search

XXE

XML External Entity

hashtag
Extensible Markup Language (XML)

A language designed to store and transport data similar to JSON.

hashtag
basic structure of XML

Document Type Definition (DTD): defines the structure and the legal elements and attributes of an XML document.

Entity: acts as a variable.

External Entity: loads its data from an external source such as url or a file on disk.

  • 💡Note: to read the data the entity must be returned in the response.

  • EX: <!DOCTYPE foo[ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>

hashtag
XML External Entity(XXE) Attack

hashtag
Description

Appears when an application parses XML.

hashtag
Impact

Read arbitrary files which can lead to fully compromising a machine.

hashtag
Indicator

Whenever you see XML you should test for XXE.

  • <?xml version="1.0" encoding="UTF-8"?>

hashtag
Exploitation

💡If the server does not block external entities the response will be reflected

To test for XXE -> put in a malicious external entity and replace each node value with it.

Scenario: Retrieving the contents of the /etc/passwd file

XML Normal code

TO DO:

  1. Create an external entity to grab the data in the /etc/passwd file

  2. Store it in the entity xxe

  3. Place the variable in the node

PreviousCSTINextCSP Bypass

Last updated