XML External Entity Injection (XXE)

In this chapter, we are going to learn about XML external entity injection (also called XXE).

Type of vulnerability: Server-Side

Chances to find: Common; XXE is part of “Security Misconfiguration”, ranked #5 in the “OWASP Top-10 Vulnerabilities”.

TL;DR: An XXE vulnerability enables an attacker to make the target machine resolve an external entity (a resource outside the XML document itself, such as a local file or a URL) by sending maliciously crafted XML payloads.

What is XXE?

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. (src: OWASP)

Let’s have a look at an example. You are logging in to your local sport club’s app and you want to book a tennis court for 2 hours.

An example HTTP request could look like this (the root element name “booking” is assumed):

POST /sport/tennis/booking HTTP/1.1
Host: example.com
Content-Type: application/xml
Content-Length: 123

<?xml version="1.0" encoding="UTF-8"?>
<booking>
  <day>
    2021-01-01
  </day>
  <time>
    16
  </time>
  <hours>
    2
  </hours>
</booking>

An attacker could now try to exploit the application by including an XML DTD (document type definition).

Let’s see what that looks like in practice (the root element name “booking” is assumed):

POST /sport/tennis/booking HTTP/1.1
Host: example.com
Content-Type: application/xml
Content-Length: 190

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stealfiles [ <!ENTITY steal SYSTEM "file:///etc/passwd"> ]>
<booking>
  <day>
    &steal;
  </day>
  <time>
    16
  </time>
  <hours>
    2
  </hours>
</booking>

We see that the attacker is declaring an XML DTD called “stealfiles” that defines an external entity called “steal” (the chosen names don’t matter). As soon as the application processes the reference “&steal;”, the parser reads the “passwd” file on the local server and substitutes its content where the reference appears; because the booking day is echoed back, the file content ends up in the server response.

The impact of XXE!

While we have already seen one potential impact of XXE in the previous example, it is not the only one. Generally speaking, the following impacts can be exploited by an attacker:

  • Local file inclusion: Returning the content of local files in the response by using “file://”

  • Server-side request forgery: Returning the content of HTTP responses from requests issued by the vulnerable machine using “https://” or “http://”.

  • Blind SSRF: If the response is not directly returned, it could be sent to an attacker controlled web server by wrapping one external entity into another

  • Information disclosure: Purposely misconstructed payloads could lead to a leakage of interesting data

  • Denial-of-service: Certain XML parsers have known weaknesses that bring down the system when they process a manipulated XML document

Here are some public write-ups of XXE vulnerabilities exploited in the wild:

How to prevent XXE?

Fortunately, XXE vulnerabilities can be resolved rather simply. The main hardening approach is to disable the resolution of external entities (ideally DTD processing altogether) and support for XInclude in the XML parser.
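The following is an added example, not code from the chapter, showing what that hardening looks like for the booking request above in Python’s standard library. It layers two defences: a screen that rejects any document carrying a DOCTYPE before a parser sees it, and a SAX parser with external general and parameter entities switched off, so that the “&steal;” reference from the attack request expands to nothing instead of to the file content. The “booking” root element, the function names and both sample documents are assumptions.

```python
"""Added example (not from the chapter): parsing the tennis-booking XML with
two defensive layers from the Python standard library. The <booking> root
element, the function names and the two sample documents are assumptions."""
import io
import xml.etree.ElementTree as ET
import xml.sax
import xml.sax.handler

# Constructed sample: the benign booking request from the chapter.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<booking>
  <day>2021-01-01</day>
  <time>16</time>
  <hours>2</hours>
</booking>"""

# Constructed sample: the chapter's attack payload, declaring an external
# entity in an inline DTD and referencing it inside <day>.
MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stealfiles [ <!ENTITY steal SYSTEM "file:///etc/passwd"> ]>
<booking>
  <day>&steal;</day>
  <time>16</time>
  <hours>2</hours>
</booking>"""


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD, which the booking API never needs."""


def contains_dtd(raw: bytes) -> bool:
    """Layer 1: screen for a DOCTYPE declaration before any parser sees the bytes.

    The keyword is case-sensitive in XML, so no case folding is needed, but the
    document may arrive as UTF-16, so both byte orders are checked as well.
    """
    needles = (b"<!DOCTYPE",
               "<!DOCTYPE".encode("utf-16-le"),
               "<!DOCTYPE".encode("utf-16-be"))
    return any(needle in raw for needle in needles)


class _BookingHandler(xml.sax.ContentHandler):
    """Collects the text of each child element of <booking>."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._buf = []

    def startElement(self, name, attrs):
        self._buf = []

    def characters(self, content):
        self._buf.append(content)

    def endElement(self, name):
        if name != "booking":
            self.fields[name] = "".join(self._buf).strip()


def parse_booking_hardened(raw: bytes) -> dict:
    """Layer 2: a SAX parser with external general and parameter entities
    switched off. An external entity reference then expands to nothing
    instead of to the referenced file's contents."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    handler = _BookingHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(raw))
    return handler.fields


def parse_booking(raw: bytes) -> dict:
    """Both layers together: reject DTDs outright, then parse with the
    hardened parser."""
    if contains_dtd(raw):
        raise UnsafeXML("DTD declarations are not accepted")
    return parse_booking_hardened(raw)


def elementtree_outcome(raw: bytes) -> str:
    """For comparison: xml.etree.ElementTree never expands external entities;
    it raises ParseError when it meets one, so the file content cannot leak
    through this parser either."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return "parse-error"
    return root.findtext("day", default="").strip()


if __name__ == "__main__":
    print(parse_booking(BENIGN))
    print(parse_booking_hardened(MALICIOUS))   # day is empty, not the file content
    print(elementtree_outcome(MALICIOUS))      # parse-error
    try:
        parse_booking(MALICIOUS)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

The DOCTYPE screen is deliberately blunt: a booking API has no legitimate reason to accept a DTD, so rejecting the whole request is the right default, and it also stops denial-of-service payloads built from entity expansion that a “disable external entities” setting alone would not catch. The parser features are the second line of defence in case the screen is ever bypassed; in other ecosystems the equivalent is the parser’s “disallow DTD” or “external entities” switch, which OWASP’s cheat sheet lists per library.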

Most modern web application backends have switched from XML to JSON, which by design does not come with this vulnerability.

Find out more information about XXE prevention in OWASP’s XXE prevention cheat sheet.

Additional resources:

Let’s have a look at a video example of an XXE vulnerability:

Let’s have a look at a more sophisticated attack, where we are using an SVG file to exploit the application:

And one more, where we are going to see how we can chain an XXE with an SSRF vulnerability!

This video by PwnFunction gives a very good visual explanation of XXE:

The following links are valuable to learn more about XXE: