XML external entity (XXE) injection

Tram Ho

0. Introduction

XXE (XML external entity) injection is a long-standing vulnerability, and the use of XML in web applications has declined somewhat. Wherever it does appear, however, it is rated as serious. Oddly, when I searched Viblo for XXE I found no articles about it, even though in 2017 XXE ranked fourth (A4) in the OWASP Top 10 Web Application Security Risks!

1. About XML

I intended to quote Wikipedia's definition of XML, but it is rather complicated, so I quote the W3Schools definition at this link instead.

So XML, the Extensible Markup Language, is designed to store and transport data in a form that both humans and "machines" can read.

More concretely, XML documents are usually files with the .xml extension, and the format simplifies sharing data between different systems. That is why many other markup languages and applications are built on XML for different purposes (for example RDF, RSS, MathML, XHTML, SVG, ...), each usually with its own file extension. All of them rely on tags that define the structure of the document and how it is stored, read and transported.

For example:

The first line is the XML declaration; it is recommended but not required. In the body, every pair of opening and closing tags forms an element, and elements nest inside one another to form a tree. There are of course rules on syntax, declarations, nesting, attributes and so on, but they are not the topic of this article.

2. About External Entity in XML

The external entity declaration is the key to the XXE technique. So what is it?

2.1 DTD

Let's first look at the DTD (Document Type Definition), which defines the structure of an XML document: which elements and attributes are valid and in what form.

A DTD declared inside the XML file itself is an Internal DTD. The example below uses an External DTD, that is, the DTD is a separate file outside the XML document. Example from w3schools:

Besides the XML declaration seen in section 1, this XML file also carries a DOCTYPE declaration, which references a DTD file named Note.dtd. Its contents:

Note.dtd imposes constraints on the .xml file: for example, every note element must contain the elements to, from, heading and body, and each of those elements is declared with a type (here #PCDATA, parsed character data, which is simply text).

A DTD therefore gives XML files an agreed standard format, which makes the structure of the data easier to determine, especially when files move from one place to another: the recipient can validate the XML file against the DTD to confirm that it matches the expected format.

Besides the DTD, an XML file can also be described by an XML Schema Definition (XSD). Only a DTD can declare entities, however, so XXE injection is specifically a DTD problem.

2.2 DTD Entity

A DTD entity can be thought of as a variable in programming: it is declared once and its value is substituted wherever it is referenced.

DTD entities also come in internal and external forms!

An example of an internal DTD entity:

An example of an external DTD entity:

2.3 External Entity

To process XML, every application needs an XML parser (also called an XML processor) that reads the file and produces output. When an entity is declared, the parser automatically substitutes the entity's value wherever the entity is referenced.



In the DOCTYPE declaration, besides the element declarations, an entity named bar is declared, and the value that comes back in the response is the value of bar: an external entity, whose content the parser fetches from the location named in its declaration.

At this point the concept of an external entity should be fairly clear. The question is: what can it do?

2.3.1 Denial of service

This is the attack known as the Billion laughs attack. Strictly speaking it uses only internal entities. Example from Wikipedia:

Referencing the entity lol9 as &lol9; looks harmless, but lol9 expands to ten copies of lol8, each of which expands to ten copies of lol7, and so on down to lol: 10^9 copies of the word "lol" in total, roughly 3 GB of text, which the XML parser has to build in memory. This overloads the parser and leads to denial of service.
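As an added example (mine, not code from the article or from Wikipedia), the block below builds the same lol ... lol9 document programmatically and shows how a pre-parse check can estimate, from the entity declarations alone, how large each entity would become if expanded. A document like this can then be rejected before any XML parser allocates the gigabytes. Recent Expat releases (2.4 and later) enforce an amplification limit of their own, but a check like this does not depend on which parser sits behind the application. All function and entity names are my own, and the sample documents are constructed for this example.

```python
"""Static estimate of DTD entity expansion cost (added example)."""
import re

# Internal general entity declaration: <!ENTITY name "value"> or with single quotes.
# External declarations (<!ENTITY x SYSTEM "...">) deliberately do not match:
# their cost is a network/file fetch, not in-memory expansion.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
# A general entity reference inside an entity value: &name;
ENTITY_REF = re.compile(r"&(\w+);")
# The five predefined XML entities each expand to a single character.
PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}


def build_billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Constructed Wikipedia-style billion laughs document (lol, lol1 ... lol<depth>)."""
    decls = ['<!ENTITY lol "lol">', "<!ELEMENT lolz (#PCDATA)>"]
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        decls.append(f'<!ENTITY lol{i} "{("&" + prev + ";") * fanout}">')
    body = "\n ".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n {body}\n]>\n<lolz>&lol{depth};</lolz>'


def parse_internal_entities(xml_text: str) -> dict:
    """Return {entity_name: literal_value} for the internal DTD subset."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in ENTITY_DECL.finditer(xml_text)
    }


def expansion_sizes(entities: dict) -> dict:
    """Size in characters of every entity after full recursive expansion.

    Nothing is actually expanded: the size of an entity is its literal text
    plus the sizes of the entities it references, so lol9 costs 3 * 10**9
    characters to compute here but only a few integer multiplications.
    Recursive entities are illegal XML, but a hostile document may still
    contain them; a cycle is reported as infinite cost instead of looping.
    """
    sizes = {}

    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            return float("inf")          # cycle
        if name in PREDEFINED:
            return 1
        if name not in entities:
            return len(name) + 2         # undeclared: a parser would leave or reject it
        value = entities[name]
        total = len(ENTITY_REF.sub("", value))   # literal characters of the value
        for ref in ENTITY_REF.findall(value):
            total += size_of(ref, stack | {name})
        sizes[name] = total
        return total

    for name in entities:
        size_of(name, frozenset())
    return sizes


def is_expansion_bomb(xml_text: str, limit: int = 10_000_000) -> bool:
    """True if any declared entity would expand beyond `limit` characters."""
    sizes = expansion_sizes(parse_internal_entities(xml_text))
    return max(sizes.values(), default=0) > limit


if __name__ == "__main__":
    doc = build_billion_laughs()
    for name, size in sorted(expansion_sizes(parse_internal_entities(doc)).items()):
        print(f"{name:>5}: {size:,} characters")
    print("expansion bomb:", is_expansion_bomb(doc))
```

The regular-expression approach is intentionally crude: it only needs to be good enough to refuse a document long before the real parser sees it, and rejecting anything that declares entities at all is the stricter (and usually correct) policy for an application that never expected a DTD in the first place.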

2.3.2 File Disclosure

Remember the syntax of the external DTD entity above?

Here, if an attacker declares a URI (in XML terms, the system identifier) and the parser is configured to resolve external entities, it can lead to serious problems:



2.3.3 SSRF

Pointing the system identifier at an internal URL instead of a local file turns the file read into a server-side request forgery: the server fetches the URL on the attacker's behalf. Replace the above payload with:


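The file disclosure of 2.3.2 and the SSRF of 2.3.3 are the same parser misconfiguration; as an added example (not the article's code, not a PortSwigger lab), here is the vulnerable setting and a hardened alternative side by side using Python's standard-library xml.sax parser. Python has shipped with external general entity loading turned off since 3.7.1, so the vulnerable function has to enable feature_external_ges explicitly; that reproduces what many older Java, .NET and PHP parsers did by default. The resolver behind that feature, xml.sax.saxutils.prepare_input_source, opens a local path with open() and anything else with urllib.request.urlopen(), so the very same code path that reads a file here would fetch an http:// URL for the SSRF case. The stockCheck/productId element names are my assumption for a stock-check request, and the "secret" written to the temporary file is constructed for the example.

```python
"""XXE file disclosure: vulnerable xml.sax configuration beside a hardened one (added example)."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextOf(ContentHandler):
    """Collects the character data inside one element, e.g. <productId>."""

    def __init__(self, tag: str):
        super().__init__()
        self.tag, self.inside, self.parts = tag, False, []

    def startElement(self, name, attrs):
        if name == self.tag:
            self.inside = True

    def endElement(self, name):
        if name == self.tag:
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.parts.append(content)


def xxe_payload(system_id: str) -> bytes:
    """The classic file-read payload: an external entity substituted into productId."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "{system_id}"> ]>\n'
        "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
    ).encode("utf-8")


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Parse with external general entities ENABLED: the XXE misconfiguration.

    When &xxe; is encountered, the parser fetches the system identifier
    (file path or URL) and feeds its content back as element text.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the dangerous switch
    handler = TextOf("productId")
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def parse_hardened(xml_bytes: bytes) -> str:
    """Refuse any DTD up front, and keep external entity loading off.

    Rejecting the DOCTYPE entirely is the OWASP recommendation: it also
    stops billion laughs, parameter entities and out-of-band exfiltration,
    none of which the feature_external_ges flag alone addresses.
    """
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # Python's default since 3.7.1, made explicit
    handler = TextOf("productId")
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def demo() -> dict:
    """Write a constructed secret, attack both parsers with it, report the outcome."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("db_password=constructed-secret-value")   # constructed, not a real credential
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
        return {"leaked": leaked, "hardened_rejected": rejected}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

Note that the content returned through the entity must itself be well-formed entity text: a file containing a bare `&` or `<` breaks the parse, which is exactly why real exploitation of binary or markup-heavy files needs the wrapping tricks (CDATA via parameter entities, PHP filters, out-of-band channels) mentioned in the conclusion.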

2.3.4 Access Control Bypass (Loading Restricted Resources – PHP example)

See more here .

3. Example and conclusion

I take an example from the labs of portswigger.net, a well-known company with a great deal of research, articles and software, and in particular professionally built labs.

Example of file disclosure:

The request used to check how many units of a product are in stock:


The edited request:

And the response contains the content of the file at the URI we defined above:

Real life is rarely that easy. Successfully exploiting XXE usually takes more than copy-pasting the payloads above; techniques such as out-of-band XXE (OOB-XXE) and blind XXE come into play, and if the application is configured like this, you are out of luck:

The flaw is server-side and its impact is obvious. So if your application uses XML, or another XML-based markup language, to process, send or receive data, make sure it is not affected by this serious vulnerability!

4. References

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection


Source : Viblo