1
00:00:01,050 --> 00:00:01,700
Welcome back.

2
00:00:02,490 --> 00:00:05,490
Let's discuss a vulnerability called XXE.

3
00:00:06,660 --> 00:00:09,970
Now, first of all, what does XXE stand for?

4
00:00:10,650 --> 00:00:14,250
It stands for XML entity injection.

5
00:00:15,270 --> 00:00:23,400
It happens once an application takes user input in XML format and processes the external entities

6
00:00:23,400 --> 00:00:25,190
that are declared inside of it.

7
00:00:26,280 --> 00:00:32,009
If that happens, it could be vulnerable to XXE, or XML entity injection.

8
00:00:32,670 --> 00:00:37,170
Let's take a look at the example of this vulnerability on our Web application.

9
00:00:38,080 --> 00:00:45,570
So let's go to Choose Your Bug, scroll a little bit down till A7, and all the way down we have XML

10
00:00:45,580 --> 00:00:52,660
internal entity attacks, or in brackets XXE, selected, and click on Hack.

11
00:00:53,690 --> 00:00:59,160
This is a very simple application; there is no user input here.

12
00:00:59,210 --> 00:01:03,230
All we have is this "reset your secret" and the "Any bugs?" button.

13
00:01:04,040 --> 00:01:07,700
So this is a button; let's see what happens once we click it.

14
00:01:10,130 --> 00:01:21,200
Hmm, it appears that nothing really happens. Let's try intercepting this request inside of our Burp Suite

15
00:01:21,230 --> 00:01:25,970
up here, turn on the intercept, and let's click on "Any bugs?".

16
00:01:27,470 --> 00:01:35,570
We get this request, and if we take a look down here, we have the application processing some inputs

17
00:01:35,570 --> 00:01:44,480
in XML format. And remember what that means: if it also processes the external entities that we are

18
00:01:44,480 --> 00:01:45,830
going to inject.

19
00:01:46,220 --> 00:01:48,280
It could be vulnerable to XXE.

20
00:01:49,500 --> 00:01:56,370
But before we actually get to injecting anything, let's first send this request to the repeater.

21
00:01:57,550 --> 00:02:00,660
Let's go to Action and Send to Repeater.

22
00:02:01,360 --> 00:02:04,390
We can turn off the intercept and navigate to the repeater.

23
00:02:05,390 --> 00:02:12,710
If we take a closer look, we're going to notice that this request is sending XML structure with our

24
00:02:12,740 --> 00:02:13,550
user name.

25
00:02:13,580 --> 00:02:18,700
So this is our account on the bWAPP application, and with a secret.

26
00:02:19,250 --> 00:02:24,500
So let's try injecting a simple payload to see whether this is vulnerable to XXE.

27
00:02:25,250 --> 00:02:29,240
And the payload that we are going to inject will be this one.

28
00:02:30,170 --> 00:02:36,750
I'm just going to type in the payload real quick, and then we are going to copy it.

29
00:02:37,310 --> 00:02:40,460
So this will be our payload: DOCTYPE

30
00:02:42,380 --> 00:02:50,170
test, let's call it test, then we open square brackets and we create our own entity like this with

31
00:02:50,210 --> 00:02:58,720
the keyword ENTITY in capitals, let's call the entity internal-entity, and let's give it a value:

32
00:02:58,850 --> 00:02:59,300
boss.

33
00:03:00,870 --> 00:03:08,220
So close off all of the tags, and this will be our payload. So essentially what we're doing right here

34
00:03:08,220 --> 00:03:14,820
is we're creating an entity called internal-entity, which will have the value boss, and boss will be

35
00:03:14,820 --> 00:03:19,070
a new user that we're going to try to switch to inside of our request.

36
00:03:20,020 --> 00:03:22,770
Now, how are we going to know whether this works?

37
00:03:23,130 --> 00:03:27,510
Well, if we go to our Burp Suite and we send this simple request,

38
00:03:28,680 --> 00:03:37,170
In the response to this request we get this sentence right here; it says: bee's secret has been reset.

39
00:03:38,090 --> 00:03:45,740
If our payload gets processed inside of this request, then here it will say: boss's secret has been

40
00:03:45,740 --> 00:03:46,250
reset.

41
00:03:46,890 --> 00:03:47,890
Let's give it a try.

