{"id":4862,"date":"2017-10-26T02:18:34","date_gmt":"2017-10-25T18:18:34","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4862"},"modified":"2017-10-26T02:28:16","modified_gmt":"2017-10-25T18:28:16","slug":"xxe-injection-attacks-xml-external-entity-vulnerability-examples","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2017\/10\/xxe-injection-attacks-xml-external-entity-vulnerability-examples\/","title":{"rendered":"XXE Injection Attacks – XML External Entity Vulnerability With Examples"},"content":{"rendered":"

XXE Injection Attacks or XML External Entity vulnerabilities are a specific type of Server Side Request Forgery or SSRF attack<\/a> relating to abusing features within XML parsers. <\/p>\n

The features these attacks go after are widely available but rarely used and when trigged can cause a DoS (Denial of Service) attack and in some cases much more serious escalation like extraction of sensitive data or in worst case scenarios RCE or Remote Code Execution.<\/p>\n

What is XML<\/h2>\n

In computing, Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.<\/p><\/blockquote>\n

From: https:\/\/en.wikipedia.org\/wiki\/XML<\/a><\/p>\n

It’s been replaced in a lot of modern APIs by JSON, but a lot of applications still use XML and\/or have XML parsers inside so it’s good to be aware of XXE attacks as a vector.<\/p>\n

XML parsers validate data in two main ways, XXE falls within the DTD or Data Type Definition method.<\/p>\n

What is an XXE Attack<\/h2>\n

The thing is the XML entities can be defined anywhere, including externally, this is where XXE comes in and can be abused by an attacker by using XML entities to request the execution of certain files or even to return the contents of files if they know the structure of your web application for example.<\/p>\n

It\u2019s also worth mentioning, that with some XML parsers, it\u2019s even possible to get directory listings in addition to the contents of a file.<\/p>\n

XXE Attack Example<\/h2>\n
An example would look like this:<\/p>\n

Request<\/p>\n

POST http:\/\/example.com\/xml HTTP\/1.1\r\n \r\n\r\n  \r\n]>\r\n\r\n  &bar;\r\n<\/foo>\r\n\r\n<\/pre>\nResponse<\/h4>\nHTTP\/1.0 200 OK\r\n \r\nDISTRIB_ID=Ubuntu\r\nDISTRIB_RELEASE=16.04\r\nDISTRIB_CODENAME=xenial\r\nDISTRIB_DESCRIPTION=\"Ubuntu 16.04 LTS\"<\/pre>\nObviously this is a simple example, but it could be used to echo \/etc\/passwd<\/code>, get secrets from source code repos or execute malicious code (like a web shell<\/a>) if the attacker has managed to upload something.<\/p>\n
You can find out more, in much more depth, here:<\/p>\n
Part 1 – What is XML External Entity (XXE)?<\/a>
\nPart 2 – XML External Entity (XXE) limitations<\/a>
\nPart 3 – Out-of-band XML External Entity (OOB-XXE)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
XXE Injection Attacks or XML External Entity vulnerabilities are a specific type of Server Side Request Forgery or SSRF attack relating to abusing features within XML parsers. The features these attacks go after are widely available but rarely used and when trigged can cause a DoS (Denial of Service) attack and in some cases much […]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"XXE Injection Attacks or XML External Entity vulnerabilities are a type of SSRF attack relating to abuse of features within XML parsers.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[10],"tags":[10634,300],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4862"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=4862"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4862\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=4862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=4862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=4862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

XXE Attack Example<\/h2>\nAn example would look like this:<\/p>\n

Request<\/p>\n

XXE Attack Example<\/h2>\n
An example would look like this:<\/p>\n