XXE: Web App Security Basics

XXE, short for XML External Entity injection, is an attack against an application that accepts XML input and lets the attacker interfere with how that XML is processed. A successful attack can read files from the server's file system, and because the parser fetches whatever resource an entity points at, it can also be turned into SSRF against internal hosts the application can reach, into port scanning of those hosts, or into denial of service (for example the "billion laughs" entity-expansion attack). It is ranked A4 in the OWASP Top 10 (2017).

How does this vulnerability arise?

The vulnerability arises when the application's XML parser is configured to process a DTD (Document Type Definition), whether it is declared inline in the document or fetched from an external location, and to resolve the entities that DTD declares. External entities are the interesting case: an entity declared with the SYSTEM keyword takes its value from a file path or a URL, and a weakly configured parser will fetch that resource and substitute its contents wherever the entity is referenced.

Example: an external entity pointing at a local file

POST /home/ HTTP/1.1
Host: www.idontknow.com

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>
 &xxe;
</foo>

If the parser resolves external entities, the contents of /etc/passwd replace &xxe; inside <foo>; if the application then echoes that element back in its response, the file is disclosed to the attacker.
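The following is an added example, not code from the original post, showing the misconfiguration described above and its fix side by side using only Python's standard library. The "weak" parser is xml.sax with the feature_external_ges flag switched on, which makes it fetch SYSTEM entities (this flag has been off by default since Python 3.7.1, but older code bases turned it on). The hardened parser uses xml.parsers.expat with a handler that rejects any DOCTYPE and never registers an external-entity handler. The secret file written to a temporary directory is constructed for the demo and stands in for /etc/passwd; the payload is the one from the request above with that file's URL substituted.

```python
import io
import tempfile
import xml.parsers.expat
import xml.sax
import xml.sax.handler
from pathlib import Path


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects every run of character data the parser hands back."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def build_payload(file_url: str) -> bytes:
    """The XXE request body from the post, with the target file URL parameterised."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "{file_url}"> ]>\n'
        "<foo>\n &xxe;\n</foo>\n"
    ).encode("utf-8")


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Weakly configured parser: external general entities are fetched and expanded."""
    parser = xml.sax.make_parser()
    handler = _TextCollector()
    parser.setContentHandler(handler)
    # This single flag is the misconfiguration: the parser now resolves SYSTEM
    # entities, so file:// and http:// URLs are fetched and inlined.
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks).strip()


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened parser: refuses any DOCTYPE and never resolves external entities."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # The application never needs a DTD, so any DOCTYPE is treated as hostile.
        raise ValueError("DOCTYPE/DTD not allowed in this input")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.CharacterDataHandler = chunks.append
    # No ExternalEntityRefHandler is registered, so expat would leave external
    # entities empty even if the DOCTYPE check above were removed.
    parser.Parse(xml_bytes, True)
    return "".join(chunks).strip()


def demo() -> dict:
    """Run the payload through both parsers and report what each one did."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"
        # Constructed sample data standing in for /etc/passwd.
        secret.write_text("db_password=hunter2\n")
        payload = build_payload(secret.as_uri())

        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    result = demo()
    print("vulnerable parser returned:", repr(result["leaked"]))
    print("hardened parser rejected the document:", result["blocked"])
```

The vulnerable parser returns the file's contents as the text of <foo>; the hardened parser raises before the entity declaration is even reached, while still parsing ordinary DTD-free documents normally. Note that the leaked file is only reflected if its bytes form well-formed entity content (a file containing a bare `<` or `&` would instead produce a parse error), which is why real attacks on such files fall back to wrapping them in CDATA or exfiltrating them out of band.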

Let's dig into some basic information:

What is XML?

XML (Extensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. Like HTML, it is a tag-based markup language, but the tags carry no fixed meaning of their own; the document is largely self-descriptive.

What is DTD?

DTD stands for Document Type Definition. The purpose of a DTD is to define the structure of an XML document and the elements, attributes and entities it may legally contain. A DTD starts with the <!DOCTYPE delimiter. There are two types of DTD declaration:

  • Internal DTD declaration: the declarations are written inside the XML document itself, between the square brackets of the DOCTYPE. Here the entity xxe simply expands to a literal string.
<!DOCTYPE test 
[ <!ENTITY xxe "Vulnerability"> 
]>
  • External DTD declaration: the declarations live outside the XML document and are pulled in with the SYSTEM keyword, which may point at a .dtd file or at a URL.
<!DOCTYPE test SYSTEM "any_dtd_file.dtd">
  An entity can be declared the same way inside the internal subset, with its value fetched from a file or URL rather than written inline. This is the external entity that gives XXE its name:
<!DOCTYPE test 
[ <!ENTITY xxe SYSTEM "any_dtd_file.dtd">
]>

Note: The XML specification does not allow a parameter entity reference to appear inside a markup declaration in the internal DTD subset (the part between the square brackets). In practice this means an entity whose value is built from another, file-reading entity cannot be declared inline; attackers work around the restriction by hosting that part of the DTD externally and pulling it in with SYSTEM.

security web-app-security information-security owasp infosec
