In this article I’ll explain about XML external extity (XXE) injection.
This is similar to SQL and HTML injection and XSS.This vulnerability been featured in the OSWAP Top 10 list in 2017 for the first time and immediately made it to the number 4 spot.
Disclaimer:- This article is only for educational purpose. I am not responsible for any illegal attack.This is only information for growth your knowledge and anyway you are smart.
What is XML external entity injection?
XML external entity(XXE) injection is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. Using XXE, an attacker is able to cause Denial of Service (DoS) as well as access local and remote content and services and to interact with any back-end or external systems that the application itself can access.
This vulnerability used to perform Server Side Request Forgery(SSRF).
Is that the XEE (XML Eternal Entity Injection) vulnerability can be activated when certain endpoints that accept XML as input are detected. But often, you may find cases where the endpoints that accept XML may not be so evident (for example, those cases where the client uses only JSON to access the service). In these situations, a pen tester must try various things to see how the application reacts, such as changing the HTTP methods, Content-Type, etc. If the content is parsed by the application, then there is a scope for XXE.
Most Common XXE Injection Attacks
- Local File Hijack from Server
the attacker sends the malformed XML payload in the request, the server processes this payload and sends back a response with sensitive information, such as local files of the server, application configuration files, internal network details and so on.
In few cases upon submitting the HTTP request with the crafted XXE payload, the server responded with the /etc/passwd/ of the server.
However, in many cases, the server may not send back a response. The other way an attacker can exploit this is by including the URL (attacker-controlled server) in the XXE payload. When the server parses the payload, it makes an additional call to the attacker-controlled server, thereby an attacker listens to the victim’s server and captures information such as local files, server configuration files, and other server details.
- Access Server files through a File Upload feature
Many applications support a “File Upload” functionality (XLSX, DOCX, PPTX, SVG or any XML MIME type formats) for further processing. Usually, these files have an XML MIME type. An attacker could take advantage of the inherent XML type and upload malicious files embedded with XXE payloads. When the server parses the file, the file containing XXE payload gets executed, resulting in the disclosure of sensitive information of a server on the client side.
Note that the libraries that parse XML on one part of the site (e.g. API) may not be the same as libraries that parse uploaded files.
- DOS attack with Recursive Entity Expansion
This attack is also called as the Billion Laugh attack, the XML Bomb or a Recursive Entity Expansion attack. This attack occurs when the parser continually expands each entity within itself, which overloads the server and results in bringing down the server.
XXE is not a new vulnerability but rather an existing one that has gained more notoriety in recent applications. A successful XXE injection attack could result in massive damages on both security and business functionality fronts.
EXPLOITING XXE TO RETRIEVE FILES
There are two ways:
- #Enter (or edit) a DOCTYPE element that specifies an external entity that contains the file path.
- #To make use of the defined external entity, edit the data value in the XML returned in the application’s response.
Examples of XXE Attacks
- Accessing a local resource that may not return
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///dev/random" >]> <foo>&xxe;</foo>
If fortune is on our side, and the PHP “expect” module is loaded, we can get RCE. Let’s modify the payload
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [<!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" >]> <creds> <user>`&xxe;`</user> <pass>`mypass`</pass> </creds>
How to Prevent XXE injection Attacks?
XXE vulnerability occur because the XML parsing library of the application supports potentially dangerous XML features that the application does not require to use.
The easiest method to prevent against the attacks it to permanently disable the Document Type Definitions (DTDs), if this is not require.And turn off entity expansion in XML.Check the the version of XML libraries IF they are vulnerable to XXE attack.