00:06:32,820 --> 00:06:34,970 So once that finishes, we'll just go to the next step.
114 00:06:35,550 --> 00:06:40,200 We will cd into that folder and then run npm install and npm start.
115 00:06:40,200 --> 00:06:45,480 And we'll need to run this as root because, you know, we can't really do this without having privileges,
116 00:06:45,480 --> 00:06:47,440 so we'll just sudo npm install.
117 00:06:48,600 --> 00:06:52,890 OK, so you see there's some stuff in here we can do.
118 00:06:52,890 --> 00:06:55,170 sudo npm install.
119 00:06:57,730 --> 00:06:58,700 Let's get this guy going.
120 00:06:59,380 --> 00:07:00,460 This part takes the longest.
121 00:07:00,940 --> 00:07:04,540 So we'll let this run and then we'll, you know, we'll return once this finishes.
122 00:07:04,840 --> 00:07:05,140 All right.
123 00:07:05,140 --> 00:07:05,980 I'll see you guys in a little bit.
124 00:07:06,700 --> 00:07:07,080 All right.
125 00:07:07,090 --> 00:07:09,940 That took a solid, like, 13, 14 minutes.
126 00:07:10,270 --> 00:07:15,910 But now that we're done, we can type sudo npm start, and it should start in a second on port three
127 00:07:15,910 --> 00:07:16,290 thousand.
128 00:07:16,690 --> 00:07:19,900 If it doesn't, that's probably because port 3000 is already listening for you.
129 00:07:20,260 --> 00:07:29,500 And then you can run, like, sudo, space, ss, space, -al, and then space, pipe, space, and then grep
130 00:07:29,500 --> 00:07:35,050 for port 3000, find the process and kill it with sudo, space, kill, space, -9, and
131 00:07:35,050 --> 00:07:36,360 then space, the process ID.
132 00:07:36,750 --> 00:07:37,000 All right.
133 00:07:37,000 --> 00:07:42,490 So now that we're listening on port 3000, let's see if we can access the web app, so we can
134 00:07:42,490 --> 00:07:43,910 go back to Kali.
135 00:07:44,300 --> 00:07:49,110 Let's go to our web application and let's go to our site.
136 00:07:49,540 --> 00:07:50,840 That's carbon buy.com.
137 00:07:51,580 --> 00:07:51,850 All right.
138 00:07:51,970 --> 00:07:54,250 So that's always a good sign, right?
139 00:07:54,400 --> 00:07:56,140 So let's go ahead and log into our account.
140 00:07:59,220 --> 00:08:01,850 The cookie, to clear the cookie, OK, we can do that.
141 00:08:02,030 --> 00:08:03,170 Let's clear out all this.
142 00:08:05,210 --> 00:08:05,480 All right.
143 00:08:05,480 --> 00:08:06,860 So let's log into our account.
144 00:08:10,190 --> 00:08:11,160 This is how we like it.
145 00:08:11,190 --> 00:08:12,440 This is our back door.
146 00:08:23,220 --> 00:08:26,850 All right, so now we're logged in as an admin. If you have questions about why this logged me in,
147 00:08:27,180 --> 00:08:28,720 logged me in as an admin,
148 00:08:29,010 --> 00:08:34,830 check out the SQL injection lecture earlier in the series. Right, now that we're logged in,
149 00:08:34,830 --> 00:08:39,600 let's just click around, and you can see we've got, like, you know, customer feedback.
150 00:08:39,990 --> 00:08:41,550 So there is some user input here.
151 00:08:41,550 --> 00:08:42,720 I don't see any forms now.
152 00:08:43,410 --> 00:08:45,140 So that's not really that useful.
153 00:08:46,230 --> 00:08:47,310 Let's see, complaints.
154 00:08:48,510 --> 00:08:51,410 Customer, I've got a message and I can upload something.
155 00:08:51,420 --> 00:08:55,160 So this is a prime candidate for XXE testing, right.
156 00:08:55,170 --> 00:08:56,340 So I'm going to get Burp going.
157 00:08:58,350 --> 00:09:00,150 And let's see what we can do,
158 00:09:03,450 --> 00:09:03,990 start Burp.
159 00:09:04,320 --> 00:09:09,540 We're going to make sure that we intercept the response so that we can see what the application returns
160 00:09:09,540 --> 00:09:09,960 to us.
161 00:09:09,960 --> 00:09:14,500 The attacker. It's really important, especially when you have everything going through a repeater.
162 00:09:15,390 --> 00:09:21,000 So if we go to proxy, take off intercept for a second, go to options, make sure server response is
163 00:09:21,000 --> 00:09:21,390 checked.
164 00:09:23,320 --> 00:09:29,890 And let's see here, let's go ahead and look up some payloads.
165 00:09:31,420 --> 00:09:32,680 Take it out of here for a second.
166 00:09:34,330 --> 00:09:40,760 All right, so Google PayloadsAllTheThings, it's actually a really good one to use.
167 00:09:40,900 --> 00:09:42,420 So we probably should check that out first.
