XML External Entity Injection

Severity: High
Test name: XML External Entity Injection
Test ID: xxe

Summary

An XML External Entity (XXE) vulnerability allows an attacker to upload an XML file that contains a reference to an external entity, which the application then processes without validation. The attack exploits weakly configured XML parsers that resolve such references while processing the XML. It can lead to disclosure of confidential information and even to Remote Code Execution (RCE).

Impact

The vulnerability may expose the application to the following attack vectors:

  • Gain access to sensitive information
  • Disclose internal content via HTTP(S) requests or launch a CSRF attack against any unprotected internal services
  • Initiate an SSRF attack in applications that use XML
  • Modify the content type of application/x-www-form-urlencoded to enable XXE with LFI
  • Leverage XInclude for application/x-www-form-urlencoded by injecting XML parameters with XXE
  • Execute a malicious URL, possibly allowing arbitrary code to be executed under the application account
  • Cause denial of service (DoS)

Example

Example 1: Accessing a local resource

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE credentials [
    <!ELEMENT credentials (user, password)>
    <!ELEMENT user (#PCDATA)>
    <!ELEMENT password (#PCDATA)>
    <!ENTITY xxe SYSTEM  "file:///etc/passwd" >
]>
<credentials>
    <user>&xxe;</user>
    <password>mypass</password>
</credentials>

Example 2: Remote code execution

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ 
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "expect://id" >
]>
<credentials>
    <user>&xxe;</user>
    <password>mypass</password>
</credentials>

Example 3: XXE to perform SSRF attack

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>3301</productId></stockCheck>

Location

The issue can be found in the source code on the server side.

Remedy suggestions
  1. Disable Document Type Declaration (DTD) completely.
  2. If it is not possible to disable DTD completely, then external entities and external document type declarations must be disabled according to each specific parser.
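    • PHP
    // Deprecated as of PHP 8.0, which requires libxml 2.9.0+ where external
    // entity loading is off by default. Also avoid passing LIBXML_NOENT,
    // which turns entity substitution back on.
    libxml_disable_entity_loader(true);
    
    • Java (Xerces)
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Refuse external general and parameter entities.
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // Reject any document that contains a DOCTYPE declaration.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);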
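
The two remedies above applied to one more parser, as an added example that is not part of the original page: it shows both policies refusing Example 1 and accepting the plain request from Example 3. Python's standard-library expat binding, the names `parse_untrusted` and `XxeRejected`, and the `INTERNAL` sample are assumptions made for this illustration.

```python
import xml.parsers.expat as expat

class XxeRejected(ValueError):
    """The document uses a construct the parsing policy forbids."""

def parse_untrusted(xml_bytes, allow_dtd=False):
    """Parse with expat and return the element names seen.

    allow_dtd=False: remedy 1, any DOCTYPE is refused.
    allow_dtd=True:  remedy 2, an internal DTD is tolerated, but external
                     DTD subsets and external entities are refused.
    """
    elements = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise XxeRejected("DOCTYPE declarations are disabled")
        if system_id is not None or public_id is not None:
            raise XxeRejected("external DTD subset refused")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # External entities carry a system or public identifier; internal ones
        # carry a literal value instead. Internal entities can still be abused
        # for expansion-based DoS, which is why remedy 1 is the safer default.
        if system_id is not None or public_id is not None:
            raise XxeRejected(f"external entity '{name}' refused")

    def on_external_ref(context, base, system_id, public_id):
        # Backstop: never resolve a reference that slipped past the checks above.
        raise XxeRejected("external entity reference refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate
    return elements

# Example 1 from this page (DTD shortened), used as test input; never resolved.
EXAMPLE_1 = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE credentials [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<credentials><user>&xxe;</user><password>mypass</password></credentials>"""
# Example 3 from this page: a plain request with no DTD.
PLAIN = b'<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>3301</productId></stockCheck>'
# Constructed sample: internal-only DTD, acceptable only under remedy 2.
INTERNAL = b'<!DOCTYPE note [ <!ENTITY who "world"> ]><note>&who;</note>'
```

Catch `XxeRejected` at the request boundary and return a generic client error, so parser details are not echoed back to the sender.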
    
Classifications
  • CWE-611
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L