42
00:03:48,710 --> 00:03:51,320
Let's go and copy our payload.

43
00:03:54,880 --> 00:04:03,190
Let's put it up here right above the XML code that they have, so let's paste it right here.

44
00:04:03,610 --> 00:04:05,830
And this is not the only thing that we must do.

45
00:04:06,130 --> 00:04:10,850
We must also change this part right here, since we want to change the user.

46
00:04:10,870 --> 00:04:14,200
We also want to specify which user we want right here.

47
00:04:14,800 --> 00:04:19,010
And the user that we want is stored in this internal entity.

48
00:04:19,510 --> 00:04:22,570
All we have to do is specify it right here.

49
00:04:25,070 --> 00:04:33,330
To do that, we use this sign and then we specify the name of our entity, or in our case, internal-dash-

50
00:04:33,350 --> 00:04:39,650
entity, and a semicolon at the end. Once we send this,

51
00:04:41,410 --> 00:04:48,700
Here it is, we get: boss's secret has been reset. It's no longer the user bee.

52
00:04:49,860 --> 00:04:57,480
In this payload that we created, this internal-entity that has the value boss is used within the login

53
00:04:57,480 --> 00:05:00,900
structure, and it got reflected right here in the response.

54
00:05:01,890 --> 00:05:08,320
This means that everything we load through this entity, the server will process and reflect.

55
00:05:09,000 --> 00:05:12,170
So let's try with an even more dangerous payload.

56
00:05:12,300 --> 00:05:16,620
Let's try to fetch the content of /etc/passwd.

57
00:05:17,220 --> 00:05:21,810
We can do that by typing this command, or this payload: DOCTYPE.

58
00:05:22,820 --> 00:05:26,300
Let's call it test, and open square brackets.

59
00:05:26,330 --> 00:05:28,340
We want to create an entity once again.

60
00:05:29,360 --> 00:05:35,240
And we can call it anything we want, we can call it XXE if we want, or we can just stick with internal-

61
00:05:35,240 --> 00:05:35,790
entity.

62
00:05:36,230 --> 00:05:38,660
This is pretty much your choice, what you're going to call it.

63
00:05:38,900 --> 00:05:44,900
And now we're going to use a parameter called SYSTEM; make sure to type it in capitals.

64
00:05:44,900 --> 00:05:52,670
Capital SYSTEM, which will take the value between the double quotes: file, colon, three slashes,

65
00:05:52,670 --> 00:05:55,370
and then etc/passwd.

66
00:05:55,790 --> 00:05:58,530
This is the file that we want to get the contents from.

67
00:05:59,090 --> 00:06:06,920
Let's not forget to close off our tags like this, and this will be our payload for the XXE.

68
00:06:07,670 --> 00:06:09,830
We are using this SYSTEM parameter.

69
00:06:10,250 --> 00:06:14,530
We define it in order to get our external entity to load the file.

70
00:06:15,170 --> 00:06:18,980
In our case, the file that we're loading is /etc/passwd.

71
00:06:20,340 --> 00:06:27,600
If this works correctly, once we load it, the server should show the content of this file in response

72
00:06:27,600 --> 00:06:28,500
to our request.

73
00:06:28,860 --> 00:06:29,940
Let's copy this.

74
00:06:33,090 --> 00:06:37,200
Go back to our Burp Suite, let's delete this.

75
00:06:38,740 --> 00:06:45,370
Paste our new payload, and since we called it once again internal-entity, there is nothing really

76
00:06:45,370 --> 00:06:46,420
to change right here.

77
00:06:46,420 --> 00:06:48,870
We can leave it to be internal-entity.

78
00:06:49,060 --> 00:06:54,850
But if you were to call it differently in your payload, make sure you switch the name right here as

79
00:06:54,850 --> 00:06:55,110
well.

80
00:06:56,350 --> 00:06:58,150
Alright, let's send this.

81
00:06:59,430 --> 00:07:10,080
And here it is, we get the output of the /etc/passwd file on the target system, and this is the XXE

82
00:07:10,080 --> 00:07:10,820
vulnerability.

83
00:07:11,670 --> 00:07:15,970
Now that we covered that, we're going to take a look at a different type of vulnerability in the next

84
00:07:15,970 --> 00:07:19,860
lecture, which is called Components with Known Vulnerabilities.

85
00:07:20,760 --> 00:07:21,330
See you there.