XML External Entity (XXE) Injection
Culprit: the application endpoints responsible for processing XML data. Reason: the application must restrict what its XML parser is allowed to do; otherwise XML entities can be used for malicious purposes, leading to threats ranging from LFI to RCE, or to SSRF attacks deeper into the infrastructure. In other words, standard parser implementations (libraries/APIs) for processing XML support dangerous XML features, often by default.
XML
Extensible Markup Language
Tree-like structure of tags and data
No predefined tags
X in AJAX
XML Entities
Consider HTML: &lt; and &gt; are HTML entities. Each entity has a specific definition and is replaced by it while the HTML document is processed. In the same way, an XML document consists of a set of storage units called entities.
In XML they serve the purpose of embedding blocks of text, documents or files into the XML document.


Types of Entities:
https://docs.microsoft.com/en-us/dotnet/standard/data/xml/reading-entity-declarations-and-entity-references-into-the-dom
Internal : the definition is found entirely within the document's DTD
External : the definition is found outside the document's DTD
Parameter : the first thing the XML processor encounters when parsing a document. It is also referred to as the document root, and it provides programmatic access to the rest of the document. The document entity is important because, at the end of the day, it is the only thing the XML specification requires an XML parser to read.
DTD (Document Type Definition)
Contains declarations defining the tree structure of the XML document.
The DTD is declared within the optional DOCTYPE element at the start of the XML document.
There are two data types: PCDATA and CDATA.
PCDATA is parsed character data.
CDATA is character data, which is not usually parsed.

Custom Entities in DTD (Example #1 internal)
&myentity; within the XML document will be replaced with the defined value: "my entity value".
External - defined outside of the DTD - the actual cause of XXE
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com" > ]>
The declaration uses the SYSTEM keyword and must specify a URL from which the value of the entity will be loaded. The URL can use the file:// protocol, so external entities can also be loaded from files on the server. For example:
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>
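The defensive counterpart to the declarations above is a parser that refuses to resolve them. The following is an added example, not code from the original notes; it uses only the Python standard library (xml.parsers.expat, the parser underneath xml.etree.ElementTree) and its declaration callbacks to veto a DTD or an entity before the parser ever tries to fetch anything. The sample documents are constructed here and reuse the entity names and URLs from the notes; the strict/tolerant split is this example's own design, modelled on the forbid_dtd / forbid_entities / forbid_external switches commonly found in hardened parsers.

```python
"""Hardened XML parsing for untrusted input (stdlib only).

Added example, not code from the original notes. Assumes nothing beyond
Python's standard library.
"""
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML uses a feature we refuse to process."""


def parse_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> ET.Element:
    """Parse `data` into an Element without resolving any external entity.

    forbid_dtd=True  (default, strictest): any <!DOCTYPE ...> is rejected
                     outright, so no entity of any kind can be declared.
    forbid_dtd=False (tolerant): a DTD with internal entities is allowed, but
                     every external (SYSTEM/PUBLIC) entity declaration, every
                     parameter entity and every external entity reference is
                     refused, so file:// and http:// entities are never fetched.
    """
    parser = expat.ParserCreate()
    builder = ET.TreeBuilder()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if forbid_dtd:
            raise UnsafeXMLError(f"DOCTYPE not allowed: <!DOCTYPE {name}>")
        if system_id is not None or public_id is not None:
            # An external DTD subset is itself a remote fetch; refuse it.
            raise UnsafeXMLError(f"external DTD subset refused: {system_id!r}")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # expat reports internal and external declarations through this one
        # callback. Only an internal general entity (replacement text inline,
        # no SYSTEM/PUBLIC identifier) is kept; everything else is the XXE vector.
        if is_parameter or system_id is not None or public_id is not None:
            raise UnsafeXMLError(
                f"entity declaration refused: {name!r} "
                f"(parameter={bool(is_parameter)}, system_id={system_id!r})"
            )

    def on_external_entity_ref(context, base, system_id, public_id):
        # Belt and braces: returning 0 tells expat the reference could not be
        # handled, so even a reference that slipped past the checks above is
        # never resolved.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.buffer_text = True  # deliver text in whole runs, not fragments

    parser.Parse(data, True)  # exceptions raised in the handlers propagate from here
    return builder.close()


# Constructed sample documents; the entity names and URLs are the ones from the notes.
PLAIN_DOC = b"<foo>plain text</foo>"

INTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE foo [ <!ENTITY myentity "my entity value"> ]>'
    b"<foo>&myentity;</foo>"
)

FILE_ENTITY_DOC = (
    b'<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file"> ]>'
    b"<foo>&ext;</foo>"
)

URL_ENTITY_DOC = (
    b'<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com"> ]>'
    b"<foo>&ext;</foo>"
)


def classify(data: bytes, forbid_dtd: bool = True) -> str:
    """Return the root element's text on success, or 'REJECTED: <reason>'.

    Useful as the string to log when an inbound document is turned away.
    """
    try:
        return parse_untrusted_xml(data, forbid_dtd=forbid_dtd).text or ""
    except UnsafeXMLError as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    samples = [("plain", PLAIN_DOC), ("internal", INTERNAL_ENTITY_DOC),
               ("file", FILE_ENTITY_DOC), ("url", URL_ENTITY_DOC)]
    for label, doc in samples:
        print(f"{label:9} strict  : {classify(doc)}")
        print(f"{label:9} tolerant: {classify(doc, forbid_dtd=False)}")
```

In strict mode every document carrying a DOCTYPE is rejected, which is the right default for an API that has no business accepting DTDs. In tolerant mode the internal entity still expands to "my entity value", while both SYSTEM declarations from the notes are refused at declaration time, before any file or URL is touched; logging the REJECTED reason gives a cheap detection signal for XXE probing against the endpoint.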