XXE Injection

XXE Injection stands for XML External Entity Injection, a vulnerability in the way an application parses XML input. It can be leveraged to disclose local files, make server-side requests, or execute remote code.

What is XML?

Extensible Markup Language (XML) is used to store data in a form that is both human readable and machine parseable. It is a popular format for exchanging data between systems and applications. XML consists of elements, attributes, and character data, which together represent data in a structured and organized way.

XML Syntax

The tags and nesting used here closely resemble HTML's structure and syntax.

<?xml version="1.0" encoding="UTF-8"?>
<user id="1">
   <name>John</name>
   <age>30</age>
   <address>
      <street>123 Main St</street>
      <city>Anytown</city>
   </address>
</user>

Here name is an element whose content is John, and id is an attribute of the user element.

Use cases

XML is used in configuration files and to store and exchange data amongst systems and APIs.

XSLT

Extensible Stylesheet Language Transformations (XSLT) is used to transform and format XML documents. It is useful for XXE injection in the following ways.

  • Data Extraction: Extracting credentials or other sensitive data from XML files

  • Entity Expansion: Malicious entities can be injected into XML

  • Data Manipulation: Manipulating existing data inside an XML document and replacing it with malicious data to exploit the XXE vulnerability.

  • Blind XXE: Malicious entities are injected into an XML document without the attacker seeing the server's response.

DTD (Document Type Definitions)

DTDs define the structure and constraints of an XML document. A DTD can be internal to the XML file or kept in a separate file.

Purpose of DTDs:

  • Validate the structure of an XML document and ensure that it meets the required criteria

  • Define entities that can be used inside XML files, which is crucial to XXE injection.

External entities are declared with the SYSTEM keyword, while internal entities are declared inline inside the <!DOCTYPE block with a literal value.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE config [
<!ELEMENT config (database)>
<!ELEMENT database (username, password)>
<!ELEMENT username (#PCDATA)>
<!ELEMENT password (#PCDATA)>
]>
<config>
<!-- configuration data -->
</config>
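The entity mechanism described above, as an added example that is not part of the original page: a standard-library Python script that enumerates the entity declarations in a document's DTD before parsing it, refuses documents that declare external entities or an external DTD subset, and shows that an internal entity (literal value) is expanded while an external SYSTEM entity is not resolved by the stock ElementTree parser. The two sample documents, the entity names default_user and leak, and the file path in the SYSTEM identifier are constructed placeholders.

```python
"""Added example (not from the original page): inspect a document's DTD
entity declarations before trusting it, using only the standard library.
The sample documents, entity names and the SYSTEM path are constructed."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample: an internal entity (literal value) declared in the
# DTD's internal subset and referenced from element content.
INTERNAL_ENTITY_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE config [
<!ELEMENT config (database)>
<!ELEMENT database (username, password)>
<!ELEMENT username (#PCDATA)>
<!ELEMENT password (#PCDATA)>
<!ENTITY default_user "app_service">
]>
<config><database><username>&default_user;</username><password>x</password></database></config>
"""

# Constructed sample: same structure, but the entity is external (SYSTEM).
# The path is a placeholder, not a real file.
EXTERNAL_ENTITY_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE config [
<!ELEMENT config (database)>
<!ELEMENT database (username, password)>
<!ELEMENT username (#PCDATA)>
<!ELEMENT password (#PCDATA)>
<!ENTITY leak SYSTEM "file:///placeholder/path/secret.txt">
]>
<config><database><username>&leak;</username><password>x</password></database></config>
"""


def inspect_dtd(xml_bytes):
    """Return a report of what the document's DTD declares.

    Only declarations are recorded; nothing is resolved or fetched.
    """
    report = {"external_subset": None, "entities": [], "external_entities": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> points at an external DTD subset,
        # which a resolving parser would fetch.
        if system_id or public_id:
            report["external_subset"] = system_id or public_id

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry a
        # system or public identifier instead.
        report["entities"].append(name)
        if system_id is not None or public_id is not None:
            report["external_entities"].append((name, system_id or public_id))

    p = expat.ParserCreate()
    # Never load external parameter entities (or the external DTD subset)
    # while inspecting.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is registered, so references to external
    # entities in the body are not followed by this pass.
    p.Parse(xml_bytes, True)
    return report


def parse_if_safe(xml_bytes):
    """Reject documents that declare external entities or an external DTD
    subset; otherwise parse with ElementTree and return the username text."""
    report = inspect_dtd(xml_bytes)
    if report["external_subset"] or report["external_entities"]:
        raise ValueError(
            "refusing document: external DTD content %r %r"
            % (report["external_subset"], report["external_entities"])
        )
    root = ET.fromstring(xml_bytes)
    return root.findtext("database/username")


def elementtree_behaviour(xml_bytes):
    """Show what the stock ElementTree parser does with each document:
    internal entities are expanded, while an external entity is left
    unresolved and the dangling reference surfaces as a parse error."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return "refused by parser: %s" % exc
    return "parsed: username=%s" % root.findtext("database/username")


if __name__ == "__main__":
    for label, doc in (("internal", INTERNAL_ENTITY_DOC), ("external", EXTERNAL_ENTITY_DOC)):
        print(label, inspect_dtd(doc))
        print(label, elementtree_behaviour(doc))
```

The inspection pass is deliberately separate from the real parse: it uses expat only to read declarations, so a document is classified before any parser that might resolve entities sees it. The same check applies to any XML that is validated against a DTD, since the entity declarations live in the same <!DOCTYPE block as the element declarations.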