168 00:09:42,940 --> 00:09:44,950 I don't even see it in this list for some reason.
169 00:09:45,460 --> 00:09:50,010 Just type PayloadsAllTheThings XXE.
170 00:09:51,980 --> 00:09:52,940 See what we've got here?
171 00:09:54,280 --> 00:09:57,460 XML external entity injection, where are you?
172 00:09:58,360 --> 00:09:59,710 All right, the injection.
173 00:09:59,740 --> 00:10:00,280 Yes.
174 00:10:01,720 --> 00:10:03,250 All right, so here you can see a summary, right?
175 00:10:04,420 --> 00:10:09,400 An XML external entity attack is a type of attack against an application that parses XML input and
176 00:10:09,400 --> 00:10:10,900 allows XML entities.
177 00:10:11,530 --> 00:10:16,210 Now, in order to make this work, we actually need two things.
178 00:10:16,810 --> 00:10:22,680 First, we need the DOCTYPE element, which you'll probably see here somewhere in these payloads.
179 00:10:23,260 --> 00:10:23,860 Does it show it?
180 00:10:24,100 --> 00:10:24,400 Yeah.
181 00:10:24,880 --> 00:10:31,900 So we need the DOCTYPE element, and this is basically the reason we need this, because this defines an
182 00:10:31,900 --> 00:10:32,740 external entity.
183 00:10:33,970 --> 00:10:40,600 For example, here the external entity is named "example", and you can see we're using it there.
184 00:10:40,870 --> 00:10:45,910 So we need this DOCTYPE definition to define this external entity, and then we're going to point this
185 00:10:45,910 --> 00:10:49,030 external entity to the path of a file that we want to exfil.
186 00:10:49,510 --> 00:10:54,340 And then the second thing we need is a way to edit this data value that is returned in the application
187 00:10:54,340 --> 00:10:58,290 response, so we can make use of that entity, in this case "example".
188 00:10:58,300 --> 00:10:58,520 Right.
189 00:10:59,560 --> 00:11:04,110 So this may seem kind of complicated, but it's not so bad once you actually make this work.
190 00:11:04,120 --> 00:11:04,900 So let's try this out.
191 00:11:05,530 --> 00:11:06,520 Let's grab this guy right here.
192 00:11:07,900 --> 00:11:08,650 We'll break this down.
193 00:11:09,790 --> 00:11:11,860 Let's open up Mousepad.
194 00:11:15,940 --> 00:11:20,140 Let's just expand this out a little bit, it's a little easier to see.
195 00:11:26,750 --> 00:11:29,060 So you can see here we've got this.
196 00:11:30,450 --> 00:11:32,940 Entity called "test", we're defining an entity.
197 00:11:32,970 --> 00:11:39,150 This is an entity "test", OK, and we're saying, OK, we want to have SYSTEM, meaning we
198 00:11:39,150 --> 00:11:42,630 want to be able to access an external path.
199 00:11:42,840 --> 00:11:45,440 And here the external path is the local filesystem.
200 00:11:46,530 --> 00:11:55,230 And then we're just referencing that entity here with this ampersand inside of these root tags, which
201 00:11:55,230 --> 00:11:57,150 we defined up here.
202 00:11:57,840 --> 00:11:59,400 OK, so that's all we're going to do.
203 00:11:59,400 --> 00:12:02,810 We're just going to try to run this and see if we can get access to /etc/passwd.
204 00:12:02,820 --> 00:12:06,660 Now, typically, we should not have access to this, but if the web application is running as root,
205 00:12:07,350 --> 00:12:10,170 then we may have access, and that's what we want to see.
206 00:12:10,530 --> 00:12:13,380 So let's just name this something easy.
207 00:12:14,220 --> 00:12:22,420 So we'll go to, let's see, put it in Documents, and we'll name it, we'll name it complaints.xml.
208 00:12:22,650 --> 00:12:23,010 OK.
209 00:12:24,960 --> 00:12:25,760 All right, look at that.
210 00:12:25,770 --> 00:12:29,760 It put all the colors in. That's because Mousepad recognizes this is an XML document.
211 00:12:30,480 --> 00:12:30,680 Right.
212 00:12:30,690 --> 00:12:31,410 So now what we're going to do.
213 00:12:32,130 --> 00:12:33,600 Let's get back here.
214 00:12:34,950 --> 00:12:37,050 And we want to filter this thing through Burp.
215 00:12:38,900 --> 00:12:43,580 I'm going to put in the complaint, we'll just call it "just a test", right, and we're going to browse.
216 00:12:45,470 --> 00:12:49,640 Let's go ahead and grab that document, and we don't see it, we need to change the All Supported Types
217 00:12:50,240 --> 00:12:52,270 to All Files.
218 00:12:55,470 --> 00:12:59,570 And, you know, this is a complaint box, they have little reason to accept XML documents, right?
219 00:12:59,580 --> 00:13:04,860 I mean, there should be an invoice, so it should be a PDF or an Excel sheet, not an XML.
220 00:13:05,490 --> 00:13:07,590 So that's a finding right there, for people to upload this.
