XHunter: Understanding XXE Vulnerability via Automatic Analysis

Conference paper. First Online: (date not given on this page)
Security and Privacy in Communication Networks (SecureComm 2021)

Abstract

XML External Entity (XXE) vulnerability is a severe cybersecurity threat. OWASP listed the 10 most serious web application security risks, and XXE ranked fourth. This vulnerability can lead to sensitive information leakage, DoS attacks, and intranet asset discovery. Little attention has been given to this problem, and manual work is still needed to detect these vulnerabilities. Here, we design a penetration test framework, XHunter, to discover and exploit XXE vulnerabilities automatically. XHunter can find the call chain that triggers a vulnerability and determine the scope of the vulnerability's impact. Specifically, our work addresses many challenges in the analysis of modern web applications, such as object-oriented structures. In addition to detecting vulnerable sinks, we find the exploit path automatically. We give each vulnerability a risk rating based on the potential impact of the exploits. In this paper, we analyze 22 real-world web frameworks and find 8 unreported vulnerabilities, 2 of which have obtained CVE IDs.

Acknowledgements

We would like to thank the anonymous reviewers for their valuable comments and helpful suggestions.

Author information

Corresponding author: Wei Xie

Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Cite this paper

Wang, Z., Xie, W., Tao, J., Tang, Y., Wang, E. (2021). XHunter: Understanding XXE Vulnerability via Automatic Analysis. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 399. Springer, Cham. https://doi.org/10.1007/978-3-030-90022-9_2

  • DOI: https://doi.org/10.1007/978-3-030-90022-9_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90021-2

  • Online ISBN: 978-3-030-90022-9
