Add content from: CVE-2025-27136 – LocalS3 CreateBucketConfiguration XXE Injec...

This commit is contained in:
HackTricks News Bot 2025-07-25 18:32:48 +00:00
parent d753b3ed2f
commit eb270d7e87


@ -832,8 +832,45 @@ Error : failed to load external entity "file:///aaa/FLAG{secret}"
* Disable `load_dtd` and/or `resolve_entities` unless absolutely required.
* Avoid returning raw parser errors to the client.
### Java DocumentBuilderFactory hardening example
Java applications frequently parse XML using `DocumentBuilderFactory`. By default the factory **allows external entity resolution**, making it vulnerable to XXE and SSRF if no additional hardening flags are set:
```java
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = dbf.newDocumentBuilder(); // XXE-prone
```
Secure configuration example:
```java
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Completely forbid any DOCTYPE declarations (best-effort defence)
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Disable expansion of external entities
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Enable "secure processing" which applies additional limits
dbf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
// Defensive extras
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
DocumentBuilder builder = dbf.newDocumentBuilder();
```
If the application must support DTDs internally, keep `disallow-doctype-decl` disabled but **always** leave the two `external-*-entities` features set to `false`. The combination prevents classical file-disclosure payloads (`file:///etc/passwd`) as well as network-based SSRF vectors (`http://169.254.169.254/…`, `jar:` protocol, etc.).
Real-world case study: **CVE-2025-27136** in the Java S3 emulator *LocalS3* used the vulnerable constructor shown above. An unauthenticated attacker could supply a crafted XML body to the `CreateBucketConfiguration` endpoint and have the server embed local files (for example `/etc/passwd`) in the HTTP response.
## References
- [OffSec Blog CVE-2025-27136 LocalS3 XXE](https://www.offsec.com/blog/cve-2025-27136/)
- [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf)
- [https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html](https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html)
- Extract info via HTTP using own external DTD: [https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/](https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/)
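Review bot: The secure configuration block (the second ```java fence, `dbf.setFeature(...)` lines) should show how to handle the checked `ParserConfigurationException` that every `setFeature` call can throw, because that is exactly the case where a hardening flag is silently unsupported by the underlying parser; the example should fail closed rather than be pasted into a method that swallows the exception. Suggested shape: wrap the `setFeature` calls in a `try { ... } catch (ParserConfigurationException e) { throw new IllegalStateException("XML parser cannot be hardened", e); }` so an unsupported feature aborts parser creation. As a smaller point, the JAXP 1.5 attributes `dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` and `dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")` are worth listing alongside the SAX features, since they cover the DTD and schema network access paths independently of which parser implementation is on the classpath. The `### Java DocumentBuilderFactory hardening example` heading also arrives with no blank line after the preceding bullet list, so some markdown renderers will fold it into the list.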