XXE(XML External Entity)Injection

Before we dive into the topic of XXE Injection, let us first understand the concept of
XML.

XML (Extensible Markup Language) is a markup language used to store and transport
data in a structured format. It provides a way to define custom tags that describe the
data, making it easy to exchange data between different systems.

In XML, data is stored in elements, which are enclosed in tags. Each element can have
attributes that provide additional information about the element.

Here is an example of an XML document that stores information about a book:

<?xml version="1.0" encoding="UTF-8"?>

<bookstore>

<book category="programming">

<title>Java Programming</title>

<author>John Doe</author>

<year>2021</year>

</book>
<book category="web development">

<title>HTML & CSS Basics</title>

<author>Jane Smith</author>

<year>2020</year>

</book>

</bookstore>

In this example, the XML document defines a bookstore that contains two books. Each
book is represented as an XML element that contains sub-elements for the book's title,
author, and year of publication. The category attribute provides additional information
about the book's category.

What is XXE Injection?

XXE (XML External Entity) Injection is a type of vulnerability that occurs when an
attacker injects a malicious XML file into an application that processes XML input.
This can allow the attacker to read sensitive information, execute remote code, or
perform a denial-of-service attack.

The vulnerability arises when the application accepts XML input from an untrusted
source and then includes it in a server-side XML document without proper validation.
Attackers can craft malicious XML payloads containing references to external entities
that the server resolves when processing the XML document.

XML requires a parser, which is typically where vulnerabilities occur. XXE enables an
entity to be defined based on the content of a file path or URL. When the XML attack
payload is read by the server, the external entity is parsed, merged into the final
document, and returned to the user with the sensitive data inside.
XXE attacks can result in port scanning within the internal network, server-side request
forgery (SSRF), data exfiltration, use of an organization’s servers to perform denial of
service (DoS), and more

For example, consider a web application that allows users to upload and view XML
files. An attacker can upload a malicious XML file that contains an external entity
reference to a file on the server's file system. When the server processes the XML file,
it will try to resolve the external entity, which can result in the disclosure of sensitive
information such as passwords, or execute arbitrary code on the server.

Here is an example of a malicious XML payload that could be used in an XXE attack:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE root [

<!ELEMENT root ANY>

<!ENTITY xxe SYSTEM "file:///etc/passwd">

]>

<root>&xxe;</root>

In this example, the payload defines an external entity "xxe" that references the file
"/etc/passwd" on the server's file system. When the server processes the XML
document, it resolves the entity reference and includes the contents of the file in the
server's response. This can result in the attacker obtaining sensitive information such
as user credentials.
Types of XXE Attacks

1. Billion Laughs Attack

This type of attack uses a maliciously constructed XML document that contains
nested entity references to cause a buffer overflow and denial of service attack.

Consider a web application that accepts XML input and outputs the result. A
request would look like this:

POST http://example.com/xml HTTP/1.1

<mytype>

Request Hello and welcome to my website!

</mytype>

HTTP/1.0 200 OK

Response

Hello and welcome to my website!

XML documents can have a specific type, which can be defined using two
standards – XSD and DTD. XML documents defined using a DTD are vulnerable to
XXE attacks.

See the following example, which uses a DTD called mytype. This DTD defines an
XML entity called name. When this element is called in the HTML output, the XML
parser reads the DTD and replaces it with a value.
 POST http://example.com/xml HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE mytype [

<!ELEMENT mytype ANY>

Request <!ENTITY name "John">

]>

<mytype>

Hello &name; and welcome to my website!

</mytype>

HTTP/1.0 200 OK

Response
Hello John and welcome to my website!

Now let’s see how an attacker can carry the so-called “billion laughs attack”. If the
XML parser does not limit the amount of memory it can use, this attack uses a
recursive technique to overload its memory.

POST http://example.com/xml HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?>

Request <!DOCTYPE mytype [

 <!ELEMENT mytype ANY> <!ENTITY name "John "> <!ENTITY
name2 "&name;&name;">

<!ENTITY name3 "&name2;&name2;&name2;&name2;">

<!ENTITY name4 "&name3;&name3;&name3;&name3;">]>

<foo>

Hello &t3;

</foo>
HTTP/1.0 200 OK

Hello John John John John John John John John John John John
John John John John John John John John John John John John
Response
John John John John John John John John John John John John
John John John John John John John John

In essence, this is a type of denial of service (DoS) attack that can deny access to
an application relying on an XML parser.

