XML External Entity Injection
Severity: High
Test name: XML External Entity Injection
Test ID: xxe
Test name: XML External Entity Injection
Test ID: xxe
Summary |
---|
XML External Entity vulnerability allows an attacker to upload an XML file with a reference to an external entity without validation. The attacker exploits weakly configured XML parsers, which process the XML code. The attack can lead to gaining confidential information and even to Remote Code Execution (RCE).
Impact |
---|
The vulnerability may expose the application to the following attack vectors:
- Gain sensitive information
- Disclose internal content via HTTP(S) requests or launch a CSRF attack to any unprotected internal services
- Initiate SSRF attack in applications that use XML
- Modifying the content type of
application/x-www-form-urlencoded
to enable XXE with LFI - Leveraging XInclude for
application/x-www-form-urlencoded
by injecting XML parameters with XXE - Execute a malicious URL, possibly allowing the arbitrary code to be executed under the application account
- Cause denial of the services (DoS)
Example |
---|
Example 1: Accessing a local resource
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE credentials [
<!ELEMENT credentials (user, password)>
<!ELEMENT user (#PCDATA)>
<!ELEMENT password (#PCDATA)>
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<credentials>
<user>&xxe;</user>
<password>mypass</password>
</credentials>
Example 2: Remote code execution
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >
]>
<credentials>
<user>&xxe;</user>
<password>mypass</password>
</credentials>
Example 3: XXE to perform SSRF attack
<?xml version=”1.0" encoding=”UTF-8"?>
<stockCheck><productId>3301</productId></stockCheck>
Location |
---|
The issue can be found in the source code on the server side.
Remedy suggestions |
---|
- Disable Document Type Declaration (DTD) completely.
- If it is not possible to disable DTD completely, then external entities and external document type declarations must be disabled according to each specific parser.
- PHP
libxml_disable_entity_loader(true);
- Java (Xerces)
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
Classifications |
---|
- CWE-611
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
References |
---|
Updated 2 months ago