XML External Entity Injection (XXE)

An XML external entity vulnerability is a class of attacks that target applications that handle XML input. Extensible Markup Language (XML) is a markup language that defines rules for the encoding of documents. The XML format is both human-readable and machine-readable. XML is defined by standards and specifications such as the World Wide Web Consortium’s (W3C) initial 1.0 specification in 1998 followed subsequently by the 1.1 specification in 2006. 

A Document Type Definition (DTD) primarily describes the tree structure of a document and information about the data it contains. DTDs include markup affirmations that define a type of document for the Standard Generalized Markup Language (SGML) family including GML, SGML, HTML, and XML. SGML  is a standard for how to specify a document markup language. SGML specifications are themselves a document type definition (DTD). SGML is not in itself a document language, but a description of how one should be specified.

XML is a widely used data format relied upon for web services (SOAP, REST), documents (XML, HTML, DOCX), images and more. Applications must have an XML parser (or perhaps an XML processor)to interpret the XML data. When the XML parser interprets a malicious payload as standard XML data,  which can end up accessing or extracting sensitive data on the server.

The attack chain begins when an XML input that contains a reference to an external entity is processed by a poorly configured XML parsing engine. Immediate challenges can include the breach of data, server-side request forgery, denial of service, and more. 

Attacks can include the exfiltration and disclosure of locally stored files – the goal of the threat actor is to get passwords, intellectual property, sensitive information. The attack vector through trusted applications further enables the threat actor to use these trusted applications as a pivot point to other targeted systems. 

XXE Attack Variations

There are many types of XXE attacks to include exploiting:

• XXE to exfiltrate files. This is where an external entity is defined as containing the contents of a file which is returned in the response by the application. In order to utilize XXE to exfiltrate files from the server’s filesystem, XML which is submitted can be modified to introduce or edit a DOCTYPE element that specifies and external entity which contains a path to the file. Alternatively you can edit data in the XML that is returned in the application’s response, such that it makes use of the defined external entity.
• Blind XXE to exfiltrate data “out-of-band”. This is where sensitive data may be transmitted to the system that the threat actor controls by the application server. Many types of XXE vulnerabilities are blind. Blind means that the application does not return the values of any defined external entities within responses. Direct retrieval of server-side files is therefore not possible. Blind XXE vulnerabilities can be detected and exploited, but more advanced techniques and greater levels of skill are required. Out-of-band techniques can be used to find vulnerabilities and exploit them to exfiltrate data. Triggering XML parsing errors can lead to disclosure of sensitive data within error messages.
• Blind XXE to retrieve data via the use of error messages. This is where the threat actor can trigger parsing error messages which contain sensitive data.
• XXE to perform server-side request forgery (SSRF) attacks. This is where an external entity is defined by a URL to a back-end system. This vulnerability results in the server-side application making HTTP requests to any URL that the server can access. To exploit an XXE vulnerability to perform this attack, you need to define an external XML entity using the target URL. Then you can use the defined entity within a data value. If the defined entity within a data value that is returned in the application’s response, then the response from the URL within the response can be viewed, and thereby two-way interaction with the back-end system is achieved.

Prevention of XXE Attacks

Ideally, the XML processor must be configured to use DTD that is locally defined. The XML processor should disallow any inline DTD that may be submitted or specified in user XML documents. 

There are many XML engines available for different programming languages. Each of these XML engines has a mechanism for disabling inline DTD to, in turn, prevent XXE. 

As noted earlier XXE vulnerabilities exist because the application’s XML parsing library supports potentially dangerous XML features. These features are often nor required by the application. If you disable those features you eliminate the possibility of and XXE attack. It is also effective to disable resolution of external entities and also to disable support for XInclude. You can make these via configuration options or by programmatically overriding default behavior.