XML External Entity (XXE) Injection

XML External Entity (XXE) Injection: A vulnerability in which user-supplied XML is parsed without restricting entity processing, allowing the input to trigger actions the developer never intended. These attacks abuse the XML parser to read system files or make network requests, potentially disclosing sensitive data or degrading backend server availability.

XML (Extensible Markup Language): A markup language for data storage and transfer across applications.

Structure: XML documents are tree structures with elements:

  • Root Element: The primary container (e.g., <email>).

  • Child Elements: Nested data fields (e.g., <date>, <time>).

  • Tags: Surround elements (<tag>value</tag>).

  • Entities: XML variables (e.g., &lt; for <).

  • Attributes: Optional settings within tags (e.g., version="1.0").

Example XML Document:

<?xml version="1.0" encoding="UTF-8"?>
<email>
  <date>01-01-2022</date>
  <sender>john@example.com</sender>
  <body>Hello, please send the invoice.</body>
</email>

XML Document Type Definition (DTD)

DTD: Defines an XML document’s structure, specifying elements and allowed data.

  • Internal DTD: Included directly in the XML file.

  • External DTD: Referenced via SYSTEM or PUBLIC with a URL or file path.

Example DTD:


Methodology

  • Identify every functionality that processes an XML structure.

  • Attempt to inject a % to cause an error.

  • Test for simple XXE injection and check if it is reflected.

    • Error-based XXE

    • Error-based XXE using DTD

    • Exfiltrate files

    • Remote command execution

  • If you cannot define the DOCTYPE, attempt XInclude XXE.

  • If the application has functionality to process XML via SVG (e.g., image upload), attempt XXE via SVG files.

  • If in scope, try a DoS attack.
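The parser-side counterpart to this methodology, as an added defensive example that is not part of the original page: using Python's standard-library expat bindings, it refuses any DOCTYPE (which every DTD-based variant above depends on), any general or parameter entity declaration, any external entity reference, and any XInclude namespace binding, while still parsing ordinary documents such as the email example. The function and sample names are mine, and the sample inputs are constructed with placeholder paths.

```python
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

class UnsafeXML(ValueError):
    """Raised when the input uses a feature that enables XXE or XInclude."""

def parse_untrusted(data):
    """Parse untrusted XML into {leaf element: text}, or raise UnsafeXML."""
    parser = expat.ParserCreate()
    fields, text = {}, []
    def refuse(*_args):  # an exception raised in a handler propagates out of Parse()
        raise UnsafeXML("DOCTYPE, entity declaration or external reference")
    # Every DTD-based XXE variant needs a DOCTYPE, so refuse it outright; the entity
    # handlers are defence in depth and also cover % parameter entities.
    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse

    def start(name, attrs):
        # XInclude needs no DOCTYPE, so look for its namespace binding instead.
        if XINCLUDE_NS in attrs.values():
            raise UnsafeXML("XInclude namespace")
        text.clear()

    def end(name):
        value = "".join(text).strip()
        if value:
            fields[name] = value
        text.clear()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return fields

def rejection_reason(data):
    """Return why the document was refused, or None if it parsed cleanly."""
    try:
        parse_untrusted(data)
    except UnsafeXML as exc:
        return str(exc)
    return None

# Constructed samples: the page's email document, then a DOCTYPE-based and an XInclude-based input.
SAFE = b"<email><date>01-01-2022</date><sender>john@example.com</sender></email>"
XXE = b'<!DOCTYPE email [<!ENTITY ext SYSTEM "file:///placeholder">]><email><body>&ext;</body></email>'
XINCLUDE = (b'<email xmlns:xi="http://www.w3.org/2001/XInclude">'
            b'<body><xi:include parse="text" href="file:///placeholder"/></body></email>')
print(parse_untrusted(SAFE), rejection_reason(XXE), rejection_reason(XINCLUDE))
```

Predefined and numeric character references (&lt;, &#60;) still work because they involve no entity declaration; only documents that carry a DTD or an XInclude binding are refused.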

XXE Attacks

Test Vulnerability

Character to attempt: '%'

Attempt to define an entity without referencing it and send the request to check whether the application blocks external entities.

Then attempt to define and reference it.

Note: Some web applications default to a JSON format in HTTP requests but may still accept other formats, including XML. So, even if a web app sends requests in JSON, we can try changing the Content-Type header to application/xml and converting the JSON data to XML with an online tool. If the web application accepts the request with XML data, we can test it for XXE as well, which may reveal an unanticipated vulnerability.

Reading Sensitive Files

Tip: In certain Java web applications, we may also be able to specify a directory instead of a file, and we will get a directory listing instead, which can be useful for locating sensitive files.

PHP applications.

Remote Code Execution with XXE

Note: We replaced all spaces in the above XML code with $IFS, to avoid breaking the XML syntax. Furthermore, many other characters like |, >, and { may break the code, so we should avoid using them.

Error-Based XXE

Host a DTD file as follows:

Payload Structure:

Error-Based XXE using a DTD file

Obtain a full list of common DTD files: https://github.com/GoSecure/dtd-finder/tree/master/list

Once a valid payload has been identified, either by brute forcing with Burp Intruder or by scripting, the final payload is as follows:

XInclude XXE

When you can't modify the DOCTYPE element, use XInclude to target

Payload:

Final Payload:

XXE via SVG Files

Blind XXE with out-of-band interaction

Normal out-of-band interaction

XML parameter entities

Exfiltrate data using a malicious external DTD

Host a DTD file as follows:

Payload structure:

DoS Attack

XXEInjector

We can copy the HTTP request from Burp and write it to a file for the tool to use. We should not include the full XML data, only its first line, and write XXEINJECT after it as a position locator for the tool.

Tools

https://www.convertjson.com/json-to-xml.htm
