XML External Entity (XXE) Attack

Hello Friends!

This is my 32nd blog on web application security penetration testing. In this blog I will explain about XXE Attack.

In my last blog, I have explained about Blind Cross Site Scripting. Hope everyone liked it. If you haven’t read it yet please follow along.

What is XML?

Modern forms represents data either in HTML, XML or XHTML forms. XML stands for extensive markup language which defines set of rules for encoding data in format that can be readable for both human and machine.

XML has some known advantages which makes it a universal and secure language. These advantages include the ability to store data independent of whether a system is software or hardware.

Another advantage of XML is its ability to present and make data available to devices such as smartphones and digital telephone booths because it is light weight in nature.

XML File Document Structure:

The Extensible Markup Language (XML) 1.0 fifth edition, which is a W3C recommendation, states each XML document has a physical and a logical structure.

  • Physical structure: The physical structure of the document is made up of storage units called entities. Each entity has a name, content and may refer to other entities to cause their inclusion in the document.
  • Logical structure: The logical structure of the document is made up of comments, elements, declaration and processing instruction.

XML File Declaration:

Mostly, if used, the first line of an XML file is the declaration. This identifies the document as being XML and allows it to be parsed by the processor — a software module used to read the XML document.

XML Declaration Syntax

The syntax is: <? xml version=”1.0″ encoding=” ISO-10646-UCS-4 ” standalone=”no” ?>

Version 1.0 fifth edition is W3C recommendation.

Understanding XML Declaration File Parts:

What Is a Document Type Declaration (DTD)?

The document type declaration immediately follows an XML declaration. It checks the validity of the structure of XML documents against some predefined rules of an XML language. It also provides the location of the DTD. The declaration is known as internal when the backbone of an XML document is declared within the XML files and external when the same backbone is declared outside the XML files

What is XXE Attack?

XML External Entity/XML Injection Attack:

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery from the perspective of the machine where the parser is located, and other system impacts.

Following piece of code access several sensitive files from server as well as Remote Code Execution from malicious domain.

How to Test for XXE?

● Attempt to inject XML or reserved characters into input parameters and observe if XML parsing errors are generated.

● For web services, check each input parameter specified in the WSDL document for those of type XML.

● Use intruder to inject xml payloads to fetch system configuration files

● If server allowing uploading xml file then you can upload xml file with xml payload and try to access this xml file to test XXE.

● Find the application endpoints (api’s, services which returns SOAP messages, etc.) where application parsing user supplied input into xml form using burp suit. If it is then modify xml body to access sensitive files from server.

https://hackerone.com/reports/248668 Best Reference

● In short, Notice all those URL’s which is interacting with third party API’s and services either through GET or POST request and returns data in SOAP/XML format. Modify XML DTD to access sensitive files from server or to perform remote code execution through malicious domain.

Below is the Step by Step POC for XXE Attack which leads to Local File Inclusion:

In the below request, I have included a payload to perform attack on the XML parser (webserver), and it reverts the content of hosts file.

Below request reverts the content of passwd file.

Impact:

· Accessing system files (LFI)

· Accessing malicious file from attacker domain(SSRF)

· disclosure of confidential data

· Denial of service attack.

· Port scanning from server which parses xml input data

Prevention:

Whenever possible, use less complex data formats such as JSON, and avoiding serialization of sensitive data.

Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.

Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet ‘XXE Prevention’.

Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.

Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.

Reference:

OWASP XML External Entity Prevention

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

I hope readers will like this blog. I have given explanation on all the basic concepts required to understand XXE attack.

Please do like and follow for more reads!

Thank!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store