What is XML External Entity Injection? Find, Test and Prevent XXE Vulnerabilities
What is XML External Entity Injection?
XML external entity injection or XXE, is a type of web security vulnerability and an application-layer cybersecurity attack. This vulnerability allows the hacker to interfere with an application while it is processing XML data.
The attacker can inject unsafe XML entities into the application and can interact with systems to which the application has access. The hackers can also view files on the server and even perform remote code execution (RCE).
Outdated or not adequately configured XML parsers cause XXE vulnerabilities. The attacker can exploit the underlying server or other back-end infrastructure through the XXE attack. They can also use the XXE vulnerability to make server-side request forgery (SSRF) attacks as well. XXE vulnerabilities can also cause local file inclusion (LFI), directory traversal, network port scanning, and denial of service (DoS).
Impact of XXE Attacks
The XXE attacks impact both the application and other systems connected to it. Let’s get to know in detail the impacts of XXE attacks:
Password Retrieval
Hackers can retrieve sensitive data like passwords from the vulnerable application. This may cause unauthorized access to user accounts and further exploit them.
Directory Traversa
The hackers can also perform directory traversal and get access to sensitive paths on the local server. This threat may expose configuration files, user data, and other important information to the hacker.
Denial of Service (DoS)
The attacker can access a large number of resources or open too many threads on the local server to perform a denial of service (DoS). The DoS will make the server unresponsive and will disrupt the service for actual users.
Access to Connected Systems
The hackers can gain access to other connected systems with the application through the attack. This impact will compromise the entire network and will cause widespread data breaches.
Port Scanning and SSRF
In connected systems, the attacker can perform port scanning or server-side request forgery (SSRF) attacks. This attack will reveal open ports and will help the attacker in exploiting internal services.
Remote Code Execution
In some cases, if the XML processor library is vulnerable to client-side memory corruption issues, then hackers can also perform remote code execution through the application.
What Are the Types of XXE Attacks?
Now, let us discuss the types of XML external entity attacks.
XXE Attack to Retrieve Files
In an XXE attack, the attacker modifies the submitted XML of an application to retrieve any arbitrary file from the server’s filesystem. The attacker creates a DOCTYPE element and introduces it to the application as an external entity. This entity has the path to the file in it. Then, the attacker reaches the file and edits the XML data value.
XXE Attack to Perform SSRF
Attackers can use an XXE attack to help in performing server-side request forgery (SSRF) as well. Here, the attacker commands the application to make requests to malicious URLs. The application helps the attacker to define an external entity with the target URL and then use it in the response’s data value.
Recommended: What is Cross Site Request Forgery (CSRF)? Example, Mitigation and Prevention
The attacker can now see the responses from the URL in the application’s response. The attacker can also perform a blind SSRG attack and cause damage to the system even without seeing the responses provided by the application.
Blind XXE Attack to Exfiltrate Data
In most XXE vulnerabilities, the application doesn’t return any values from external entities, which means they are blind. In this case, the attackers cannot directly get hold of server-side files.
Recommended: What is Blind XSS? How to Detect and Prevent Blind XSS Attacks & Vulnerabilities?
However, they can detect any blind XXE vulnerabilities with some advanced techniques, such as out-of-band data exfiltration. They can even trigger an XML parsing error to perform malicious tasks through the application.
Blind XXE Attack to Generate Error Messages
The hacker can trigger any XML parsing error and create any error message in blind XXE vulnerabilities. This generates an error message that is effective for any application that will respond with another error message to the hacker. The attacker can use a malicious external DTD and put any error message in the application. It will then give the hacker the contents of a password file.
Parameter Entity Injection
In this type of XXE, the attacker manipulates the parameter entities within the Document Type Definition (DTD) of an XML document.
With this technique, the attackers receive similar outcomes to the external entity injection by injecting malicious entities. This technique can be applied to reading files or executing code to extract sensitive data.
Entity Expansion
This type of XXE attack causes DoS conditions. With this technique, the attacker can produce many more nested entities in the XML document, and the XML parser consumes a large amount of memory because of that. It then leads to a denial of service (DoS) condition.
XXE via File Upload
Any attacker can upload malicious XML files that have XXE payloads in them if the application accepts and processes XML files without proper validation. In the processing of the file within the application, the payloads will trigger the XXE vulnerabilities in it.
XPath Injection
XPath is a query language, and it helps in extracting data from XML documents. In this type of XXE attack, the attacker puts malicious XPath queries into the XML document. These XPath queries allow hackers to extract sensitive data from the document.
