XXE, aka XML External Entity, is an attack against an application that accepts XML input, in which an attacker interferes with the application's XML processing. On a successful attack, the attacker can read files on the server and mount other attacks such as path traversal, port scanning, denial of service, or even reach internal machines that the application has access to (an SSRF attack). It is ranked 4th in the OWASP Top 10 (2017).
How does this vulnerability arise?
When an application's weakly configured XML parser processes a DTD (Document Type Definition), whether internal or external, there is a high chance that this vulnerability exists in the application. External declarations are the more interesting case, because they allow an entity's value to be a file path or a URL.
External DTD example (an entity whose value is a file path):
POST /home/ HTTP/1.1
Host: www.idontknow.com

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>
&xxe;
</foo>
Let's dig into some basic information:
What is XML?
XML (Extensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. Like HTML, it is a markup language, and it is largely self-descriptive.
What is DTD?
DTD stands for Document Type Definition. The purpose of a DTD is to define the structure and the legal elements and attributes of an XML document. A DTD starts with the <!DOCTYPE delimiter. There are two types of DTD declaration:
Internal DTD (the entity is defined inline):
<!DOCTYPE test
[ <!ENTITY xxe "Vulnerability">
]>
External DTD (the entity points to an external resource):
<!DOCTYPE test
[ <!ENTITY xxe SYSTEM "any_dtd_file.dtd">
]>
Note: The XML specification does not allow you to include external entities in combination with internal entities.
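The fix on the application side is to configure the parser so that it never processes a DTD at all, which closes off both the internal and the external declaration forms shown above. The following is an added example, not code from the original post: it uses Python's standard-library expat bindings to reject any DOCTYPE, entity declaration or external entity reference before the parser can resolve it, and runs that check over constructed copies of the payloads from this post plus a benign document. The function and sample names are my own.

```python
import xml.parsers.expat

# Constructed sample inputs (not captured traffic): a benign document and
# the two DTD forms discussed in the post, one with an internal entity and
# one with an external entity that points at a local file.
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?>\n<foo>hello</foo>'

INTERNAL_ENTITY = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                   b'<!DOCTYPE test [ <!ENTITY xxe "Vulnerability"> ]>\n'
                   b'<foo>&xxe;</foo>')

EXTERNAL_ENTITY = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                   b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
                   b'<foo>\n&xxe;\n</foo>')


class UnsafeXML(Exception):
    """Raised when the document tries to use a DTD or an entity."""


def parse_without_dtd(data):
    """Parse XML text content while refusing every DTD-related construct.

    Each handler raises before expat has a chance to resolve anything, so
    neither a local file path nor a URL is ever opened.  The exception
    propagates out of parser.Parse() to the caller.
    """
    parser = xml.parsers.expat.ParserCreate()
    text = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def on_entity_decl(*args):
        raise UnsafeXML("entity declarations are not accepted")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML("external entity references are not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return "".join(text).strip()


def is_safe(data):
    """True when the document parses without touching a DTD, False otherwise."""
    try:
        parse_without_dtd(data)
        return True
    except UnsafeXML:
        return False


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN),
                       ("internal entity", INTERNAL_ENTITY),
                       ("external entity", EXTERNAL_ENTITY)):
        print(f"{label:16s} -> {'accepted' if is_safe(doc) else 'rejected'}")
```

Rejecting the DOCTYPE outright is simpler and safer than trying to distinguish harmless internal entities from dangerous external ones; if the application genuinely needs a DTD, the same handlers can be narrowed to refuse only `SYSTEM`/`PUBLIC` identifiers, but that is a larger attack surface to reason about.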
#security #web-app-security #information-security #owasp #infosec