While XXE has been around for a while, it was not in the OWASP Top 10 of 2010 or 2013. It made its first appearance in the OWASP Top 10 2017, where it is ranked in 4th place.

What is XXE?

“An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.”

Wikipedia

Now it is time for the fun part: a video by Pwnfunction, this time in collaboration with John Hammond, who has a YouTube channel with loads of videos about Capture The Flag challenges.

Some key takeaways:

  • XML entities can be used to store data, and thus to read local files such as /etc/passwd.
  • Output not showing? Try Out-Of-Band XXE: make the parser request a DTD file hosted on your server to exfiltrate data.
  • Failed to exfiltrate certain files? Wrap the content of the file in CDATA.

Some payloads that might help you exploit XXE vulnerabilities (by EdOverflow).

EXTRA VIDEO: A CTF challenge using XXE by John Hammond

EXTRA VIDEO: BLIND XXE OOB over DNS by STÖK

Impact

XXE can play out in different scenarios; the most common one is reading local files on the server. But it is often also possible to reference not only local resources but also resources hosted online and in the company's internal network. It is sometimes even possible to escalate XXE to RCE, as you can read in the following write-ups.

Local File Inclusion (LFI)

Extracting information by uploading and downloading an excel file (by Jonathan Bouman)

XXE in IBM’s MaaS360 Platform (by Cody Wass)

Remote Code Execution (RCE)

XXE in OpenID affecting facebook (by Reginaldo Silva)

RCE via XXE & SSRF on netgear stora, seagate home and medion lifecloud NAS (by Paulos Yibelo)

Server Side Request Forgery (SSRF)

A story about exploiting XXE by one of our best researchers (by Pieter)

Internal port scanning

If internal port scanning is the only thing you can do, it would be accepted as Low severity, since on its own it is not very impactful.

Denial of Service (DoS)

It’s possible to use XML to execute a denial-of-service attack against the server. This is called an exponential entity expansion attack, also known as an XML bomb or the Billion Laughs Attack. The attack consists of 10 entities, each of which refers to the previous entity 10 times, so the parser ends up trying to expand the string (“lol”) a billion times.

A write-up with a more in-depth explanation about the Billion Laughs Attack.

Don’t be this kind of researcher

EXTRA: A write-up about a web challenge from the Cyber Security Challenge Belgium. It’s a CTF challenge made by Arne Swinnen, but one that can definitely occur on live websites.

Time for practice!

Pentesterlab has some great content. And, lucky for you, he offers some free exercises as well, one of which is about XXE. So go check it out, good luck, and maybe consider subscribing to Pentesterlab PRO to unlock more content and awesome exercises.

A must-read, including exercises: Web Security XXE by Portswigger.

How to prevent XXE?

Preventing XXE can often be as simple as disabling external entities. If that is not possible, external entities and external document type declarations (DTDs) must be disabled in the way that is specific to each parser. Alternatively, consider switching to JSON.
You can find more information, per programming language, in the OWASP XXE prevention cheat sheet.
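As an added illustration (not code from the original post or from OWASP), the strictest form of "disable DTDs" in Python's standard library: pyexpat handlers refuse any document that declares a DOCTYPE or an entity at all, before the data reaches the real parser. The function names (`reject_dtd`, `is_safe`, `safe_parse`) and the three sample documents are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

class UnsafeXML(ValueError):
    """The document declares a DTD or an entity: refuse it before parsing."""

def reject_dtd(data: bytes) -> None:
    """Abort at the first DOCTYPE or entity declaration using pyexpat handlers."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration found: {name!r}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration found: {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # an exception raised inside a handler propagates here

def is_safe(data: bytes) -> bool:
    """True when the document carries neither a DTD nor entity declarations."""
    try:
        reject_dtd(data)
    except UnsafeXML:
        return False
    return True

def safe_parse(data: bytes) -> ET.Element:
    """Parse only documents that passed the DTD check; raises UnsafeXML otherwise."""
    reject_dtd(data)
    return ET.fromstring(data)

# Constructed sample inputs (hypothetical, not taken from any real report): an
# external-entity payload, a miniature entity-expansion document, and a clean document.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

BOMB_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

CLEAN_DOC = b"<order><item sku='A1'>2</item></order>"
```

Predefined entities such as `&amp;` and numeric character references are not declarations, so documents that use them still pass the check.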

Want more?

Follow us on Twitter and don’t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land and powered by intigriti, containing more write-ups and helpful resources.