XXE in SOAP Web Services
XML-based SOAP web services can also cause XXE attacks. While making a SOAP request, the attacker can inject malicious XML payloads into it. This malicious XML payload will attack the XXE vulnerabilities in the server-side XML processing logic.
How to Find and Test XXE Vulnerabilities?
Here are some steps that you can follow to find and test XXE vulnerabilities on an application.
Using Automated Tools
By using some reputed automated tools like SiteLock, you can detect any XML vulnerabilities by scanning the application.
Identifying the XML Parser
Figure out which XML parser the application has used and then determine the vulnerability. Because different XML parsers have different types of vulnerabilities.
Penetration Testing
This testing method is a very effective tool for detecting any XML vulnerabilities. Some of the test cases that you should consider in penetration testing are discussed below:
Submit a Test Payload
Give the application a test payload that has an external entity reference. If the application provides you with data as a response from the external entity, then the application is vulnerable to XXE attacks.
Submit a Malicious Payload
You can give a malicious payload that has an external entity in the application. Give a payload that is suitable for reading sensitive files or executing arbitrary code. If your application works according to the external entity, then it is prone to XXE attacks.
Check for Error Messages
As the XML parser is processing the payload, look for error messages. If the payload is processed without any errors, then the application is vulnerable to XXE attacks.
Test for Blind XXE
Blind XXE attacks use out-of-band techniques to read any sensitive data in the application. If you want to test blind XXE attacks, then give your application a payload with a URL or another external reference. Then, check if the application is trying to access the external resource. If it does, it might get attacked by Blind XXE.
Ongoing Vulnerability Testing
Testing for XXE attacks is a continuous task. The application might develop vulnerabilities as it evolves. So, it is recommended that you scan your applications through penetration testing every six months.
Best Practices to Prevent XXE Vulnerabilities
Here are some popular methods that you can use to prevent XXE attacks:
Manual XXE Prevention
You can stop vulnerabilities in the XML by configuring the XML parser to block custom DTDs. Applications usually don’t need DTDs, so blocking them won’t have any impact on your application. However, every parser in different programming languages has different settings for this. If your application uses multiple parsers, then you need to configure each of those parsers manually.
Disable DTD Support
The external DTDs are installed for trusted sources, but the attackers can exploit them easily using malicious sources. If you disable the external DTDs, then you might be able to get rid of XXE attacks. Disabling the entire DTD is not necessary, and you can disable the external entity functionality of the DTD.
Application Server Instrumentation
The application server instrumentation adds checkpoints to some specific code parts. Then, it monitors the execution flow of the code in real time. This instrumentation works as a security sensor inside the server. It gives the coder visibility into the application schema and data.
Using the runtime application self-protection (RASP) technique for personalized protection and interactive application security testing (IAST) to find vulnerabilities during execution would be a good idea.
Recommended: What Is Privilege Escalation? How to Detect and Prevent Privilege Escalation Attacks in Windows
As the XML parser is a part of third-party code in your application, you might miss some parsers. In that case, manual configuration seems risky. But with the instrumentation technique, you can automate XXE prevention.
The instrumentation will also help you monitor critical classes in XML processing, identify external DTD activity, and prevent external code execution. This method also limits the execution time of certain requests, which helps in minimizing DoS attacks.
FAQs
What is XML External Entity Injection?
The XML external entity injection, also known as XXE, is a web security vulnerability. It allows attackers to interfere with an application’s processing of XML data and extract sensitive information from it.
What is DTD in XXE?
The full name of DTD is Document Type Definition. Some XML files contain DTDs, and these DTDs allow the files to define and consume XML entities. It is also possible to detect external entities in XML by using URIs. The XML parser will process this URI and add the resulting content into an XML document.
What is an XML Entity?
XML entities are a way of representing data within an XML document. The entities only show the representation of the data and don’t use the data itself. The building of entities depends on the specification of the XML language.
What is an XML Injection attack?
XML Injection is an attack that manipulates and compromises the logic of an XML application or document. This injection happens when user-supplied input is not properly authenticated before being added to a web application’s XML documents.
What is the Risk of XML Injection?
One of the major risks of XML injection is the exposure of sensitive information. The hackers can manipulate the XML input to access and retrieve confidential data stored on the system. This data can include personally identifiable information (PII), financial records, or proprietary business data.
Trusted Code Signing Certificates
Prevent Code Tampering and Authenticate Code Integrity by Digitally Sign your Code with Trusted Code Signing Certificates.
Get Code Signing Certificate
