The XXE attack has been around for a few years, but hasn’t gotten much attention until the last couple of years, with some high-profile cases at Facebook and PayPal.
So, what is the XML External Entity attack? XXE is an abbreviation for XML External Entity. It is a part of the XML spec that allows a document to have entities that resolve to someplace external (not within the same document).
Some basic examples describe the concept best. For example, let’s say that we have a web app that takes an XML file as input and displays it in a table.
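To make that concrete from the defender's side, here is an added example (not code from the original post) of the parsing step such a web app would run: it reads a contacts document of the same shape as the sample input, collects the rows for the table, and refuses any document that carries a DOCTYPE at all, so no entity, internal or external, can ever be declared. It uses only the Python standard library's `xml.sax` parser; the contacts documents embedded in it are constructed sample inputs, and the class and function names are my own.

```python
import html
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

# Constructed sample input, same shape as the contacts file in the post.
SAMPLE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<contacts>
  <contact>
    <login>bobw</login>
    <name>Bob Walker</name>
    <email>firstname.lastname@example.org</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>email@example.com</email>
  </contact>
</contacts>
"""

# Constructed input with a harmless internal DTD: the guard rejects it anyway,
# because a table-upload feature has no legitimate need for a DOCTYPE.
DTD_SAMPLE_XML = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE contacts [<!ENTITY co "Example Corp">]>'
                  b'<contacts><contact><login>x</login><name>&co;</name>'
                  b'<email>x@example.com</email></contact></contacts>')

FIELDS = ("login", "name", "email")


class DoctypeNotAllowed(ValueError):
    """Raised when the uploaded document carries a DTD of any kind."""


class DoctypeGuard:
    """Lexical handler (hypothetical name): the SAX parser calls startDTD the
    moment it sees <!DOCTYPE ...>, before any entity in it could be used."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeNotAllowed(f"DOCTYPE '{name}' rejected: DTDs are not accepted")

    # The other lexical events are irrelevant here but must exist.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


class ContactsHandler(ContentHandler):
    """Collects one dict per <contact> element."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None
        self._field = None
        self._buf = []

    def startElement(self, name, attrs):
        if name == "contact":
            self._row = {}
        elif self._row is not None and name in FIELDS:
            self._field, self._buf = name, []

    def characters(self, content):
        if self._field is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == self._field:
            self._row[name] = "".join(self._buf).strip()
            self._field = None
        elif name == "contact" and self._row is not None:
            self.rows.append(self._row)
            self._row = None


def parse_contacts(data: bytes) -> list:
    """Parse an uploaded contacts document with entity resolution disabled."""
    handler = ContactsHandler()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    parser.setProperty(property_lexical_handler, DoctypeGuard())  # no DTD at all
    parser.parse(io.BytesIO(data))
    return handler.rows


def render_table(rows) -> str:
    """Build the HTML table; every cell is escaped so the display step is safe too."""
    out = ["<table>", "<tr>" + "".join(f"<th>{f}</th>" for f in FIELDS) + "</tr>"]
    for row in rows:
        cells = "".join(f"<td>{html.escape(row.get(f, ''))}</td>" for f in FIELDS)
        out.append(f"<tr>{cells}</tr>")
    out.append("</table>")
    return "\n".join(out)


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the policy above, False if it was rejected."""
    try:
        parse_contacts(data)
        return True
    except DoctypeNotAllowed:
        return False


if __name__ == "__main__":
    print(render_table(parse_contacts(SAMPLE_XML)))
    print("DTD sample accepted:", is_accepted(DTD_SAMPLE_XML))
```

Turning off the two `feature_external_*` flags is the documented `xml.sax` setting that stops external entities being fetched; the `DoctypeGuard` goes one step further and fails closed on any DTD, which is the usual policy when the application defines the schema itself and an attacker is the only party who would add one.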
Here’s a sample input file-
```xml
<?xml version="1.0" encoding="utf-8"?>
<contacts>
  <contact>
    <login>bobw</login>
    <name>Bob Walker</name>
    <email>firstname.lastname@example.org</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>email@example.com</email>
  </contact>
</contacts>
```
This is processed and displays the following-