What Is XML External Entity (XXE)?
SSRF attacks come in many varieties. We take a look at the XXE and explore how it's used to wreak havoc and how you can recognize it.
XML External Entity (XXE) refers to a specific type of Server-Side Request Forgery (SSRF) attack, whereby an attacker is able to cause Denial of Service (DoS) and to access local or remote files and services by abusing a widely available but rarely used feature of XML parsers.
XML is a widely used data format: web services (XML-RPC, SOAP, REST, etc.), document formats (XML, HTML, DOCX) and image files (SVG, EXIF data, etc.) all use XML. Naturally, where there is XML, there is an XML parser – hold onto that thought, we’ll be coming back to it shortly.
The following is an example of a simple web application that accepts XML input, parses it, and outputs the result.
[Request/Response example table: contents not preserved]
XML, however, can do much more than simply declare elements, attributes, and text. XML documents can specify a set of markup declarations that define a document type, in order for an XML parser to validate the XML document for correctness before it gets processed. There are two ways of doing this – either through an XML Schema Definition (XSD), or a Data Type Definition (DTD).
Data Type Definitions (DTDs) are what we shall be focusing on, since that’s where XML External Entity vulnerabilities occur. DTDs can, for the most part, be considered legacy; in fact, they are derived from SGML (XML’s ancestor).
The following is an example of a Data Type Definition (DTD) called foo with an entity called bar, which is now an alias of the word “World.” Therefore, any time &bar; is used, the XML parser will replace that entity with the word “World.”
[Request/Response example table: contents not preserved]
While this initially seems harmless, XML entities can be used by an attacker to cause a Denial of Service attack by embedding entities within entities within entities. This attack is commonly referred to as the “Billion Laughs Attack.” Some XML parsers automatically limit the amount of memory they can use.
[Request/Response example table: contents not preserved]
XML entities, however, can be used for much more than Denial of Service since XML entities do not necessarily have to be defined in the XML document. In fact, XML entities can come from just about anywhere – including external sources, hence the name XML External Entity (XXE). This is where XXE becomes a type of Server-Side Request Forgery (SSRF) attack.
An attacker can make the following request, and if the XML parser is configured to process external entities (by default, many popular XML parsers are configured to do so), it will return the contents of a file on the system.
[Request/Response example table: contents not preserved]
Of course, an attacker is not limited to system files. An attacker can easily steal source code if they know the location and structure of the web application. It’s also worth mentioning that, with some XML parsers, it’s even possible to get directory listings in addition to the contents of a file.
XML External Entity can be taken even further: an external entity’s URL can point at an HTTP service on the local network, so the parser makes an ordinary HTTP request to a host that is accessible only from behind the firewall.
[Request/Response example table: contents not preserved]
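The entity alias, the Billion Laughs expansion, the external entity pointing at a file and the external entity pointing at an internal HTTP service described above are all declared in the DTD before the parser ever touches the document body. The following added example (not code from the article or its author) shows the defender's side of that: it uses Python's standard-library expat parser to audit every DTD declaration as it is seen, rejecting external DTDs, external entities (`SYSTEM`/`PUBLIC`, whether `file://` or `http://`) and internal entities whose fully expanded size exceeds a budget, while still letting the harmless `&bar;` alias through. All sample documents, the `/example/secret.txt` path and the `internal.example` host are constructed for the demonstration.

```python
"""Audit the DTD of untrusted XML before trusting its content (stdlib only).

Added example: the classic XXE payloads (file read, SSRF, Billion Laughs)
are all visible as DTD declarations, so they can be refused at declaration
time, before the parser expands or fetches anything.
"""
import re
import xml.parsers.expat

# Matches general entity references such as &bar; inside an entity value.
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.\-:]*);")


class UnsafeXML(Exception):
    """Raised when the document declares something an untrusted feed must not."""


def audit_and_parse(data: bytes, max_expansion: int = 10_000) -> dict:
    """Parse `data` with expat, refusing DTD features that enable XXE or DoS.

    Returns {"root": root tag, "text": concatenated character data,
             "entities": {entity name: fully expanded size in characters}}.
    Raises UnsafeXML on an external DTD, an external entity, or an internal
    entity whose fully expanded size exceeds `max_expansion`.
    """
    parser = xml.parsers.expat.ParserCreate()
    sizes: dict[str, int] = {}
    out = {"root": None, "text": [], "entities": sizes}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # A SYSTEM/PUBLIC id on the DOCTYPE asks a resolving parser to fetch
        # a remote DTD; an untrusted feed has no business doing that.
        if sysid or pubid:
            raise UnsafeXML(f"external DTD for <!DOCTYPE {name}>: {sysid or pubid}")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if value is None:
            # No literal value means SYSTEM/PUBLIC: the XXE vector, whether the
            # target is file:///..., http://internal-host/... or anything else.
            raise UnsafeXML(f"external entity &{name}; -> {sysid or pubid}")
        # Compute the fully expanded length without materialising it: literal
        # characters count once, each nested reference counts the size already
        # recorded for that entity (unknown/predefined refs count their literal
        # length, a harmless overestimate).
        size, pos = 0, 0
        for m in ENTITY_REF.finditer(value):
            size += m.start() - pos
            size += sizes.get(m.group(1), len(m.group(0)))
            pos = m.end()
        size += len(value) - pos
        if size > max_expansion:
            raise UnsafeXML(f"entity &{name}; expands to {size} chars")
        sizes[name] = size

    def start_element(name, attrs):
        if out["root"] is None:
            out["root"] = name

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = out["text"].append  # arrives in chunks
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    out["text"] = "".join(out["text"])
    return out


def check(data: bytes) -> tuple:
    """Convenience wrapper: (True, parsed dict) or (False, rejection reason)."""
    try:
        return True, audit_and_parse(data)
    except UnsafeXML as exc:
        return False, str(exc)


def billion_laughs(depth: int = 9, fanout: int = 10) -> bytes:
    """Build a constructed Billion Laughs document: lol, lol1 = 10x lol, ..."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        ref = "&lol;" if i == 1 else f"&lol{i - 1};"
        decls.append(f'<!ENTITY lol{i} "{ref * fanout}">')
    body = "<!DOCTYPE lolz [" + "".join(decls) + f"]><lolz>&lol{depth};</lolz>"
    return body.encode()


# Constructed sample documents mirroring the article's four scenarios.
ALIAS = b'<!DOCTYPE foo [<!ENTITY bar "World">]><foo>Hello &bar;</foo>'
FILE_XXE = b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///example/secret.txt">]><foo>&xxe;</foo>'
SSRF_XXE = b'<!DOCTYPE foo [<!ENTITY svc SYSTEM "http://internal.example/status">]><foo>&svc;</foo>'
EXT_DTD = b'<!DOCTYPE foo SYSTEM "http://dtd.example/foo.dtd"><foo/>'

if __name__ == "__main__":
    for label, doc in [("alias", ALIAS), ("billion laughs", billion_laughs()),
                       ("file xxe", FILE_XXE), ("ssrf xxe", SSRF_XXE),
                       ("external dtd", EXT_DTD)]:
        print(f"{label:14s} -> {check(doc)}")
```

The budget check fires while the declarations are still being read (with the defaults, at `lol4`, which already expands to 30,000 characters), so no expansion work is done and the result does not depend on whichever amplification limits the underlying expat build may or may not enforce. For a feed that never legitimately needs a DTD, the simplest policy is stricter still: raise in `start_doctype` unconditionally.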
Published at DZone with permission of Ian Muscat, DZone MVB. See the original article here.