Krishna Sharma
XXE exploit
XML: The Extensible Markup Language, or XML, is a format for storing and transporting data. It has a tree-like structure of tags and values, similar to HTML, except that XML has no predefined tags such as h1, img or div; tags are custom-named for the data they hold. XML is a widely used data format. It appears in everything from web services (XML-RPC, SOAP, REST) to documents (XML, HTML, DOCX) to image files (SVG, EXIF data).
DTD: A Document Type Definition (DTD) contains declarations that specify the structure of an XML document and the kinds of data values it can hold. The DTD can either be fully self-contained within the XML document (known as an internal DTD) or loaded from a separate location (known as an external DTD). The DTD is declared at the start of the XML document in the DOCTYPE element.
XML Entities: XML entities are a way of representing a piece of data within an XML document instead of writing the data itself. The XML language specification includes a number of predefined entities. The entities &lt; and &gt;, for example, represent the characters < and >. These are metacharacters used to delimit XML markup, so when they occur in data they must be written using their entities.
XML Custom Entities: Custom entities are similar to custom variables in the sense that they can be defined within the DTD, for example <!DOCTYPE foo [ <!ENTITY myentity "my entity value"> ]>. Any reference to the entity &myentity; will then be replaced with the data "my entity value". Knowing that we can define custom entities, we can then define one whose value is taken from the server of an application.
XML External Entities: External XML entities are a kind of custom entity whose definition lies outside the DTD in which they are declared. The SYSTEM keyword is used to declare an external entity, and it must give a URL from which the entity's value can be loaded. External entities also give a way to divide a text into logical parts. Instead of authoring a single text, such as a book with ten chapters, you can split each chapter into its own file and use external entities to "source in" the ten chapters. External entities encourage reuse, since separate documents can link to the same files on your file server. Reusing small, discrete components (figures, legal boilerplate, alarm messages) is relatively simple. Reuse on a wide scale requires an object management scheme, which XML does not provide by itself.
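To make the distinction between the two kinds of custom entity concrete, here is an added Python example (standard library only; it is not code from the article). It uses the DOCTYPE syntax shown above in two constructed documents, classifies the entity declarations as internal or external, and then parses both with ElementTree: the internal entity is substituted by the parser, while the external one is refused because ElementTree has no loader for external entities. The document strings, the placeholder SYSTEM URL and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample documents (not taken from the article). The first declares a
# custom internal entity with the DOCTYPE syntax shown above; the second declares
# an external entity whose value would be loaded from the SYSTEM URL (a placeholder).
INTERNAL_DOC = (
    '<!DOCTYPE foo [ <!ENTITY myentity "my entity value"> ]>'
    '<foo>&myentity;</foo>'
)
EXTERNAL_DOC = (
    '<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///placeholder/path.txt"> ]>'
    '<foo>&ext;</foo>'
)

# General entity declarations in the internal DTD subset (double-quoted literals
# only, to keep the pattern readable):
#   <!ENTITY name "literal">          internal entity
#   <!ENTITY name SYSTEM "uri">       external entity
#   <!ENTITY name PUBLIC "id" "uri">  external entity
ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?P<name>[^\s%]+)\s+'
    r'(?:(?P<kind>SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"(?P<uri>[^"]*)"'
    r'|"(?P<value>[^"]*)")'
)


def declared_entities(doc: str) -> dict:
    """Map each declared entity name to ("internal", literal) or ("external", uri).
    Handy for logging what an inbound document tries to declare before parsing it."""
    found = {}
    for m in ENTITY_DECL.finditer(doc):
        if m.group("kind"):
            found[m.group("name")] = ("external", m.group("uri"))
        else:
            found[m.group("name")] = ("internal", m.group("value"))
    return found


def expand_with_elementtree(doc: str) -> str:
    """Parse the document and return the root element's text.

    expat substitutes internal entities itself, so &myentity; becomes the literal.
    ElementTree installs no loader for external entities, so a reference to one
    surfaces as ParseError("undefined entity ...") instead of fetched content.
    """
    try:
        return ET.fromstring(doc).text or ""
    except ET.ParseError as exc:
        return "refused: " + str(exc)


if __name__ == "__main__":
    for doc in (INTERNAL_DOC, EXTERNAL_DOC):
        print(declared_entities(doc), "->", expand_with_elementtree(doc))
```

Running the script prints the internal entity's literal for the first document and a `refused: undefined entity &ext;` line for the second; other parsers (PHP's libxml, Java's DOM) differ exactly in whether that second case loads the URL, which is the whole XXE question.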
XML External Entity Injection: XML external entity injection (also known as XXE) is a web security flaw that allows an attacker to interfere with an application's processing of XML data. An attacker can often read files on the application server's filesystem and interact with any back-end or external systems that the application itself can reach. XXE injection attacks target web applications that handle XML input and take advantage of their support for XML external entities. Attackers can use specially crafted DOCTYPE declarations in XML documents to carry out attacks such as denial of service, server-side request forgery (SSRF), and even remote code execution. XML entities can be used for a lot more than just reducing application availability. This is because XML entities do not have to be defined inside the XML text itself: they may originate from a variety of places, including external sources (hence the name XML External Entity).
XXE Attack Vectors: XXE can be used to carry out various attacks depending on the vector, but I am sharing a few examples here that help to understand how entities can be used to carry out an attack.
• XXE Injection to access files.
• XXE Injection to SSRF.
• XXE Injection to Malicious File Upload.
XXE Injection to access files: To execute an XXE injection that retrieves an arbitrary file from the server's filesystem, you must change the submitted XML in two ways: define (or edit) a DOCTYPE element that declares an external entity containing the file's path, and edit a data value in the XML that is returned in the application's response so that it uses the defined external entity.
XXE Injection to SSRF: To execute an SSRF attack using an XXE vulnerability, you must define an external XML entity using the URL you want to target, and then use the defined entity within a data value. If that data value is returned in the application's response, you will see the response from the URL within the application's response and thereby obtain two-way interaction with the back-end system. If not, you will only be able to carry out blind SSRF attacks.
XXE Injection to Malicious File Upload: Some applications allow users to upload files that are then stored on the server. Many popular file formats use or contain XML subcomponents, for example office document formats such as DOCX and image formats such as SVG. Even if an application expects JPEG or PNG files, the image-processing library it uses may still accept and process SVG files. Since SVG files are made of XML, they can be used as another vector for XXE injection.
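The upload vector above comes down to trusting the client's filename or Content-Type instead of the bytes. The following added Python example (not from the article) shows the defender's check: identify the upload by its magic bytes, and if SVG is allowed at all, refuse any SVG that carries a DOCTYPE, since that is where entities get declared. The sample uploads, the placeholder SYSTEM URL and the function names are constructed for this example.

```python
# Constructed sample uploads (not from the article): a JPEG prefix, the PNG
# signature, and a small SVG carrying a DOCTYPE with an external entity reference.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SAMPLE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///placeholder/path.txt"> ]>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>'
)


def sniff_image(data: bytes) -> str:
    """Classify an upload by its leading bytes, ignoring whatever the client
    claimed. Returns "jpeg", "png", "svg", "xml" (XML that is not SVG) or "unknown"."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    head = data.lstrip()[:512].lower()
    if b"<svg" in head:
        return "svg"
    if head.startswith(b"<?xml") or head.startswith(b"<!doctype"):
        return "xml"
    return "unknown"


def accept_upload(data: bytes, claimed_type: str = "image/png",
                  allowed=("jpeg", "png")) -> tuple:
    """Upload policy: the body must really be one of the allowed raster formats;
    SVG is accepted only when listed explicitly, and never with a DOCTYPE
    (the XML keyword is case-sensitive, so a substring test is sufficient)."""
    kind = sniff_image(data)
    if kind not in allowed:
        return (False, f"rejected: body is {kind}, client claimed {claimed_type}")
    if kind == "svg" and b"<!DOCTYPE" in data:
        return (False, "rejected: SVG declares a DOCTYPE")
    return (True, f"accepted: {kind}")


if __name__ == "__main__":
    for sample in (JPEG_SAMPLE, PNG_SAMPLE, SVG_SAMPLE):
        print(accept_upload(sample))
    print(accept_upload(SVG_SAMPLE, "image/svg+xml", allowed=("jpeg", "png", "svg")))
```

An SVG that passes this gate still has to be handed to a parser with DTDs or external entities disabled; the upload check only stops the obvious cases before the XML library is involved.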
Mitigation: Document Type Definitions are the oldest type of document specification, dating back to SGML, and they are what XML external entity attacks rely on. As a result, removing DTD support is the most effective way to eliminate XXE vulnerabilities. If that isn't possible, you can disable only the external entity support; in PHP this is done by calling libxml_disable_entity_loader(true). Note that libxml 2.9 and later disable external entity loading by default, and the function is deprecated as of PHP 8.0.
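Both the mitigation above (reject DTDs entirely, otherwise disable external entity loading) and the file-retrieval vector described earlier can be checked from the defender's side with this added Python example (standard library only; it is not the article's code). The `feature_external_ges` switch of `xml.sax` plays the role of PHP's entity-loader setting. The audit writes a canary file, references it from an external entity in a constructed document, and reports what the parser put into the text: an empty string for a hardened parser, the canary for a vulnerable configuration. The `has_doctype`, `parse_text` and `audit_parser` names, the canary and the sample document are this example's own; it assumes a POSIX path for the `file://` URL.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def has_doctype(xml_bytes: bytes) -> bool:
    """First line of defence from the article: if the application never needs a
    DTD, refuse any document that declares one. The XML keyword is
    case-sensitive, so a plain substring test is enough."""
    return b"<!DOCTYPE" in xml_bytes


class _TextCollector(ContentHandler):
    """Collect character data so we can see what the parser substituted for an entity."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes: bytes, load_external_entities: bool) -> str:
    """Parse with xml.sax and return the concatenated character data.
    feature_external_ges is the switch that decides whether SYSTEM entities
    are fetched; since Python 3.7.1 it defaults to off, and here it is set
    explicitly so the two configurations can be compared."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, load_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def audit_parser(load_external_entities: bool) -> str:
    """Self-test for a parser configuration: write a canary file, reference it
    from an external entity in a constructed document, and return whatever
    ended up in the parsed text. A hardened parser returns ''."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("CANARY-VALUE-DO-NOT-LEAK")
        canary = f.name  # absolute POSIX path assumed for the file:// URL below
    try:
        doc = (
            b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE data [ <!ENTITY ext SYSTEM "file://' + canary.encode() + b'"> ]>\n'
            b"<data>&ext;</data>"
        )
        return parse_text(doc, load_external_entities)
    finally:
        os.unlink(canary)


if __name__ == "__main__":
    print("external entities off:", repr(audit_parser(False)))
    print("external entities on: ", repr(audit_parser(True)))
```

Run the audit against the parser settings your application actually uses; if the canary comes back, the external entity loader is on and the file-read vector described above applies. The `has_doctype` gate in front of the parser removes the question altogether for applications that never need a DTD.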