XML External Entities (XXE)

Pradeep Bhattarai
CryptoGen Nepal
Oct 15, 2021


XML External Entities, also known as XXE, is listed as A4:2017 XML External Entities (XXE) in the OWASP Top 10 2017. This type of attack occurs when external entities referenced in the XML input are processed by a weakly configured XML parser. The attack can lead to disclosure of sensitive information, denial of service, server-side request forgery (SSRF), and more.

Threat Agents:

This vulnerability can be exploited if the attacker can upload or submit an XML document containing a malicious payload to a vulnerable XML parser, whether the weakness lies in the application's own code, its integrations, or its dependencies.

Security Weakness:

Older XML parsers/processors allow an external entity to be declared with a URI, and that URI is dereferenced and evaluated while the XML is processed. As of 2017 this was not commonly tested, since detection and exploitation require manual steps.

Impacts:

An attacker can use XXE to make requests from the server, extract sensitive files from it, scan internal systems, cause denial of service (DoS), and so on. The business impact depends on the protection needs and impact level of the affected web app and its data.

Exploitation of XXE

Some of the common exploitation scenarios for XXE:

Retrieve sensitive files:

Sensitive files such as configuration files, database credentials, environment files (.env), and files holding hard-coded credentials can be read by exploiting the XXE flaw in the web app.

DOS in the web app:

The attacker can reference an endless file such as /dev/random so that the parser never finishes reading it, causing a DoS in the web app.

Remote code execution:

If the PHP expect module is enabled, the attacker can conduct an RCE attack against the web app. Example:

Impact:

  • Maliciously extract sensitive files (read local files)
  • Perform a DoS attack
  • Perform an SSRF attack
  • Scan internal services

Mitigation Strategy:

  • Use less complex data formats such as JSON
  • Avoid serialization of sensitive data
  • Disable XML external entity and DTD processing in all XML parsers
  • Implement server-side input validation, filtering, or sanitization of the data
  • Patch/upgrade the XML processors and libraries used in the web app

References:

https://portswigger.net/web-security/xxe

https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)

https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/

https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
