XML External Entity Injection (XXE) – Part 1
This is the first post of our XXE series. In this post, we are going to know about XML External Entity Injection vulnerability.
What is XML?
XML is an abbreviation of “Extensible Markup Language”. It is a markup language like HTML(HyperText Markup Language), which is used to store and transport the data. It does not have any predefined tags, which means we have to define our tags to use them within our XML document. XML does not know how to display data, unlike HTML(HyperText Markup Language) which is responsible for displaying the data. It is just used to transport data from client to server.
What is DTD?
DTD stands for Document Type Definition. It simply defines the structure of an XML document, which types of data values it can contain, and other items. It is defined within a DOCTYPE element at the start of the document.
What is DTD What is XML Entity?
XML Entities are the method of representing an item of data within an XML document. For example, < and > represents the characters < and >. Mainly it is a shortcut method of representing characters. Entities can be two types Internal entities and External entities.
Syntax : <!ENTITY entity-name "entity-value">
What is XXE Injection attack?
XML External Entity injection is a web application vulnerability, that allows an attacker to modify the XML data which is transferring to a server from the client. By modifying the XML data attacker can view files on the application’s filesystem and can also interact with other backend services, as well as external services that the application has access to. This attack can also be further escalated to SSRF we will talk about it in our upcoming posts of this XXE series.
How does XXE arise?
Web applications that use XML to transport data between client and server, always use standard libraries or API to process the XML data on the server. XML has various dangerous features and the standard libraries support these features even if they are not used by the web application.
How does XXE arise?
1. User can input data.
2. Web applications use XML to transfer data to the server.
3. When receiving an XML input from a user, the XML parser parses and interprets external references in entities.
Types of XXE attack
1. Exploiting XXE to Retrieve Files
By exploiting this, an attacker can retrieve files from the server’s filesystem. To perform this type of XXE attack we need to modify the submitted XML as follows:
* Introduce or edit the DOCTYPE element. This new element contains the file path.
* To utilize the specified external entity, the attacker edits the XML data value in the response received from the application.
See the given example for better understanding:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///home/xenial/Documents/creds.txt" >]
2. Exploiting XXE to Perform SSRF Attacks
It is also possible to escalate XML External Entity attack into Server Side Request Forgery to make unwanted HTTP requests to a URL selected by an attacker. To perform this attacker needs to do these steps:
* First create an external entity with the target URL.
*Use this entity within the data value
* If you get the selected value in the response, it means it is a two-way interaction with the server.
* If you are not getting the selected value in the response, It is still possible to perform a blind Server Side Request Forgery attack.
See the below example :
<!DOCTYPE foo [ <!ENTITY example-entity SYSTEM
3. Blind XXE Vulnerability
Blind XML External Entity vulnerability means that the application processes XML external entity in an unsecured way but it does not return those entities in response. It needs more advanced techniques to detect and exploit.
4. Retrieving sensitive data via error messages
This type of XML External Entity attack is mainly based on error messages, which are sent by an application if we provide the wrong XML. Sometimes application leaks sensitive information.
We can prevent XXE attacks by disabling those dangerous features which XML standard libraries support by default. It is the simple and easiest way to prevent XXE attacks.
In our upcoming posts of this XXE series, we will learn how to find and exploit different types of XXE vulnerabilities.
XML External Entity Injection (XXE) – Part 2