XXE Attacks

What is XML

XML => Extensible markup language

  • It is used for storing and transporting data between the client (for example the browser) and the server.

  • Like HTML, XML uses a tree-like structure of tags and data, but XML does not use predefined tags: the author of the document defines their own.

What are XML entities

XML entities are a way of representing an item of data within an XML document, instead of using the data itself.

For example: the predefined entities &lt; and &gt; represent the characters < and > respectively, since a literal < would otherwise start a tag.

What is a DTD

The Document Type Definition (DTD) contains the declarations that define the structure of an XML document, the types of data values it can contain, and other items such as entities.

  • The DTD is declared within the DOCTYPE declaration at the start of the XML document.

XML allows custom entities to be defined within the DTD. For example:

<!DOCTYPE d0p [ <!ENTITY myentity "my entity value"> ]>

This means that any use of the entity reference &myentity; within the XML document is replaced by the value my entity value.

External Entities

XML external entities are a type of custom entity whose definition is located outside the DTD where they are declared.

The declaration uses the SYSTEM keyword and must specify a URL from which the value of the entity is loaded:

<!DOCTYPE d0p [<!ENTITY ext SYSTEM "https://d0pt3x.gitbook.io"> ]>

The URL can also use the file:// scheme, so that the entity value is loaded from a file on the server's filesystem:

<!DOCTYPE d0p [<!ENTITY ext SYSTEM "file:///etc/passwd"> ]>

Now what is an XXE Injection

XXE => XML external entity injection

  • It is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data.

  • It often allows an attacker to view files on the application server's filesystem, and to interact with back-end or external systems that the application itself can reach.

In some situations an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform SSRF attacks.

How do they arise

  • Some applications use the XML format to exchange data between the browser and the server.

  • Such applications use a standard library or platform API to process the XML data on the server.

XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features EVEN THOUGH THEY ARE NOT NORMALLY USED BY THE APPLICATION.
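The file:// entity from the External Entities section and the point above (the parser honours the feature whether or not the application needs it) can be shown in one short program. This is an added example, not code from the original page: it uses Python's standard-library xml.sax parser, whose external-entity resolution is controlled by the feature_external_ges flag, so the same payload is parsed once with that flag on (vulnerable) and once with it off, and a third time with a lexical handler that refuses any DOCTYPE at all. The stockCheck/productId document shape, the function names, and the passwd-like file content are my assumptions, constructed so that the demo runs offline.

```python
"""Added example (not from the original page): XXE file retrieval with
Python's standard-library xml.sax parser, vulnerable and hardened side by side.

Assumptions (mine, not the page's): the application reads a <productId>
value out of a <stockCheck> document and echoes it back; the "sensitive file"
is a constructed passwd-like file written to a temporary directory.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
import xml.sax.handler

# Constructed sample file content standing in for /etc/passwd.
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"


def write_constructed_secret() -> str:
    """Write the constructed secret to a temp file and return its absolute path."""
    directory = tempfile.mkdtemp(prefix="xxe-demo-")
    path = os.path.join(directory, "secret.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SECRET_CONTENT)
    return path


def build_file_xxe_payload(path: str) -> bytes:
    """Build the classic file-retrieval payload: an external entity whose SYSTEM
    URL is a file:// URL, referenced inside the element the application echoes."""
    file_url = pathlib.Path(path).resolve().as_uri()  # e.g. file:///tmp/.../secret.txt
    payload = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE stockCheck [<!ENTITY ext SYSTEM "{file_url}">]>\n'
        "<stockCheck><productId>&ext;</productId></stockCheck>\n"
    )
    return payload.encode("utf-8")


class ProductIdCollector(xml.sax.ContentHandler):
    """Collect the character data inside <productId>, as the application would."""

    def __init__(self):
        super().__init__()
        self.inside = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "productId":
            self.inside = True

    def endElement(self, name):
        if name == "productId":
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.parts.append(content)


class DoctypeRejecter:
    """SAX lexical handler that aborts as soon as a DOCTYPE is seen.
    Refusing the DTD outright removes every entity-based attack at once."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE '{name}' rejected: DTDs are not accepted")

    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def parse_product_id(xml_bytes: bytes, resolve_external_entities: bool = False,
                     reject_doctype: bool = False) -> str:
    """Parse the document and return the productId text.

    resolve_external_entities=True is the vulnerable configuration: the parser
    follows SYSTEM URLs and substitutes their content for &ext;.  With it off
    (xml.sax's own default since Python 3.7.1) the reference expands to nothing.
    reject_doctype=True goes further and raises on any DOCTYPE at all.
    """
    handler = ProductIdCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    if reject_doctype:
        parser.setProperty(xml.sax.handler.property_lexical_handler, DoctypeRejecter())
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def run_demo(path: str) -> dict:
    """Run the same payload through the three parser configurations."""
    payload = build_file_xxe_payload(path)
    results = {
        "vulnerable": parse_product_id(payload, resolve_external_entities=True),
        "entities_disabled": parse_product_id(payload),
    }
    try:
        parse_product_id(payload, reject_doctype=True)
        results["doctype_rejected"] = False
    except ValueError:
        results["doctype_rejected"] = True
    return results


if __name__ == "__main__":
    secret_path = write_constructed_secret()
    for mode, value in run_demo(secret_path).items():
        print(f"{mode}: {value!r}")
```

The vulnerable run returns the file's contents in place of &ext;, which is exactly what the application would then echo to the attacker; the second run shows that the fix is a parser setting, not a change to the application's XML handling. Rejecting the DOCTYPE is the stronger option when the application never needs a DTD, because it also blocks parameter-entity tricks that disabling general entities alone does not cover.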

Note

XML external entities are custom entities whose values are loaded from outside the DTD in which they are declared.

  • This is dangerous from a security perspective, because the parser will fetch content from whatever URL the entity names, or read a file from a given path, and substitute it into the document.

Types of XXE Attacks

  1. Exploiting XXE to retrieve files

Where an external entity is defined containing the contents of a file, and returned in the application's response.

  2. Exploiting XXE to perform SSRF attacks

Where an external entity is defined based on a URL to a back-end system.

  3. Exploiting blind XXE to exfiltrate data out-of-band

Where sensitive data is transmitted from the application server to a system that the attacker controls.

  4. Exploiting blind XXE to retrieve data via error messages

Where the attacker can trigger a parsing error message containing sensitive data.
