Introduction to XXE Attacks
Before jumping into XXE attacks, you should know about XML (Extensible Markup Language). XML is a popular language for formatting, storing and accessing data, and it is used for purposes ranging from web services (XML-RPC, SOAP, REST) to documents (XML, HTML, DOCX) to image files (SVG, EXIF data). You can create your own tags in XML as needed. To interpret XML data, an application needs an XML parser, also called an XML processor. In this article we will also solve our first XML external entity (XXE) injection lab.
XML Entities
XML entities are used to represent data in XML documents. If you have learned how to declare variables in programming, the idea is the same: an entity is declared under a name and then referenced wherever its value is needed.
This will be a series of articles about XXE injection, in which we will cover PortSwigger’s 9 labs.
XML external entity (XXE) injection
- Exploiting XXE using external entities to retrieve files
- Exploiting XXE to perform SSRF attacks
- Blind XXE with out-of-band interaction
- Blind XXE with out-of-band interaction via XML parameter entities
- Exploiting blind XXE to exfiltrate data using a malicious external DTD
- Exploiting blind XXE to retrieve data via error messages
- Exploiting XInclude to retrieve files
- Exploiting XXE via image file upload
- Exploiting XXE to retrieve data by repurposing a local DTD
Exploiting XML External Entity using external entities to retrieve files
This is the first article in this series, in which we solve the first XML external entity (XXE) injection lab.
Lab Description

In the screenshot above, you can see that this is our first lab. In this lab, the “check stock” feature parses XML input and returns unexpected values in the response. To solve this lab, we need to inject an XML external entity to retrieve data. Specifically, we need to read the /etc/passwd file.
Lab solution

First, access the lab that you want to solve. Then, intercept the stock check request in Burp Suite. After intercepting it, send it to Repeater.

As you can see in the above screenshot, this is a POST request, and it is now showing in Repeater.
To solve the lab, we need to insert an external entity definition between the XML declaration and the stockCheck element.
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

As you can see, we have successfully accessed the internal file /etc/passwd through the external entity.
Now, let’s check in the browser to see whether we have solved the lab. This lab is quite easy and I have tried to teach you in a simple and short way.

As you can see, we have successfully solved the XML external entity injection or XXE injection lab.
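The lab works because the stock check parser accepts a DOCTYPE sent by the client. The following is an added example, not code from the lab or from the original article, of how a stock check handler can refuse any DTD and allow-list its values. The element names productId and storeId, the function names and the sample request bodies are assumptions made for the illustration.

```python
from xml.parsers import expat

class RejectedXML(ValueError):
    """Raised when a request body is not the plain document we expect."""

def parse_stock_check(body: bytes) -> dict:
    """Parse a stock check body without ever accepting a DTD."""
    fields, stack, text = {}, [], []

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        # Entities can only be declared inside a DTD, so refusing the
        # DOCTYPE rules out internal, external and parameter entities.
        raise RejectedXML("DOCTYPE declarations are not accepted")

    def start(name, attrs):
        if not stack and name != "stockCheck":
            raise RejectedXML("unexpected root element")
        stack.append(name)
        text.clear()

    def end(name):
        if len(stack) == 2:  # direct child of <stockCheck>
            fields[name] = "".join(text).strip()
        stack.pop()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = end
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    out = {}
    for key in ("productId", "storeId"):  # assumed field names
        value = fields.get(key, "")
        if not (value.isascii() and value.isdigit()):
            raise RejectedXML(f"{key} must be a decimal integer")
        out[key] = int(value)
    return out

def is_rejected(body: bytes) -> bool:
    try:
        parse_stock_check(body)
        return False
    except RejectedXML:
        return True

# Constructed sample bodies (not captured from the lab).
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
WITH_DTD = BENIGN.replace(b"<stockCheck>", b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><stockCheck>', 1)
```

The body with the DOCTYPE is rejected as soon as the declaration is seen, before any element is processed, and a rejected request is also a useful event to log for detection.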