XXE
Brief
An XXE (XML External Entity) attack targets an application that parses XML input. In this attack, XML input containing a reference to an external entity is processed by a weakly configured XML parser. Where Cross-Site Scripting (XSS) injects scripts, XXE injects XML entities to extract sensitive information.
A DTD (Document Type Definition) declares the structure of an XML document, the types of data values it may contain, and so on. A DTD can be embedded inside the XML file or defined in a separate file. It is declared at the beginning of the XML document using <!DOCTYPE>.
There are several types of DTDs; the ones we are interested in are external DTDs, which come in two kinds:
SYSTEM: the system identifier lets us specify the location of an external file that contains the DTD declaration.
In an XXE attack the payload containing the external entity reference is sent to the server, which hands the data to its XML parser. The parser resolves the external entity while parsing the request and returns the resulting output to the server, which in turn returns it to the attacker.
Impacts
OWASP TOP 10 : SSRF, DoS, RCE, XSS
The CVSS score of an XXE is 7.5 and its severity is Medium, with:
CWE-611: Improper Restriction of XML External Entity.
CVE-2019-12153: Local File SSRF
CVE-2019-12154: Remote File SSRF
CVE-2018-1000838: Billion Laughs Attack
CVE-2019-0340: XXE via File Upload
XXE to SSRF
Payloads
Local File Inclusion
With bWAPP
XXE Billion Laughs Attack (DoS)
These attacks target XML parsers: well-formed and valid XML input exhausts system resources when it is parsed. The attack is also known as an XML bomb, XML DoS, or exponential entity expansion attack.
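The two parser weaknesses described on this page, an external entity that the parser fetches on the attacker's behalf and an internal entity chain that expands exponentially, can both be caught before the real parser ever reaches the document body. The following is an added example, not code from the original page or from any project it mentions: a pre-parse audit built on the Python standard library's expat bindings. It hooks the DOCTYPE and entity-declaration callbacks, rejects any SYSTEM/PUBLIC identifier, and computes each internal entity's fully expanded size (memoised, so a ten-level billion-laughs DTD costs about a hundred steps rather than 10^10). The 10 kB budget and every sample document are constructed for the demo.

```python
"""Pre-parse audit of untrusted XML for external entities (XXE) and
exponential internal expansion (billion laughs).

Added example; uses only the standard library. Run audit() first and hand
the bytes to your real parser only when it returns None.
"""
import re
import xml.parsers.expat as expat

# Assumption: a 10 kB expansion budget is generous for typical API payloads.
MAX_EXPANSION_BYTES = 10_000
# Matches general (&name;) and parameter (%name;) entity references.
_REF = re.compile(r"([&%][A-Za-z_:][\w.:-]*);")


class UnsafeXML(ValueError):
    """Raised from inside an expat handler to abort parsing early."""


class EntityAuditor:
    """Expat handler set that records entity declarations and judges them
    before the parser reaches the document body, where expansion happens."""

    def __init__(self, allow_dtd, max_expansion):
        self.allow_dtd = allow_dtd
        self.max_expansion = max_expansion
        self.internal = {}      # "&name" or "%name" -> raw replacement text
        self._sizes = {}        # memoised expanded sizes per reference

    def start_doctype(self, name, sysid, pubid, has_internal_subset):
        if not self.allow_dtd:
            raise UnsafeXML("DOCTYPE not permitted")
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"external DTD subset {sysid or pubid!r} not permitted")

    def entity_decl(self, name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            # A SYSTEM/PUBLIC identifier means the parser would fetch a file
            # or URL on the attacker's behalf: the core of XXE.
            raise UnsafeXML(f"external entity {name!r} references {sysid or pubid!r}")
        self.internal[("%" if is_param else "&") + name] = value or ""

    def expanded_size(self, ref, in_progress=frozenset()):
        """Bytes this entity yields once every nested reference is expanded."""
        if ref in self._sizes:
            return self._sizes[ref]
        if ref in in_progress:
            raise UnsafeXML(f"recursive entity {ref}")
        value = self.internal.get(ref)
        if value is None:               # predefined (&lt;) or undeclared
            return len(ref) + 1
        total, last = 0, 0
        for m in _REF.finditer(value):
            total += m.start() - last
            total += self.expanded_size(m.group(1), in_progress | {ref})
            last = m.end()
        total += len(value) - last
        self._sizes[ref] = total
        return total

    def end_doctype(self):
        # Fires after the internal subset and before the body: judge now.
        worst = max(self.internal, key=self.expanded_size, default=None)
        if worst is not None and self._sizes[worst] > self.max_expansion:
            raise UnsafeXML(f"entity {worst} expands to {self._sizes[worst]} bytes")


def audit(data, allow_dtd=False, max_expansion=MAX_EXPANSION_BYTES):
    """Return None if the document is acceptable, else the rejection reason."""
    auditor = EntityAuditor(allow_dtd, max_expansion)
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = auditor.start_doctype
    parser.EntityDeclHandler = auditor.entity_decl
    parser.EndDoctypeDeclHandler = auditor.end_doctype
    try:
        parser.Parse(data, True)
    except UnsafeXML as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


# Constructed sample documents (not taken from any real target).
SAFE_DOC = b'<?xml version="1.0"?><order><id>42</id></order>'
INTERNAL_ENTITY_DOC = (b'<!DOCTYPE note [<!ENTITY company "Example Corp">]>'
                       b'<note>&company;</note>')
EXTERNAL_ENTITY_DOC = (b'<!DOCTYPE note [<!ENTITY ext SYSTEM '
                       b'"http://dtd.example.invalid/resource">]>'
                       b'<note>&ext;</note>')
# Classic ten-level expansion: lol9 yields 10^9 copies of "lol".
_decls = ['<!ENTITY lol "lol">']
for _i in range(1, 10):
    _refs = f"&{'lol' if _i == 1 else f'lol{_i - 1}'};" * 10
    _decls.append(f'<!ENTITY lol{_i} "{_refs}">')
BILLION_LAUGHS_DOC = f'<!DOCTYPE lolz [{"".join(_decls)}]><lolz>&lol9;</lolz>'.encode()

if __name__ == "__main__":
    for label, doc in [("safe", SAFE_DOC), ("internal", INTERNAL_ENTITY_DOC),
                       ("external", EXTERNAL_ENTITY_DOC),
                       ("billion laughs", BILLION_LAUGHS_DOC)]:
        print(f"{label:15} strict={audit(doc)!r}  dtd-allowed={audit(doc, True)!r}")
```

The strict default (no DOCTYPE at all) is what most services should run, since few legitimate API clients send a DTD; `allow_dtd=True` is for the rare case where internal entities are required, and even then the expansion budget keeps the parser's output bounded by a number you chose rather than one the sender chose.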
XXE File Upload
XXE can also be performed through the file upload method.
XXE to RCE
POC with XXELAB