External XML Entity

XML External Entity (XXE) Attacks

Definition:

XXE is a type of attack against an application that parses XML input from untrusted sources. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This can lead to disclosure of internal files, denial of service, server-side request forgery, and other internal network probing.

Key Points:

  • XXE can exploit the ability of XML parsers to fetch external resources.

  • XML entities can be used to define shortcuts to strings or special characters. However, they can also be abused to pull in content from external sources.

Attack Scenario:

  1. A web application accepts XML input.

  2. An attacker sends XML with a malicious entity pointing to a file they want to access (e.g., /etc/passwd on UNIX-like systems).

  3. The server's XML parser processes the entity, reads the file, and sends the content of the file back in its response.

Example Attack:

The attacker might submit the following XML to a vulnerable endpoint:

xml
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "file:///etc/passwd">
]>
<r>&sp;</r>

If the server responds with the content of /etc/passwd, it's vulnerable to XXE.

Common Targets:

  • Web services that accept XML input.

  • Applications that utilize XML for configuration.

  • Upload functionalities that handle XML files.

  • Web applications with XML-based user input fields.

Mitigation:

  1. Disable External Entity Parsing:

    • In most XML parsers, you can disable the processing of external entities.

  2. Use a Safe XML Library:

    • Some libraries, like xml_safe in Ruby or defusedxml in Python, are designed to be resistant to XXE attacks.

  3. Implement Least Privilege:

    • If an application must parse XML, run it with the minimum necessary privileges. This limits potential damage.

  4. Input Validation:

    • Reject XML input containing entities.

    • Alternatively, use a whitelist of allowed XML structures.

  5. Network Restrictions:

    • Limit outgoing connections from servers to prevent attackers from exfiltrating data or interacting with internal services.

  6. Content Filtering:

    • Scan and filter out inbound and outbound traffic for suspicious XML content.

  7. Patch and Update:

    • Regularly update the XML parsing libraries to their latest versions to benefit from patches against known vulnerabilities.

Detection:

  1. Manual Testing:

    • Submit XML payloads with external entity references to test for XXE.

  2. Automated Scanning:

    • Tools like OWASP ZAP, Burp Suite, and others can check for potential XXE vulnerabilities.

  3. Monitoring & Logging:

    • Monitor server logs for unexpected system-level activity or outbound network traffic, which might indicate an XXE attempt.

Miscellaneous Notes:

  • Beyond the simple example given, XXE can be used in "Blind XXE" attacks where data is exfiltrated indirectly, such as via DNS queries.

  • XXE can potentially lead to full system compromise, depending on the permissions of the XML parsing process and the underlying system's configuration.

Conclusion:

XXE attacks exploit the capabilities of XML parsers to retrieve external content. A successful XXE attack can lead to sensitive data disclosure and other significant impacts. Developers should be aware of the risks associated with processing XML input and apply appropriate mitigations to prevent potential attacks.

PreviousDirectory TraversalNextFile Inclusion/Path Traversal

Last updated