XXE
CWE-611: Improper Restriction of XML External Entity Reference
There are various types of XXE attacks:
| XXE Attack Type | Description |
|---|---|
| Exploiting XXE to retrieve files | An external entity is defined containing the contents of a file, and that content is returned in the application's response. |
| Exploiting XXE to perform SSRF attacks | An external entity is defined based on a URL to a back-end system. |
| Exploiting blind XXE to exfiltrate data out-of-band | Sensitive data is transmitted from the application server to a system that the attacker controls. |
| Exploiting blind XXE to retrieve data via error messages | The attacker can trigger a parsing error message containing sensitive data. |
Methodology (whitechaitai)
Convert the content type from "application/json" / "application/x-www-form-urlencoded" to "application/xml".
File uploads allow docx/xlsx/pdf/zip: unzip the package and add your evil XML code into the XML files.
If SVG is allowed in picture upload, you can inject XML in SVGs.
If the web app offers RSS feeds, add your malicious code into the RSS.
Fuzz for a /soap API; some applications are still running SOAP APIs.
If the target web app allows SSO integration, you can inject your malicious XML code into the SAML request/response.
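Every variant in the table above (file retrieval, SSRF, out-of-band and error-based exfiltration) and every delivery channel in the methodology (content-type switch, docx/svg upload, RSS, SOAP, SAML) depends on the same server-side behaviour: the parser accepts a DOCTYPE and resolves an external entity. The following added example, written for these notes and not taken from the original page or any project it mentions, shows the defender's counterpart on Python's standard-library expat bindings: a parser that refuses DTDs and external entity references before anything is expanded, plus a screening function run over constructed sample request bodies (the sample bodies, the placeholder DTD name and the function names are assumptions of this example).

```python
"""Added example (not from the original notes): a DTD-free XML parser built on
Python's stdlib expat bindings. Refusing DOCTYPE and external entity references
at the parser level closes the whole XXE class regardless of how the XML arrived.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML uses a construct we never want to process."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into {element_name: text}, refusing DTDs and external entities.

    The handlers raise as soon as expat sees a DOCTYPE or an external entity
    reference, so no entity is ever expanded and no file or URL is ever fetched;
    entity-expansion (billion laughs) payloads are cut off by the same check.
    """
    parser = expat.ParserCreate()
    # Never process parameter entities (the OOB and error-based variants rely on them).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted XML")

    def reject_external_entity(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity {sysid!r} refused")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    result: dict = {}
    stack: list = []

    def start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(text):
        if stack:
            result[stack[-1]] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return {k: v.strip() for k, v in result.items()}


# Constructed sample request bodies (not real traffic): one benign, two carrying
# a DTD. The entity in the second is purely internal and the third names a
# placeholder DTD; both are rejected before their content matters.
SAMPLE_BODIES = {
    "benign": b"<order><id>42</id><note>thanks</note></order>",
    "internal-entity": b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>',
    "external-dtd": b'<!DOCTYPE d SYSTEM "placeholder.dtd"><d>hi</d>',
}


def screen_bodies(bodies=SAMPLE_BODIES) -> dict:
    """Return a {label: verdict} map; a log pipeline would alert on 'rejected' hits."""
    verdicts = {}
    for label, body in bodies.items():
        try:
            parse_untrusted_xml(body)
            verdicts[label] = "accepted"
        except UnsafeXMLError as exc:
            verdicts[label] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for label, verdict in screen_bodies().items():
        print(f"{label:16} {verdict}")
```

The point of rejecting at `StartDoctypeDeclHandler` rather than after parsing is that the handler fires before the internal subset or any entity is read, so there is nothing to expand and nothing to log except the rejection itself. If the application uses lxml instead of the standard library, the equivalent setting is `etree.XMLParser(resolve_entities=False, no_network=True)`, and the `defusedxml` package wraps the stdlib parsers with the same DOCTYPE refusal.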
Test Payload
Using a private External Entity
Using a public External Entity
CDATA
Top XXE reports from HackerOne:
XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx to Starbucks - 308 upvotes, $4000
XXE on pulse.mail.ru to Mail.ru - 263 upvotes, $6000
XXE on sms-be-vip.twitter.com in SXMP Processor to Twitter - 250 upvotes, $10080
XXE on https://duckduckgo.com to DuckDuckGo - 209 upvotes, $0
Phone Call to XXE via Interactive Voice Response to [redacted] - 170 upvotes, $0
Partial bypass of #483774 with Blind XXE on https://duckduckgo.com to DuckDuckGo - 151 upvotes, $0
Multiple endpoints are vulnerable to XML External Entity injection (XXE) to Pornhub - 136 upvotes, $2500
XXE through injection of a payload in the XMP metadata of a JPEG file to Informatica - 128 upvotes, $0
XXE Injection through SVG image upload leads to SSRF to Zivver - 111 upvotes, $0
XXE in Site Audit function exposing file and directory contents to Semrush - 99 upvotes, $2000
[RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com to Pornhub - 89 upvotes, $10000
XXE in DoD website that may lead to RCE to U.S. Dept Of Defense - 89 upvotes, $0
Blind XXE via Powerpoint files to Open-Xchange - 86 upvotes, $2000
blind XXE in autodiscover parser to Mail.ru - 70 upvotes, $5000
LFI and SSRF via XXE in emblem editor to Rockstar Games - 68 upvotes, $1500
Blind OOB XXE At "http://ubermovement.com/" to Uber - 55 upvotes, $500
XXE on webdav.mail.ru - PROPFIND/PROPPATCH to Mail.ru - 54 upvotes, $10000
XXE on [redacted] by bypassing WAF [redacted] to QIWI - 53 upvotes, $5000
[rev-app.informatica.com] - XXE to Informatica - 44 upvotes, $0
RCE via Local File Read -> php unserialization-> XXE -> unpickling to h1-5411-CTF - 43 upvotes, $0
XML External Entity (XXE) in qiwi.com + waf bypass to QIWI - 39 upvotes, $3137
Authenticated XXE to WordPress - 39 upvotes, $600
XML Parser Bug: XXE over which leads to RCE to drchrono - 32 upvotes, $700
XXE on DoD web server to U.S. Dept Of Defense - 31 upvotes, $0
Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11 to Starbucks - 28 upvotes, $500
[app.informaticaondemand.com] XXE to Informatica - 24 upvotes, $0
Blind XXE on my.mail.ru to Mail.ru - 23 upvotes, $800
Non-production Open Database In Combination With XXE Leads To SSRF to Evernote - 23 upvotes, $0
XXE in upload file feature to Informatica - 21 upvotes, $0