nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 XXE occurs when the XML parsing library evaluates external entities, often allowing referencing files on the local FS, though it's bad even if it only resolves remote resources (think, AWS metadata endpoints).

https://gist.github.com/Eriner/2118b0ec479c57f980e39d3763195266

In the XML above (sorry for gist, foiled by CF WAF), the external entity reads /etc/passwd and returns it in the response, replacing the evaluation with &xxe.

Discussion

nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 Exploitation is trickier if the response is blind, but sometimes still possible, dunno if that is the case here or not, but I assume it's not blind. But even if you can't read local files, SSRF via XXE is still dangerous (think, AWS metadata endpoints rather than file:/// URIs).
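
Added example, not from the thread or the linked gist: a Python pre-parse check that reports DOCTYPE and entity declarations without resolving anything, and refuses such documents before they reach the application's parser. It covers both cases the thread mentions (a `file:` target and an HTTP metadata endpoint); the function names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat
from urllib.parse import urlsplit


def audit_xml(data: bytes) -> list:
    """Return (kind, name, target) findings for DTD and entity declarations.

    Nothing is fetched: no ExternalEntityRefHandler is installed, so expat
    only reports the declarations and skips references to external entities.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is None:
            findings.append(("internal-entity", name, None))
        else:
            # file: would read the local filesystem; http(s): would make the
            # parsing host issue a request (SSRF, e.g. a metadata service).
            scheme = urlsplit(system_id).scheme or "relative"
            findings.append((f"external-entity:{scheme}", name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)
    return findings


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse only documents that declare no DTD and no entities."""
    findings = audit_xml(data)
    if findings:
        raise ValueError(f"rejected XML: {findings}")
    return ET.fromstring(data)


# Constructed sample documents (not the content of the linked gist).
BENIGN = b"<order><id>42</id></order>"
LOCAL_FILE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM '
              b'"file:///etc/passwd">]><r>&xxe;</r>')
METADATA = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM '
            b'"http://169.254.169.254/latest/meta-data/">]><r>&xxe;</r>')
```

Rejecting every DOCTYPE is stricter than disabling external entity resolution alone, which suits services that never need DTDs in incoming XML.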