From eb270d7e870b7f43f0b619d586534ce59a761c50 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 25 Jul 2025 18:32:48 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20CVE-2025-27136=20?= =?UTF-8?q?=E2=80=93=20LocalS3=20CreateBucketConfiguration=20XXE=20Injec..?= =?UTF-8?q?.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../xxe-xee-xml-external-entity.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/src/pentesting-web/xxe-xee-xml-external-entity.md b/src/pentesting-web/xxe-xee-xml-external-entity.md index 12cbbe708..3cf80f0fb 100644 --- a/src/pentesting-web/xxe-xee-xml-external-entity.md +++ b/src/pentesting-web/xxe-xee-xml-external-entity.md 
@@ -832,8 +832,45 @@ Error : failed to load external entity "file:///aaa/FLAG{secret}" * Disable `load_dtd` and/or `resolve_entities` unless absolutely required. * Avoid returning raw parser errors to the client. +### Java DocumentBuilderFactory hardening example + +Java applications frequently parse XML using `DocumentBuilderFactory`. By default the factory **allows external entity resolution**, making it vulnerable to XXE and SSRF if no additional hardening flags are set: + +```java +DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); +DocumentBuilder builder = dbf.newDocumentBuilder(); // XXE-prone +``` + +Secure configuration example: + +```java +DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + +// Completely forbid any DOCTYPE declarations (best-effort defence) +dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + +// Disable expansion of external entities +dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); +dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + +// Enable "secure processing" which applies additional limits +dbf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true); + +// Defensive extras +dbf.setXIncludeAware(false); +dbf.setExpandEntityReferences(false); + +DocumentBuilder builder = dbf.newDocumentBuilder(); +``` + +If the application must support DTDs internally, keep `disallow-doctype-decl` disabled but **always** leave the two `external-*-entities` features set to `false`. The combination prevents classical file-disclosure payloads (`file:///etc/passwd`) as well as network-based SSRF vectors (`http://169.254.169.254/…`, `jar:` protocol, etc.). + +Real-world case study: **CVE-2025-27136** in the Java S3 emulator *LocalS3* used the vulnerable constructor shown above. 
An unauthenticated attacker could supply a crafted XML body to the `CreateBucketConfiguration` endpoint and have the server embed local files (for example `/etc/passwd`) in the HTTP response. + ## References +- [OffSec Blog – CVE-2025-27136 LocalS3 XXE](https://www.offsec.com/blog/cve-2025-27136/) + - [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf) - [https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html](https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html) - Extract info via HTTP using own external DTD: [https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/](https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/)
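Review bot: the "If the application must support DTDs internally" paragraph at the end of the hunk is incomplete: with `disallow-doctype-decl` left off, a `<!DOCTYPE x SYSTEM "...">` reference can still cause the parser to fetch an external DTD (an SSRF vector) even when both `external-*-entities` features are `false`, so that paragraph should also recommend `dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` and point out that keeping DTDs enabled still permits internal entity-expansion DoS (billion laughs), which is what `FEATURE_SECURE_PROCESSING` in the snippet mitigates. Two smaller points on the secure-configuration block: every `dbf.setFeature(...)` call throws a checked `ParserConfigurationException`, so the snippet needs a `throws` clause or try/catch to compile as shown, and the comment on `setExpandEntityReferences(false)` should make clear it is a convenience setting, not an XXE control on its own; the feature flags above it are the actual protection.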