About
XXE injection attacks exploit support for XML external entities and are practiced upon web applications that process XML inputs.
Last updated
XXE injection attacks exploit support for XML external entities and are practiced upon web applications that process XML inputs.
Last updated
XML external entity injection (also known as XXE) is a type of web security vulnerability that allows an attacker to interfere with the way an application processes XML data. According to OWASP, “an XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.”
An attacker can upload (or edit) XML documents with specially crafted DOCTYPE to an XML parser with a weak security configuration to perform path traversal, port scanning, and numerous attacks, including denial of service, server-side request forgery (SSRF), or even remote code execution. Attackers can also manipulate vulnerable code and exploit third-party dependencies or integrations.
Suppose the system identifier contains tainted data, and the XML processor dereferences this tainted data. In that case, the XML processor may disclose local files on the application server file system, which may provide confidential data normally not accessible by the application. Note that the application does not need to explicitly return the response for it to be vulnerable to information disclosures since an attacker can leverage DNS information to exfiltrate data through subdomain names to a DNS server that he or she controls.
Furthermore, it frequently enables an attacker to interact with backend or external systems accessible by the application. Since the attack transpires relative to the application processing the XML document, an attacker may use this trusted application to pivot to other internal systems, possibly disclosing other internal content via HTTP(s) requests or launching a CSRF attack to any unprotected internal services.
XXE vulnerabilities apply to the category of injection attacks, which are similar to command injection (e.g., bash language injection) and SQL injection (i.e., SQL database language). Still, in the case of XXE, the attack is focusing on the XML language*.
*Extensible Markup Language, or XML for short, is a language designed to transport data while being readable by both humans and machines. For XML data to be interpreted, the applications need some form of XML parser or processor that can understand the format to either transfer the data to another format or output the result. The reason why XXE is on the OWASP’s Top 10 is mainly due to the immense popularity of its underlying “vector” – XML, a remarkably popular language, used extensively by websites.
The XML 1.0 standard defines the structure of an XML document and describes a concept of an entity.
XML entities are a way of representing a piece of data within an XML document, rather than using the data itself. They are XML shortcuts for special characters, strings, URI, and more. They look like this - &entity;.
XML external entities are a type of custom XML entity whose defined values are loaded from outside of the DTD in which they are declared. They are interesting from a security viewpoint since they allow an entity to be determined based on the contents of a file path or URL.
Several entities can access local or remote content through a declared system identifier. The system identifier is assumed to be a URI that can be dereferenced by the XML processor when processing the entity. The XML processor then replaces occurrences of the named external entity with the contents dereferenced by the system identifier. Issues occur when a weakly configured parser parses XML documents.
XXE vulnerabilities can also be similar to Local File Inclusion (LFI) and Remote File Inclusion (RFI).
There are various types of XXE attacks. XXE vulnerabilities can be exploited:
to retrieve files, where an external entity is defined containing the contents of a file and returned in the application's response;
to perform SSRF attacks, where an external entity is determined based on a URL to a back-end system.
Most straightforward XML-based denial of service attack ⇨ Resource Exhaustion Attack, also known as the Billion Laughs Attack. It doesn’t use external entities, but it relies on combining multiple XML entities that reference each other.
Many occurrences of XXE vulnerabilities are blind. In this instance, the application does not return the values of any defined external entities in its responses, and so direct retrieval of server-side files is not possible. An attacker can exploit blind XXE:
to exfiltrate data out-of-band, where sensitive information is sent from the application server to a system that the attacker controls.
to retrieve data through error messages, where the attacker can trigger a parsing error message containing sensitive data.
Blind XXE vulnerabilities can still be detected and exploited, but more advanced techniques are required.
Applications and specially XML-based web services or downstream integrations might be susceptible to XXE attack if:
The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents, which is then parsed by an XML processor.
Tainted data is allowed within the system identifier portion of the entity within the document type declaration (DTD).
The XML processor is configured to validate and process the DTD.
The XML processor is configured to resolve external entities within the DTD.
The application uses SAML for identity processing within federated security or single sign-on (SSO) purposes.
The application uses SOAP before version 1.2 if XML entities are being passed to the SOAP framework.
Being exposed to XXE attacks likely means that the application is vulnerable to denial of service attacks.
SAST tools can help detect XXE in source code, by inspecting dependencies and configuration, although manual code review is the best alternative in large, complex applications with many integrations. To check systematically for XXE issues, you need to test each data node in the XML individually, by attaining your defined entity and examining whether it appears within the response.
XXE attacks can represent a significant risk to any organization and can result in severe consequences.
The impact of a successful attack on business depends on the protection needs of all affected applications and data. Successful exploitation allows an attacker to view files from the application’s server and interact with external or backend systems that the application can access. Aside from the retrieval of sensitive data, the other main impact of XXE attacks is that it can be used to perform server-side request forgery (SSRF). It can not only affect application availability but also enable a wide variety of attacks, therefore preventing XXE attacks is essential for web application security.
As with most OWASP Top 10 vulnerabilities, the best way to prevent XXE attacks is to practice secure coding. Developer training is essential!
Besides that, to prevent XXE:
Use fewer complex data formats (such as JSON) and avoid serialization of sensitive data whenever possible.
Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system. Use dependency checkers—update SOAP to SOAP 1.2 or higher.
Disable XML external entity and DTD processing in all XML parsers in the application.
Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to deter hostile data within XML documents, headers, or nodes.
Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
If these measures are not achievable, consider using virtual patching, API security gateways, or Web Application Firewalls (WAFs) to detect, monitor, and block XXE attacks.
Lastly, applications should be sandboxed so that in case of successful XXE exploit, the damage is minimized.
If all else fails, make sure XML parser doesn’t reveal errors. While this will not completely prevent an attack, it may slow down an attacker or the discovery of the issue on the system.
More about prevention here.
An XXE issue was discovered on Twitter of all sites. The exploit was remarkably simple — but cost a tremendous 10,080 USD due to its severity in allowing an attacker to read local files on the target system. You can view the full report on HackerOne.
The research team found vulnerabilities in popular Android development and reverse engineering tool Android Studio. An attacker could inject the malicious code into shared online repositories such as those on GitHub, which could lead to data exposure, as well as malicious users taking over the devices running APKTool. More about this available here.
In the Spring Web Services, multiple files throughout the component failed to sufficiently restrict the processing of malicious XML external entities and make it exposed to XXE attacks. The attacker can leverage this vulnerability to execute various XXE related attacks against the server.
Rockstar Games’ (2018): An XXE vulnerability led to an exploit of the emblem editor. The disclosed report includes code snippets and explanations from the researcher.
