XML: The extensible markup language, or XML, is a template for storing and transporting data. It has a tree-like structure of tags and files, identical to HTML, except there are no predefined tags in XML, such as h1, img, div, and so on; tags are custom named for the data they reflect. Extensible Markup Language (XML) is a widely used data format. It can be used in everything from web services (XML RPC, SOAP, REST) to documents (XML, HTML, DOCX) to image files (XML, HTML, DOCX) (SVG, EXIF data).
DTD: It includes declarations that can specify the configuration of an XML document, as well as the kinds of data values it can hold. The DTD can either be fully self-contained within the XML document (known as internal DTD) or it can be loaded from a separate location (known as external DTD). The DTD is declared at the start of the XML document in the DOCTYPE element.
XML Entities: Instead of using the data itself, XML entities are a way of describing a piece of data within an XML document. The XML language specification includes a number of individuals. The entities < and >, for example, represent the characters and >. These are metacharacters that are used to describe XML identifiers, and they must be interpreted in data using their entities.
XML Custom Entities: Custom entities are similar to custom variables in the sense that they can be generated within the DTD. !DOCTYPE foo [!ENTITY myentity “my entity value” > ]>, for example. Any references to the entity &myentity; will be replaced with the data “my entitiy value” in this case. Knowing that we can generate custom entities, we can then create one using predefined data from the server of an application.
XML External Entities: External XML entities are a kind of custom entity that has its meaning outside of the DTD in which it is declared. The SYSTEM keyword is used to declare an external object, and it must define a URL from which the entity’s value can be loaded. External organizations have a way to divide the text into logical parts. Instead of authoring a single text, such as a book with ten chapters, you can split each chapter into its own file and use external organizations to “source in” the ten chapters. External organizations have an incentive for reuse and they will link to the same files on your file server in separate documents. It’s relatively simple to reuse thin, discrete components (figures, legal boilerplate, alarm messages). Reuse on a wide scale necessitates the use of an object management scheme, which XML does not have for itself.
XML External Entity Injection: A web security flaw known as XML external object injection (also known as XXE) allows an attacker to mess with an application’s processing of XML data. An intruder will often view files on the application server filesystem and communicate with any back-end or external applications that the application can reach. XXE injection attacks target web applications that handle XML inputs and take advantage of support for XML external entities. Attackers can use specially designed DOCTYPE descriptions in XML files to carry out attacks such as denial of service, server-side request forgery (SSRF), and even remote code execution. XML entities can be used for a lot more than just lowering application availability. This is due to the fact that XML entities do not need to be described in the XML text. In reality, XML entities may originate from a variety of places, including external sources (hence the name XML External Entity).
XXE Attack Vectors: Though it has possibilities to carried out various vulnerabilities as per the attack vectors but I am sharing few of the examples here which help to understand “How to play with Entities to carried out any attack”.
• XXE Injection to access files.
• XXE Injection to SSRF.
• XXE Injection to Malicious File Upload.
XXE Injection to access files: You must change the submitted XML in two ways to execute a XXE injection that retrieves an arbitrary file from the server’s filesystem: Create (or edit) a DOCTYPE variable that specifies an external object that contains the file’s path. To use the specified external object, edit a data value in the XML that is returned in the application’s response.
XXE Injection to SSRF: To execute an SSRF attack using a XXE vulnerability, you must first identify an external XML entity using the URL you want to hit, and then use the specified entity within a data value. You would be able to see the response from the URL within the application’s response if you can use the given entity within a data value that is returned in the application’s response, and thereby obtain two way access with the back-end method. If you don’t, you’ll just be able to carry out blind SSRF assaults.
XXE Injection to Malicious File Upload: Users will upload files to be stored on the server in certain programmes. Any popular file formats, such as office document formats like DOCX and image formats like SVG, use or include XML subcomponents. And if an application expects JPEG or PNG file formats, it can must accept and
process SVG files. Since SVG files are made up of XML, they can be used as another vector for a XXE injection.
Mitigation: Document Form Definitions are the oldest type of document specification, dating back to SGML, and are used in XML external entity attacks. As a result, removing DTD support is the most effective way to eliminate XXE vulnerabilities. If it isn’t possible, you can disable only the external entity support – in PHP, this is achieved by setting libxml disable entity loader to false (true).
Get In Touch
How Can We Help ?
We make your product happen. Our dynamic, robust and scalable solutions help you drive value at the greatest speed in the market