Decoding XML Vulnerabilities: From Basics to Exploits in XML External Entities

Vulnerabilities within XML parsing can act as the exploitation point for many systems. Combined, they can lead to severe consequences…

Vulnerabilities within XML parsing can act as the exploitation point for many systems. Combined, they can lead to severe consequences, including data leaks, SSRF, service disruptions, and even remote command or code execution.

Introduction to XML

This post aims to explain the syntax and concepts of XML entities, which could be used as potential cyber attack vectors if not understood completely.

XML combines markup and content, using tags as its primary form of markup to structure and validate data during document processing. While it may resemble HTML, XML allows for custom tag definitions, making it more flexible. This is demonstrated in the example provided with the custom ‘contact’ tag and its sub-elements. To ensure adherence to specific rules or structures, XML uses Document Type Definitions (DTDs) and Schemas. As a security researcher, I find DTDs particularly interesting due to the entities they introduce.

Understanding XML Entities for Security

Entities in XML act like placeholders, defined once and used multiple times, similar to variables in coding. They are declared using DTDs, generally at an XML document’s inception. Let’s delve deeper into these entities, considering their security implications:

  1. Internal Entities: These are defined within the DTD itself. Their declaration is straightforward but can be vulnerable to attacks if improperly managed.
    <!DOCTYPE root [ <!ENTITY example “This is an internal entity”> ]> <root>&example;</root>
  2. External Entities: These entities reach out to external data sources. There’s a distinction between private (SYSTEM) and public (PUBLIC) entities. From a security standpoint, the remote referencing nature of external entities can lead to potential risks like XML External Entity (XXE) attacks.
  3. Parameter Entities: Exclusive to DTDs, these entities aid in structuring the DTD but can be misused if not correctly implemented.
    <!DOCTYPE root [
    <!ENTITY % paramEntity “ENTITY example ‘This is a parameter entity’”>
    %paramEntity;
    ]>
    <root>&example;</root>

What is XXE!!!

The XML External Entity (XXE) attack leverages the XML feature that allows for the definition of entities to represent external content. When exploited, this can lead to various malicious scenarios, such as:

  1. Disclosure of internal files: By referencing internal files, the attacker can access sensitive information, like configuration files or source code.
  2. Server-Side Request Forgery (SSRF): Attackers can force the XML parser to make outbound requests to internal systems, potentially exposing internal network layouts or facilitating other attacks.
  3. Denial-of-Service (DoS): By referencing entities within entities, attackers can force the parser to process exponentially growing data, which might cause resource exhaustion.
  4. Remote Code Execution: In some scenarios, when combined with other vulnerabilities, XXE might be leveraged to execute arbitrary commands on the targeted server.

Testing for XXE

  1. Turn on Burp and Spider on the website manually or automatically.
  2. Find an endpoint that sends XML.
    2.1 search in burp for <?XML
    2.2 get all the requests in the repeater
  3. Send the below payload to test [1]:
    <?xml version=”1.0" encoding=”UTF-8"?>
    <!DOCTYPE foo [<!ENTITY toreplace “3”> ]>
    <stockCheck>
    <productId>&toreplace;</productId>
    <storeId>1</storeId>
    </stockCheck>
  4. if it parses and replaces with “3”. Then the XXE is successful.
  5. if not, send the request to intruder and test for all the payloads in here (link).

Exploitation [2]

Below are the types of XXE payload.

  • Denial of Service
  • File disclosure
  • SSRF
  • Retrieve Data Via Error Messages

Tools

  1. https://github.com/luisfontes19/xxexploiter
  2. https://github.com/kljunowsky/XXElixir
  3. https://github.com/GoSecure/dtd-finder

I have such a small request for all of you, I always write articles on many security topics. So if you didn’t follow, then follow me first and clap on this article, because that gives me the motivation to write something new !!

If you do not follow me on my social, here is my Twitter and LinkedIn.

☛ My-Twitter
My-Linkedin


Reference:

  1. https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity
  2. https://hackersonlineclub.com/xml-external-entity-xxe-injection-payload-cheatsheet/