What is an XXE Attack?

Introduction

XXE (XML External Entity attack) is now increasingly being found and reported in major web applications such as Facebook, PayPal, etc. For instance, a quick look at the recent Bug Bounty vulnerabilities on these sites confirms this. Although XXE has been around for many years, it never really got as much attention as it deserved. Most XML parsers are vulnerable to it by default, which means it is the responsibility of a developer to make sure that the application is free from this vulnerability. In this article we will explore what XML external entities are and how they can be attacked.

What are XML external entities?

For someone who is not aware of XML, you can think of it as something that is used to describe data. Thus, two systems which are running on different technologies can communicate and exchange data with one another using XML. For example, below is a sample XML document which describes an employee. The ‘name’ ‘salary’ and ‘address’ are called XML elements.

Now these XML documents can contain something called ‘entities’ defined using a system identifier and are present within a DOCTYPE header. These entities can access local or remote content. For example, below is a sample XML document that contains XML entities.

In the above code, the external entity ‘entityex’ is declared with the value file:///etc/passwd. During XML parsing, this entity will be replaced with the respective value. The use of keyword ‘SYSTEM’ instructs the parser that the entity value should be read from the URI that follows. Thus, when the entity value is used many times, this would seem very helpful.

What is an XXE attack?

With XML entities, the ‘SYSTEM’ keyword causes an XML parser to read data from a URI and permits it to be substituted in the document. Thus, (Read more...)