XML - a markup language, like HTML and Markdown. It is a markup language that provides rules for defining the structure of any kind of data.
XXE - a type of attack against an application that parses XML input. The attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
XML External Entity injection (XXE) interferes with the application's processing of XML data. It typically allows an attacker to view files on the server's filesystem, to interact with back-end systems that the application itself can reach, or to perform SSRF.
Some applications use the XML format to transfer data; the ones that do this use a library or a platform API to process that data.
XXE arises because the XML specification contains many potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.
The XML document type definition (DTD) is the type-definition part of XML: it contains declarations that define the structure of the XML document. The DTD is declared within the DOCTYPE element at the start of the document. It can be fully contained within the document (internal DTD), loaded from elsewhere (external DTD), or a hybrid of the two.
e.g. of a definition: <!DOCTYPE foo [ <!ENTITY myentity "my entity value" > ]>
This means any usage of &myentity; within the XML document will be replaced by "my entity value" when the document is parsed.
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com" > ]>
- external entity, loaded from a URL (the parser fetches it over the network)
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>
- external entity, loaded from a file on the server's filesystem
To retrieve an arbitrary file from the server's filesystem, the submitted XML needs to be modified in 2 ways:
1. Introduce (or edit) a DOCTYPE element that defines an external entity whose URL points to the path of that file.
2. Edit a data value in the XML (one that is reflected in the application's response) so that it makes use of the defined entity.
e.g. - a stock check request whose XML body would typically be just something like this: <stockCheck><productId>381</productId></stockCheck>
To retrieve /etc/passwd the request is changed to:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck>&xxe;</stockCheck>
NOTE: In the real world, XML submitted to a vulnerable application usually contains a large number of data values, and any one of them might be the one that is used in the response. To test systematically, you need to test each data node in the XML individually, making use of the defined entity in that node and checking whether the entity's value appears in the response.
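Added example (my own code, not part of these notes or of any product they describe) showing the defensive side of the two points above: how an internal entity such as &myentity; expands, and how a hardened parser refuses a DOCTYPE / external entity like the /etc/passwd one so the file is never read. It uses only Python's standard library expat bindings; the stockCheck documents, the parse_product_id function and the allow_internal_dtd switch are constructed for this example and are not from the notes. A small regex check is included as a cheap logging/alerting signal for requests that declare external entities.

```python
import re
import xml.parsers.expat

# Constructed sample requests, modelled on the stock-check body in the notes.
BENIGN_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<stockCheck><productId>381</productId></stockCheck>'
)
INTERNAL_ENTITY_XML = (
    b'<!DOCTYPE foo [ <!ENTITY myentity "my entity value"> ]>'
    b'<stockCheck><productId>&myentity;</productId></stockCheck>'
)
XXE_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
    b'<stockCheck><productId>&xxe;</productId></stockCheck>'
)

# Cheap pre-parse detection of an external entity declaration (SYSTEM or PUBLIC
# identifier, general or parameter entity). Useful for logging/alerting at an
# API gateway; it does not replace a hardened parser.
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\S+\s+(SYSTEM|PUBLIC)\b", re.I)


def flags_external_entity(xml_bytes):
    return EXTERNAL_ENTITY_RE.search(xml_bytes) is not None


class UnsafeXMLError(ValueError):
    """Input used a DTD feature this parser refuses."""


def parse_product_id(xml_bytes, allow_internal_dtd=False):
    """Return the text of <productId>, or raise UnsafeXMLError.

    allow_internal_dtd=False (default): any DOCTYPE is refused, the usual
    recommendation for an application that never needs a DTD.
    allow_internal_dtd=True: an internal DTD is accepted (so internal entities
    such as &myentity; expand), but an external DTD or any reference to an
    external entity still aborts the parse before anything is fetched.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    state = {"in_product_id": False}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A system id here means an external DTD would be loaded.
        if not allow_internal_dtd or system_id is not None:
            raise UnsafeXMLError(f"DOCTYPE refused (root={name!r}, system id={system_id!r})")

    def on_external_entity(context, base, system_id, public_id):
        # expat calls this when content references an external entity; the
        # URL/file is never opened, the parse is aborted instead.
        raise UnsafeXMLError(f"external entity refused: {system_id!r}")

    def on_start(name, attrs):
        if name == "productId":
            state["in_product_id"] = True

    def on_end(name):
        if name == "productId":
            state["in_product_id"] = False

    def on_chars(data):
        # Character data may arrive in several chunks; collect them all.
        if state["in_product_id"]:
            chunks.append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def is_rejected(xml_bytes, **kwargs):
    """True if the hardened parser refuses the document."""
    try:
        parse_product_id(xml_bytes, **kwargs)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    print(parse_product_id(BENIGN_XML))
    print(parse_product_id(INTERNAL_ENTITY_XML, allow_internal_dtd=True))
    print("xxe flagged:", flags_external_entity(XXE_XML),
          "rejected:", is_rejected(XXE_XML, allow_internal_dtd=True))
```

With the default setting the parser rejects even the harmless &myentity; document, which is the safest choice when the application never needs a DTD; allow_internal_dtd=True shows the narrower control of accepting internal declarations while still refusing the point at which /etc/passwd would be read. Note that the regex is only a signal (it is easily evaded with parameter entities in an external DTD, which the parser setting still blocks), so alert on it but rely on the parser configuration for the actual mitigation.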