XXE
Last updated
Last updated
XML External Entities (XXE) is used to attack systems that parse XML input via file upload or other ways. The modified XML file would abuse SYSTEM entity and can be used to attack a Web application. Attacks include denial of service, local file disclosure, remote code execution, and more.
Extensive Markup Language (XML) is a language designed for desktop publishing, and now widely ued for data exchange. It is a markup language similar to HTML and derived from SGML which was based on IBM's GML back from 1960s. XML is typically used instead of HTML when data must be sent from one application to another (Data Interchange)
XXE flaws allow injection attacks. XML by default supports "external entities". Abuse of XXE flaw allows malicious profile to turn XML parser into a proxy, potentially serving local and remote content. (External entities vuln are similar to LFI/RFI). This can lead to RCE.
XXE Attack Type
Description
Exploiting XXE to Retrieve Files
Where an external entity is defined containing the contents of a file, and returned in the application's response.
Exploiting XXE to Perform SSRF Attacks
Where an external entity is defined based on a URL to a back-end system.
Exploiting Blind XXE Exfiltrate Data Out-of-Band
Where sensitive data is transmitted from the application server to a system that the attacker controls.
Exploiting blind XXE to Retrieve Data Via Error Messages
Where the attacker can trigger a parsing error message containing sensitive data.
SSRF is related to CSRF. CSRF: Forged request originating from a client. SSRF: Forged request originating from a server
Having access to server side scripts. Below is the vulnerable server side php script that is working on /book.php site, which if you look at HTML source you will not find the code.
Because above php page, has XML entry for author, title, and publish_date.
PoC 1- Testing payload (xxe.xml)
PoC 2 (LFI) - Display Local File (xxe2.xml)
PoC 3 (RFI) - Access URL (xxe3.xml)
PoC 4 (RCE) - Remote Code Execution via php (xxe4.xml)
Sample payload
Good Resource for payloads: https://github.com/payloadbox/xxe-injection-payload-list
OWASP XML Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
OWASP's XML External Entity (XXE) Processing: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
Blind XXE: https://portswigger.net/web-security/xxe/blind
Exploiting XXE with local DTD files: https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
From blind XXE to root-level file read acces: https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/