XML External Entity - XXE

What is XML External Entity - XXE?
XXE (XML External Entity) injection arises when a server-side XML parser parses an XML document insecurely, or when the server treats the body of a GET or POST request as XML. A malicious user can then supply payloads in the form of external entities inside the XML document sent to the server.
How does an XXE work?
Before understanding the attack, let's review XML files, XML entities, XML DTDs and external entities. XML (Extensible Markup Language) is a language used for storing and transporting data. XML uses a tree structure of tags, but unlike HTML it does not use predefined tags. These tags are also known as XML entities. XML uses a DTD (Document Type Declaration) to define the structure of an XML file. There are two kinds of DTD, external and internal: an external DTD loads the structure declaration from outside the file. Like an external DTD, an external entity loads data from outside the XML file.
An XXE injection attack is performed by an attacker to load external data into an XML document. When the server parses this input XML insecurely, the external data is loaded and the malicious payload executes.
What attacker can do by exploiting XXE?
An XXE attack is performed by an attacker to retrieve the server's internal files, to perform SSRF attacks, to perform XSS attacks and to perform command injection attacks. XXE injection can be especially harmful because many different attacks can be carried out through it. XXE is also used by the attacker to bypass client-side validation.
  • An attacker can access the server's internal files with SSRF attacks.
  • An attacker can access the client's cookies using XSS attacks.
  • An attacker can execute commands in the server's shell.
  • An attacker can perform RCE (Remote Code Execution) via SSRF attacks.
What are the types of XXE?
We can categorize XXE into the following types:
  • In-Band XXE
  • Out of Band XXE
  • Blind Error Based XXE
Example:
Let's understand XXE with a basic example. Assume that a college application has a filter option and the following XML document is used as input to an insecure parser:

<?xml version="1.0" encoding="UTF-8"?> 
<filter>
    <semester>3</semester>
    <branch>CE</branch>
</filter>

If the server parses this document insecurely on the server side, an attacker can supply the following payload to exploit the XXE:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE filter [<!ENTITY brn SYSTEM "file:///etc/passwd">]>
<filter>
    <semester>3</semester>
    <branch>&brn;</branch>
</filter>

The attacker has injected an external entity named "brn", and when the server parses the XML document the brn entity loads the password file of the Linux file system, as shown in the example below:

Invalid product ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...

How to prevent XXE?
A developer can disable the resolution of external entities to prevent XXE attacks. Moreover, disabling support for XInclude further hardens the parser.
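As an added illustration (this code is not part of the original article), the following Python script reproduces the filter example above with the standard library's SAX parser, once in the insecure configuration and once with external general entities disabled, which is the fix the prevention section describes. It writes a constructed stand-in for /etc/passwd to a temporary file instead of reading the real one; the FilterHandler, parse_filter, has_doctype, parse_untrusted_filter and build_payload names are this example's own.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the contents of /etc/passwd so the demo never
# touches the real file.
PASSWD_SAMPLE = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"


class FilterHandler(ContentHandler):
    """Collects the text of <semester> and <branch> from the filter document."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name in ("semester", "branch"):
            self._current = name
            self.fields[name] = ""

    def characters(self, content):
        # Text produced by an expanded entity arrives here exactly like literal
        # text, which is how file contents end up in the "branch" field.
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        if name == self._current:
            self._current = None


def parse_filter(xml_bytes, resolve_external_entities):
    """Parse a filter document with the stdlib SAX (expat) parser.

    resolve_external_entities=True is the insecure configuration the article
    describes; False is the fix. Since Python 3.7.1 the stdlib default is
    already False, so the flag is set explicitly here to show both behaviours.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = FilterHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.fields


def has_doctype(xml_bytes):
    """Coarse defense in depth: this endpoint never needs a DTD, and a DOCTYPE is
    the only place an entity can be declared, so reject it before parsing.
    A byte match is not a substitute for the parser setting (UTF-16 input, for
    example, would not match); it only adds an early, loggable rejection."""
    return b"<!DOCTYPE" in xml_bytes


def parse_untrusted_filter(xml_bytes):
    """Hardened entry point: refuse DTDs, then parse with entity resolution off."""
    if has_doctype(xml_bytes):
        raise ValueError("DTD/DOCTYPE is not accepted in filter input")
    return parse_filter(xml_bytes, resolve_external_entities=False)


def build_payload(secret_url):
    """The article's payload with the SYSTEM identifier parameterised (hypothetical helper)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE filter [<!ENTITY brn SYSTEM "{secret_url}">]>\n'
        "<filter>\n"
        "    <semester>3</semester>\n"
        "    <branch>&brn;</branch>\n"
        "</filter>\n"
    ).encode("utf-8")


def demo():
    """Run the payload against both parser configurations.

    Returns the value the application would store as "branch" in each case.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(PASSWD_SAMPLE)
        secret_path = fh.name
    try:
        payload = build_payload("file://" + secret_path)
        return {
            "vulnerable": parse_filter(payload, resolve_external_entities=True)["branch"],
            "fixed": parse_filter(payload, resolve_external_entities=False)["branch"],
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, branch in demo().items():
        print(f"{mode}: branch={branch!r}")
```

Run it directly to see the two outcomes: the "vulnerable" run returns the temporary file's contents in the branch field, while the "fixed" run returns an empty string because expat skips an external entity when no resolver is installed. The has_doctype pre-check is a coarse second layer that lets the server reject and log any request carrying a DTD at all, which this endpoint never legitimately needs; it does not replace the parser setting.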