XXE injection is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data.
Let’s learn the different ways we can do this in our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What have I learnt today?
- Stats
- Resources
Introduction to XXE attacks
An XML External Entity (XXE) attack is a vulnerability that abuses the external entity feature of XML parsers. It allows an attacker to interact with the backend or with external systems that the application itself can reach, which can let the attacker read files on that system. Yes, /etc/passwd included.
We can also cause Denial of Service (DoS) or Server-Side Request Forgery (SSRF), inducing the web application to make requests to other applications, which can even enable port scanning or remote code execution.
What have I learnt today?
eXtensible Markup Language
What is XML?
XML (or eXtensible Markup Language) is a markup language that defines a set of rules for encoding documents, used for storing and transporting data.
Why use XML?
- XML is platform and programming language agnostic.
- The data stored and transported can be changed at any point.
- XML allows validation using DTD and schema.
- XML simplifies data sharing between various systems.
Syntax
Every XML document starts with the XML Prolog:
<?xml version="1.0" encoding="UTF-8"?>
This specifies the XML version and the encoding used. This line is not compulsory, but it is “good practice”.
Also, every XML document MUST contain a ROOT element:
<?xml version="1.0" encoding="UTF-8"?>
<mail>
  <to>falcon</to>
  <from>feast</from>
  <subject>About XXE</subject>
  <text>Teach about XXE</text>
</mail>
Here, the mail component is the ROOT element and has 4 children elements. Any document without a ROOT element is invalid.
Remember too that XML is a case-sensitive language.
We can also add attributes, in a similar fashion to HTML:
<text category = "message">You need to learn about XXE</text>
DTD
DTD stands for Document Type Definition. A DTD defines the structure, elements and attributes of an XML document. For example, for the note.dtd file we have:
<!DOCTYPE note [
  <!ELEMENT note (to,from,heading,body)>
  <!ELEMENT to (#PCDATA)>
  <!ELEMENT from (#PCDATA)>
  <!ELEMENT heading (#PCDATA)>
  <!ELEMENT body (#PCDATA)>
]>
We can use this DTD to validate the information of an XML document. Here is an XML document that uses note.dtd:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note SYSTEM "note.dtd">
<note>
  <to>falcon</to>
  <from>feast</from>
  <heading>hacking</heading>
  <body>XXE attack</body>
</note>
- !DOCTYPE note: Defines the root element of the document, named note.
- !ELEMENT note: Defines that the note element must contain the elements to, from, heading and body.
- !ELEMENT to, from, heading, body: Defines those elements as being of type #PCDATA, which means parseable character data.
XXE payload
Let’s see some XXE payloads and how they work.
1) This first payload is pretty simple:
<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
  <firstName>falcon</firstName>
  <lastName>&name;</lastName>
</userInfo>
Here, we define an ENTITY called name with the assigned value feast. The userInfo element has the firstName and lastName ELEMENTS with some #PCDATA values; when the document is parsed, the reference &name; is replaced with feast.
2) We can use XXE to read a file from the system:
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
Here, we define an ENTITY with the name read, but we set its value to SYSTEM followed by the path of the file we want read.
If we use this payload against a website vulnerable to XXE, it displays the content of the /etc/passwd file.
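A defender's view of the two payloads above, as an added example that is not from the original post: a detection helper that reports the entities a document declares without ever dereferencing them, a hardened parse that refuses any DOCTYPE, and the permissive baseline that silently expands &name; into feast. It uses only Python's standard-library expat bindings; the sample documents are constructed from the payloads shown above.

```python
# Added example (not from the original post): spotting and refusing XXE-style
# DTDs with Python's standard-library expat bindings.
import xml.parsers.expat as expat

# Constructed inputs: the post's two payloads plus a harmless document.
PAYLOAD_INTERNAL = (b'<!DOCTYPE replace [<!ENTITY name "feast"> ]>'
                    b'<userInfo><firstName>falcon</firstName>'
                    b'<lastName>&name;</lastName></userInfo>')
PAYLOAD_EXTERNAL = (b'<?xml version="1.0"?>'
                    b"<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>"
                    b'<root>&read;</root>')
PLAIN = b'<mail><to>falcon</to><from>feast</from></mail>'

class DtdRejected(ValueError):
    """Untrusted XML carried a DOCTYPE; the document is refused unparsed."""

def inspect_entities(data):
    """Detection: list every ENTITY declared in the DTD as
    (name, 'internal' | 'external', value_or_system_id). Nothing is fetched:
    the no-op external handler returns 1 so expat continues without I/O."""
    found = []
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "internal" if system_id is None else "external"
        found.append((name, kind, value if system_id is None else system_id))
    p = expat.ParserCreate()
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 1
    p.Parse(data, True)
    return found

def parse_untrusted(data):
    """Hardened parse: any DOCTYPE aborts before an entity can be declared,
    so neither payload expands. Returns the document's concatenated text."""
    text = []
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' is not allowed in untrusted input")
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.CharacterDataHandler = text.append
    p.Parse(data, True)
    return "".join(text)

def parse_permissive(data):
    """Baseline without the DOCTYPE check: internal entities expand silently,
    which is how &name; becomes 'feast' in the post's first payload."""
    text = []
    p = expat.ParserCreate()
    p.CharacterDataHandler = text.append
    p.Parse(data, True)
    return "".join(text)
```

Logging the output of inspect_entities for every document that arrives with a DOCTYPE gives a cheap detection signal, while parse_untrusted is the setting an application should actually run with.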
Exploiting
We saw some payloads, now let’s see them in action.
1) Let’s see how the website would look if we use the payload for displaying the name:
On the left, we can see the Burp request sent with the URL-encoded payload, and on the right, we see that the payload was able to display the name falcon feast.
2) Let’s try to read the /etc/passwd file:
Seems like reading the files of a system could be useful, right? 🙂
Summary
Things we learned today:
- What an XXE vulnerability is.
- What XML is.
- How we can use DTD to validate the structure of XML files.
- Viewed some XXE payloads.
- Applied said XXE payloads to websites vulnerable to XXE attacks.
Stats
From 67.173th to 67.206th.
Here is also the Skill Matrix: