XXE Injection Attacks – XML External Entity Vulnerability With Examples

Outsmart Malicious Hackers


XXE Injection Attacks or XML External Entity vulnerabilities are a specific type of Server Side Request Forgery or SSRF attack relating to abusing features within XML parsers.

XXE Injection Attacks - XML External Entity Vulnerability With Examples

The features these attacks go after are widely available but rarely used and when trigged can cause a DoS (Denial of Service) attack and in some cases much more serious escalation like extraction of sensitive data or in worst case scenarios RCE or Remote Code Execution.

What is XML

In computing, Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.

From: https://en.wikipedia.org/wiki/XML

It’s been replaced in a lot of modern APIs by JSON, but a lot of applications still use XML and/or have XML parsers inside so it’s good to be aware of XXE attacks as a vector.

XML parsers validate data in two main ways, XXE falls within the DTD or Data Type Definition method.

What is an XXE Attack

The thing is the XML entities can be defined anywhere, including externally, this is where XXE comes in and can be abused by an attacker by using XML entities to request the execution of certain files or even to return the contents of files if they know the structure of your web application for example.

It’s also worth mentioning, that with some XML parsers, it’s even possible to get directory listings in addition to the contents of a file.

XXE Attack Example

An example would look like this:

Request

Response

Obviously this is a simple example, but it could be used to echo /etc/passwd, get secrets from source code repos or execute malicious code (like a web shell) if the attacker has managed to upload something.

You can find out more, in much more depth, here:

Part 1 – What is XML External Entity (XXE)?
Part 2 – XML External Entity (XXE) limitations
Part 3 – Out-of-band XML External Entity (OOB-XXE)

Posted in: Exploits/Vulnerabilities

,


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


Comments are closed.