XXE or XML External Entity attack is a web application vulnerability that affects a website which parses unsafe XML that is driven by the user. XXE attack when performed successfully can disclose local files in the file system of the website. XXE is targeted to access these sensitive local files of the website that is vulnerable to unsafe parsing.
Types Of XXE Attacks
- File Retrieval XXE: As the name implies, arbitrary files on the application server of a victim company can be exposed to the attacker, if there is an XXE vulnerable endpoint in the target system. This can be carried out by passing an external XML entity in the user-controlled file.
- Blind XXE: It is possible that a target system doesn’t return data from the entities placed by the attacker still being insecure and vulnerable to XXE. This is done by trying out malformed user inputs. These include the input of length more than what the system expects, the wrong data type, special entities, etc. The intention is to make the system fail and check if throws out some sensitive information in the error response.
- XXE to SSRF: Even if the system doesn’t return the response with local file content to the attacker, the system can be still exploited in presence of an XXE attack. The entity can be pointed to a local IP of the target company which can be accessed only by its websites/network. Placing an intranet IP in XXE payload will make the target application call its local endpoint which the attacker won’t have access to otherwise. This type of attack is called SSRF or Server Side Request Forgery.
XML is one of the commonly used data exchange formats. Data can be transferred between User and Website in XML format. Consider a website that accepts User information in form of XML. The XML that is submitted to the website looks like follows,
The website accepts this XML, parses this obtains the Name, Age, and Occupation of records in Input XML, and returns a response of processed names in return.
XML consists of a concept of entities to refer to a single object in an XML document. An entity can be defined in an XML and can be reused multiple times across the website. For example,
test is described as an Entity in an XML document and it can be reused anywhere. It is also possible to lookup an External Entity that refers to some third-party website.
Code To Parse XML Documents
There are multiple XML parsing libraries that parse XML Document and return a Queryable Object. Typically, In Java, XML is parsed as follows,
Carrying Out XXE Attack
Consider the input XML is used controlled. The input is not validated and directly passed to the XML parser. The user may try to upload the following XML file,
When the XML parser parses the XML input it resolves the entity named ‘xxe’ by its definition. From input, the XML entity is defined as System resource “file://etc/passwd” which is a sensitive local file on the website’s application server. The parsed XML replaces the entity with the content of this sensitive local file and may send it back to the user. This is called an XML entity attack.
Protection Against XXE Attacks
The website should protect itself from XXE by disabling entities in user-generated XML content before parsing them. Failing which, the website becomes vulnerable to XXE attack and hence may disclose highly sensitive private information to the attacker. There are multiple ways to disable this based on the application stack and library used to parse the XML source file.
Almost all major XML parsers provide a way to disable XML external entities in the XML parser itself. For the above XML parsing example, the safe version of code looks like follows:
Another common vulnerability associated with XML parsing is called A Billion Laughs Attack. It uses an entity to resolve itself cyclically thereby consuming more CPU usage and causing a denial of service attack. An Example XML payload that can cause an XXE attack is as follows:
The entity keeps getting resolved to itself cyclically thereby slowing down requests and causing a DOS attack on the application. A billion laughs attack can be disabling DOCTYPE as in the above code snippet completely or setting a maximum limit on the evaluation of entities.
Impact Of XXE And A Billion Laughs Attacks
- XXE can cause information leakage, it can leak system files that have critical data.
- Data obtained from XXE can be used to target websites for additional vulnerabilities.
- A billion Laughs can cause service outage or a Denial Of Service attack.