XXE, or XML External Entity injection, is an attack against an application that accepts XML input and lets an attacker interfere with how that XML is processed. A successful attack lets the attacker read files on the server, and it can be extended to path traversal, port scanning, denial of service, or reaching internal hosts that only the application can talk to (server-side request forgery, SSRF). It is ranked fourth in the OWASP Top 10 (2017).

How does this vulnerability arise?

When a weakly configured XML parser processes a DTD (Document Type Definition), whether an internal subset or an external one, the application is very likely vulnerable. External entities are the interesting part: an entity declared with SYSTEM takes its value from a file path or URL, and the parser fetches that resource when the entity is referenced.

External entity example (declared in the document's internal DTD subset):

POST /home/ HTTP/1.1
Host: www.idontknow.com

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>
 &xxe;
</foo>

Let's dig into some basic information:

What is XML?

XML (Extensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. Like HTML, it uses tags to mark up content, and a well-written document is largely self-describing.

What is DTD?

DTD stands for Document Type Definition. Its purpose is to define the structure and the legal elements and attributes of an XML document. A DTD starts with the <!DOCTYPE delimiter. There are two kinds of DTD declaration:

  • Internal DTD declaration: the declarations are written inside the XML document itself, in the internal subset between the square brackets.
<!DOCTYPE test 
[ <!ENTITY xxe "Vulnerability"> 
]>
  • External DTD declaration: the declarations live outside the XML document and are pulled in through a SYSTEM identifier, which may be a path to a .dtd file or a URL.
<!DOCTYPE test SYSTEM "any_dtd_file.dtd">
The same SYSTEM keyword makes an individual entity external, as in the payload above: the declaration can sit in the internal subset while the entity's value is fetched from the file or URL it names.
<!DOCTYPE test 
[ <!ENTITY xxe SYSTEM "any_dtd_file.dtd">
]>

Note: The XML specification does allow internal and external entities in the same document, but it forbids referencing a parameter entity inside a markup declaration in the internal subset. Payloads that build one entity out of another (the blind, out-of-band variants) therefore have to place those declarations in an external DTD.
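The payload from the beginning of the post and the two kinds of entity declaration above, run through a real parser. This is an added example, not code from the original post: it uses Python's standard-library expat binding so the mechanism is visible rather than hidden behind a library flag. The first parser does what a weakly configured one does, fetching whatever the SYSTEM identifier points at and splicing it into the document's text; the second refuses any entity that carries a SYSTEM or PUBLIC identifier. The "secret" file and its contents, the helper names (_fetch_file_uri, parse_resolving, parse_hardened, demo) and the use of a temporary file standing in for /etc/passwd are all constructed for this example.

```python
"""XXE in a nutshell: the same payload against a parser that resolves SYSTEM
entities and one that refuses them.  Standard library only, so it runs
offline; the "secret" file is a temporary file this example creates itself
(an assumption standing in for /etc/passwd).
"""
import os
import tempfile
import xml.parsers.expat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname

# Constructed: the post's payload with the SYSTEM URI filled in at runtime.
PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "{uri}"> ]>
<foo>
 &xxe;
</foo>
"""


def _fetch_file_uri(system_id: str) -> str:
    """What a resolving parser does with a SYSTEM identifier: go and get it."""
    parsed = urlparse(system_id)
    if parsed.scheme != "file":  # the demo stays offline; a real resolver fetches http(s) too
        raise ValueError(f"unsupported scheme in {system_id!r}")
    with open(url2pathname(parsed.path), encoding="utf-8") as fh:
        return fh.read()


def parse_resolving(xml_text: str) -> str:
    """Vulnerable: external entity references are resolved and inlined."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_external_entity(context, base, system_id, public_id):
        # expat asks the application for the entity's content.  A resolving
        # parser fetches the URI and parses it as entity text, so the file's
        # bytes land in the document's character data (the XXE bug).
        child = parser.ExternalEntityParserCreate(context)  # inherits our handlers
        child.Parse(_fetch_file_uri(system_id), True)
        return 1  # 1 = continue parsing

    parser.CharacterDataHandler = chunks.append
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_text, True)
    return "".join(chunks).strip()


def parse_hardened(xml_text: str) -> str:
    """Hardened: any entity declared with a SYSTEM or PUBLIC identifier aborts the parse."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Internal entities (a literal value, no identifiers) are still allowed.
        if system_id is not None or public_id is not None:
            raise ValueError(f"external entity {name!r} -> {system_id!r} refused")

    parser.CharacterDataHandler = chunks.append
    parser.EntityDeclHandler = on_entity_decl
    # Belt and braces: even if a declaration slipped through, never fetch anything.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(xml_text, True)
    return "".join(chunks).strip()


def demo() -> dict:
    """Run both parsers against the payload and report what each produced."""
    secret = "root:x:0:0:root:/root:/bin/bash"  # constructed stand-in for /etc/passwd
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(secret)
    try:
        payload = PAYLOAD.format(uri=Path(path).as_uri())
        leaked = parse_resolving(payload)
        try:
            parse_hardened(payload)
            refused = None
        except ValueError as exc:
            refused = str(exc)
    finally:
        os.unlink(path)
    return {"secret": secret, "leaked": leaked, "refused": refused}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the temporary file's contents under "leaked" and the refusal message under "refused". Two caveats for real code: the hardened parser still expands internal entities, so an entity-expansion denial of service (the "billion laughs" pattern) needs a separate size or depth limit or, better, a parser with DTD processing switched off entirely (defusedxml, or lxml with resolve_entities=False); and the rejection happens at declaration time, which is the right place, because by the time the reference is reached a permissive resolver has already done the fetch.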


XXE: Web App Security Basics