XML External Entity (XXE) is an attack in which an application processes user-supplied XML without disabling references to external resources. It stems from a weakly configured XML parser that honours the document type declaration (DTD): the XML parser in an application typically supports external references by default, even though the application rarely or never uses them.
External entities can reference files on the application's file system, leading to sensitive information disclosure, arbitrary file access, denial of service and so on. In particular, an attacker can read a local file containing usernames, passwords or relative paths simply by naming it in the entity's system identifier.
For the demo, the Mutillidae application is used to execute the XXE attacks; it contains an XML validator function (figure 1) whose XML parser is not hardened against user-entered input.
Figure 1 XML Validator
Payloads must be designed with the application environment and the web server in mind. First, a simple XML document is validated, as shown in the figure below.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<note>
<to>Tove</to><from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
</note>
Figure 2 XML Validation in the Application
The document is then extended to check whether the parser resolves DTD entity references supplied by the user, by trying to read the application's robots.txt file, as shown in figure 3.
<?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM "robots.txt"> ]> <change-log> <text>&systemEntity;</text> </change-log>
Figure 3 Accessing robots.txt
From the above it is clear that the application resolves DTD entity references, so the payload is modified to point at local files as shown below:
<?xml version="1.0"?><!DOCTYPE change-log [<!ENTITY systemEntity SYSTEM "file:///etc/passwd">]><change-log><text>&systemEntity;</text></change-log>
In the above payload the entity references the local file /etc/passwd, and the response contains the details of every user listed in that file, as shown in the figure below.
Figure 4 User input fetching etc/passwd file details
Payloads are designed according to the type of attack or the information to be fetched from the server; below, the same misconfiguration is used to execute a cross-site scripting attack and obtain cookie details.
Figure 5 XXE to Cross-Site Scripting
To mitigate XXE attacks in the application, follow the practices below:
- Disable external entity (DTD) processing in the parser for XML documents from untrusted sources
- Disable the DOCTYPE tag, or use input validation to reject user-supplied data containing that keyword.
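The following is an added example, not code from Mutillidae or the original post, showing both mitigations applied in a validator built on Python's standard-library expat parser; the function names are my own and the two input documents are constructed copies of the demo documents above.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Untrusted XML tried to use a DTD or an external entity."""


def parse_untrusted_xml(xml_text, allow_doctype=False):
    """Parse user-supplied XML and return {tag: text} for its leaf elements.
    Any <!DOCTYPE> is rejected unless allow_doctype (second mitigation above),
    and SYSTEM entities are never dereferenced (first mitigation)."""
    parser = expat.ParserCreate()
    leaves, buffers = {}, []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE not allowed in untrusted input: " + name)

    def refuse_external_entity(context, base, system_id, public_id):
        # Never fetch the SYSTEM identifier; surface it for logging instead.
        raise UnsafeXMLError("blocked external entity: %s" % system_id)

    def end_element(tag):
        text = "".join(buffers.pop()).strip()
        if text:
            leaves[tag] = text

    if not allow_doctype:
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = refuse_external_entity
    parser.StartElementHandler = lambda tag, attrs: buffers.append([])
    parser.CharacterDataHandler = lambda data: buffers[-1].append(data)
    parser.EndElementHandler = end_element
    parser.Parse(xml_text, True)
    return leaves


def validate(xml_text, allow_doctype=False):
    """Validator endpoint result: ('ok', leaves) or ('rejected', reason)."""
    try:
        return "ok", parse_untrusted_xml(xml_text, allow_doctype)
    except (UnsafeXMLError, expat.ExpatError) as exc:
        return "rejected", str(exc)


# Constructed inputs mirroring the demo documents in the text.
BENIGN = ('<?xml version="1.0" encoding="UTF-8"?><note><to>Tove</to><from>Jani</from>'
          '<heading>Reminder</heading><body>Don\'t forget me this weekend!</body></note>')
XXE = ('<?xml version="1.0"?><!DOCTYPE change-log [<!ENTITY systemEntity SYSTEM '
       '"file:///etc/passwd">]><change-log><text>&systemEntity;</text></change-log>')
```

With the default settings the DOCTYPE is refused before any entity is declared; with allow_doctype=True the second layer still blocks the file read, and the rejected system identifier is what you would log for detection.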
Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
About Author:
Prakash Dhatti is an Information Security enthusiast working as an Information Security Consultant at ISECURION, with an interest in application and network security.