221 00:13:08,350 --> 00:13:10,160 So let's go ahead and put intercept on.
222 00:13:10,710 --> 00:13:12,000 We're going to say submit.
223 00:13:12,590 --> 00:13:12,990 All right.
224 00:13:13,230 --> 00:13:14,790 So here you can see the file we're going to submit.
225 00:13:15,460 --> 00:13:18,270 This is the payload that we typed out.
226 00:13:18,640 --> 00:13:24,870 I'm going to press Ctrl+R, Ctrl+Shift+R, and then Ctrl+Space to send, and now we're going to
227 00:13:24,870 --> 00:13:27,570 observe the response, and you can see that there was an error sent.
228 00:13:28,350 --> 00:13:35,880 What we're looking for, of course, is the /etc/passwd contents. It's well over to the right.
229 00:13:38,440 --> 00:13:38,950 Look at that.
230 00:13:39,750 --> 00:13:41,620 Oh, man, this is delicious.
231 00:13:43,240 --> 00:13:49,090 All right, so can you guys see that? What we're looking at here is the contents of /etc/passwd. Hard
232 00:13:49,090 --> 00:13:49,270 to see.
233 00:13:49,270 --> 00:13:50,170 It is hard to highlight.
234 00:13:51,010 --> 00:13:53,110 If I scroll over to the right, you can see.
235 00:13:54,760 --> 00:13:55,810 It's all on one line, right?
236 00:13:55,960 --> 00:13:59,770 The whole file's just collapsed on one line, there's no line breaks, but we just exfiltrated this
237 00:13:59,770 --> 00:14:00,050 file.
238 00:14:00,280 --> 00:14:03,650 Now, this is good for us as an attacker, because now we can do all kinds of crazy stuff.
239 00:14:03,970 --> 00:14:08,870 So check this out, let's say now we want to see what operating system is running on this web server.
240 00:14:09,310 --> 00:14:14,820 Well, what we need to do is look at /etc/issue. Well over to the right.
241 00:14:16,830 --> 00:14:19,980 Hey, that's even better than nmap. Ubuntu 20.10 is running.
242 00:14:20,380 --> 00:14:21,110 Isn't that nice?
243 00:14:21,460 --> 00:14:25,870 Now that I know Ubuntu 20.10 is running, I can look to see if I can find out the local IP address.
244 00:14:26,740 --> 00:14:27,340 How do I know that?
245 00:14:27,340 --> 00:14:35,250 Because if you Google Ubuntu 20, you can see that it's stored in /etc/netplan/00-installer-config.yaml
246 00:14:35,250 --> 00:14:36,490 by default.
247 00:14:37,690 --> 00:14:38,280 And look at that.
248 00:14:38,290 --> 00:14:38,740 I've got it.
249 00:14:39,430 --> 00:14:42,990 I've got the local IP addresses, I've got the name servers that are configured on the server.
250 00:14:44,530 --> 00:14:47,320 This is absolutely delicious.
251 00:14:50,120 --> 00:14:53,670 I've got the internal IP address of the web server, right?
252 00:14:54,110 --> 00:14:58,400 So from the attacker perspective, now it's enumerated.
253 00:14:58,400 --> 00:15:06,470 Maybe I can do a port scan internally on this 10.100.0.0/24 subnet, because remember,
254 00:15:10,400 --> 00:15:15,260 this is the IP address, the public, quote unquote, IP address that we're hitting, but we now know
255 00:15:15,260 --> 00:15:18,890 the internal IP address, and that is awesome.
256 00:15:18,960 --> 00:15:22,160 So one of the best defenses against this is really, really straightforward.
257 00:15:22,640 --> 00:15:27,680 Just make sure you disable external entities, you know, via the configuration file or the documentation
258 00:15:27,680 --> 00:15:29,100 for your given parser.
259 00:15:30,020 --> 00:15:32,570 You know, there's very little business reason for leaving this enabled.
260 00:15:32,990 --> 00:15:35,890 So, you know, you should turn that off, or things like this can happen.
261 00:15:36,110 --> 00:15:43,490 And so the app is running as root, has access to all kinds of things, including /etc/shadow, which
262 00:15:43,490 --> 00:15:44,730 contains the hashed passwords, right?
263 00:15:45,860 --> 00:15:46,130 Yeah.
264 00:15:46,730 --> 00:15:48,380 So it just gets worse and worse.
265 00:15:48,410 --> 00:15:50,030 Guys, this is really bad, right?
266 00:15:50,150 --> 00:15:54,560 So this would definitely be in the report that we would type up and send to the client, because this
267 00:15:54,560 --> 00:15:55,730 would be a critical finding.
268 00:15:56,270 --> 00:15:56,610 All right.
269 00:15:56,610 --> 00:15:57,530 So I hope that makes sense.
270 00:15:57,530 --> 00:16:00,600 In the next lecture, we're going to get into broken access control.
271 00:16:00,620 --> 00:16:04,160 So let's continue with our own journey and dig into broken access control.
272 00:16:04,490 --> 00:16:05,750 See you all, bye.