2. XXE SSRF Attack

This type of attack allows an attacker to send requests to internal network

resources from the context of the target system, potentially allowing access to
sensitive information or functionality.

POST http://example.com/xml HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?>

Request <!DOCTYPE mytype [

<!ELEMENT mytype ANY>

 <!ENTITY malicious SYSTEM "file:///etc/hosts">

]>

<foo>

&xxe;

</foo>`
HTTP/1.0 200 OK

IPAddress Hostname Alias

Response 127.0.0.1 localhost web.mydomain.com

208.164.186.1 web.mydomain.com web

208.164.186.2 mail.openna.com mail

(...)

This attack can be extended to gain access to other files on the server, beyond
system files. Some XML parsers make it possible to retrieve directory listings and
use them to find other sensitive data on the machine.

3. XXE Exploit to Retrieve Files

An XXE attack can retrieve an arbitrary file from the target server’s filesystem by
modifying the submitted XML. The attacker introduces a DOCTYPE element
defining an external entity that contains a path to the file. The attacker then edits
the XML data value in the response.

4. Blind XXE Exploit to Exfiltrate Data

XXE vulnerabilities are often blind, meaning that the application doesn’t return any
values of external entities. Attackers cannot directly retrieve server-side files but
can still detect and exploit blind XXE vulnerabilities with advanced methods like
 out-of-band data exfiltration or triggering an XML parsing error to
disclose sensitive information.

5. Blind XXE Vulnerability

A blind XXE vulnerability means that the application does process external XML
entities in an insecure way, but does not return those entities in its responses. This
means attackers will need to use advanced techniques to detect the vulnerability
and exploit it.

Attackers can still exfiltrate data using blind XXE, for example by causing the server
to connect to a URL controlled by the attacker.

Impact of XXE Vulnerability

The impact of XXE vulnerability can be severe and may include:

1. Information Disclosure:

Attackers can exploit XXE vulnerabilities to disclose sensitive data such as

passwords, credit card details, and other personally identifiable information.

2. Denial of Service:

Attackers can send malicious XML documents containing an excessive number

of entities, causing the server to consume a significant amount of resources and
eventually crashing the system.

3. Remote Code Execution:

Attackers can inject malicious code into an XML document, which can be
executed by the server, leading to complete control over the affected system.
 4. Server-Side Request Forgery:

Attackers can use the XXE vulnerability to send requests to internal systems that
are not directly accessible from the Internet, bypassing firewalls and other
security measures.

5. System Compromise:

XXE vulnerabilities can be used as a stepping stone for attackers to gain access
to other systems and escalate their privileges, leading to a complete
compromise of the affected system.

How to Prevent XXE Vulnerabilities:

Here are some ways to prevent XXE vulnerabilities:

 Input validation: Filter user input to ensure that it does not contain any XML or
other markup language that may be used to inject external entities into a server-side
XML document.
 Disable XML external entity and DTD processing: By default, many XML parsers
will process external entities and DTDs. Disabling this feature can prevent XXE
attacks.
 Use a secure XML parser: Choose an XML parser that is actively maintained and
has a track record of security.
 Use whitelisting: Rather than attempting to filter out malicious input, only allow
known-safe input.
 Use parameterized queries: When communicating with a back-end database, use
parameterized queries to prevent SQL injection attacks, which can be used in
conjunction with XXE attacks.
 Keep software up to date: Patches and updates often include security fixes, so
keeping software up to date can help prevent XXE vulnerabilities.
 Limit file system access: Minimize the access that the server has to the file system,
and avoid using file names or paths that can be specified by users.
REFERENCE

https://portswigger.net/web-security/xxe

https://www.hackerone.com/knowledge-center/xxe-complete-guide-impact-
examples-and-prevention

https://brightsec.com/blog/xxe-attack/#types_xxe_attacks

https://www.imperva.com/learn/application-security/xxe-xml-external-entity/

https://www.invicti.com/learn/xml-external-entity-xxe/

https://www.cobalt.io/blog/how-to-execute-an-xml-external-entity-injection-xxe

https://brightsec.com/blog/xxe-vulnerability/#attack_types