HTTP External Entity References


Justin Angel

Oct 21, 2016, 2:03:35 PM
to nokogiri-talk
Hello all,

I am a security researcher and penetration tester investigating an XML entity injection vulnerability derived from an authorized penetration test. As a Ruby guy, I am exploring exploitation techniques using Nokogiri.

My problem is that I can't seem to dereference external entities using the HTTP protocol.

I'm fairly certain that the appropriate options are set with ParseOptions. I'll leave an inspection of the object along with the stack trace below. The script producing this error has been attached as well.

ParseOptions inspection:

#<Nokogiri::XML::ParseOptions:0x000000015f02c0 @options=30 strict, noent, dtdload, dtdattr, dtdvalid>

Trace:

/usr/lib/ruby/vendor_ruby/nokogiri/xml/document.rb:61:in `read_memory': Entity 'pth' not defined (Nokogiri::XML::SyntaxError)
    from /usr/lib/ruby/vendor_ruby/nokogiri/xml/document.rb:61:in `parse'
    from /usr/lib/ruby/vendor_ruby/nokogiri/xml.rb:34:in `XML'
    from /home/archangel/Desktop/xml.rb:35:in `<main>'

Any help would be greatly appreciated!
xxe.rb

Mike Dalessio

Oct 21, 2016, 2:43:53 PM
to nokogiri-talk
Hi,

Thanks for asking this question. There are a bunch of options you're setting, and they're combining in a nonobvious way here.

Notably, you're using `strict`, which tells Nokogiri to raise an exception when a syntax error is encountered, rather than continuing parsing and logging it in the `#errors` attribute.

If you don't set `strict` (or, equivalently, set `recover`) you'll actually see the following errors:

```
puts doc.errors
# => Attempt to load network entity http://127.0.0.1/test?&passwd;
#    Failure to process entity pth0
#    Entity 'pth0' not defined
```

which actually tells you what's going on when you set the other options -- it's trying and failing to resolve a network URI.

Make sense so far?

OK, so the default behavior for Nokogiri (probably for exactly the reasons you're investigating) is to NOT allow network connections. If you want to make an outbound connection, you'll have to set `nononet`. I'm able to hit a local system network URI if I set that option.

Make sense?


--
You received this message because you are subscribed to the Google Groups "nokogiri-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nokogiri-talk+unsubscribe@googlegroups.com.
To post to this group, send email to nokogi...@googlegroups.com.
Visit this group at https://groups.google.com/group/nokogiri-talk.
For more options, visit https://groups.google.com/d/optout.
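
The interplay Mike describes (`strict` vs `recover`, `noent`/`dtdload` enabling entity resolution, and `nonet` being the default guard) comes down to bits in `ParseOptions`. The following is an added example, not code from this thread or from Nokogiri itself; it decodes a `ParseOptions` bitmask such as the `@options=30` shown above into the names `#inspect` prints and lists the settings a reviewer would flag. It assumes the flag values mirror libxml2's `xmlParserOption` constants as Nokogiri exposed them at the time (newer releases add flags but keep these bits), and that the XML default was `RECOVER | NONET`.

```ruby
# Added example: decode a Nokogiri::XML::ParseOptions bitmask and flag the
# settings that matter for XXE exposure. Values mirror libxml2's
# xmlParserOption constants as exposed by Nokogiri (assumption: 2016-era
# values; later releases add more flags but keep these bits).
PARSE_FLAGS = {
  recover:    1,       # keep parsing on errors; absent => "strict"
  noent:      2,       # substitute entities, including external ones
  dtdload:    4,       # load the external DTD subset
  dtdattr:    8,       # apply default attribute values from the DTD
  dtdvalid:   16,      # validate against the DTD
  noerror:    32,
  nowarning:  64,
  pedantic:   128,
  noblanks:   256,
  sax1:       512,
  xinclude:   1024,    # process XInclude, another fetch vector
  nonet:      2048,    # forbid network access while parsing (Nokogiri default)
  nocdata:    4096,
  noxincnode: 8192,
  compact:    65_536,
  old10:      131_072,
  nobasefix:  262_144,
  huge:       524_288,
}.freeze

# Assumption: Nokogiri's DEFAULT_XML of that era was RECOVER | NONET (2049).
DEFAULT_XML = PARSE_FLAGS[:recover] | PARSE_FLAGS[:nonet]

# Names in the order Nokogiri's #inspect prints them: "strict" or "recover" first.
def decode_parse_options(mask)
  names = [(mask & PARSE_FLAGS[:recover]).zero? ? "strict" : "recover"]
  PARSE_FLAGS.each { |name, bit| names << name.to_s if bit != 1 && (mask & bit) != 0 }
  names
end

# Findings a reviewer would raise for a parser configured with `mask`.
def assess_parse_options(mask)
  set = ->(name) { (mask & PARSE_FLAGS[name]) != 0 }
  findings = []
  findings << "noent: external entities are substituted (file:// still resolves under nonet)" if set[:noent]
  findings << "dtdload: external DTD subset is fetched" if set[:dtdload]
  findings << "xinclude: XInclude can pull in other documents" if set[:xinclude]
  findings << "nonet missing: the parser may open network connections" unless set[:nonet]
  findings
end

if __FILE__ == $PROGRAM_NAME
  [30, DEFAULT_XML].each do |mask|
    puts "options=#{mask}: #{decode_parse_options(mask).join(', ')}"
    assess_parse_options(mask).each { |f| puts "  ! #{f}" }
  end
end
```

Run against 30 it reproduces the thread's `strict, noent, dtdload, dtdattr, dtdvalid` and reports three findings; the default mask reports none.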

Justin Angel

Mar 21, 2017, 11:38:30 AM
to nokogiri-talk
Hi Mike,

Apologies for my late response. I didn't realize that I had email alerts disabled until just a moment ago, only seven months behind! Your direction helped me to resolve the problem.