
XXE Injection

XML External Entity (XXE) injection occurs when an XML parser that resolves external entities processes attacker-controlled input. Depending on the parser and the application, the impact ranges from reading local files and data exfiltration to denial of service (DoS) and, in some configurations, remote code execution. This guide explains how XXE attacks work, how they are exploited, and the parser settings and practices that prevent them.

How XXE Attacks Work

XXE vulnerabilities arise due to the misuse of XML Document Type Definitions (DTDs) and external entity processing. Attackers can inject malicious entities into XML payloads, causing the application to fetch remote resources, access local files, or perform unintended network requests.

Exploitation Techniques

  1. Basic Data Exfiltration: Attackers craft an XML payload with an external entity referencing a local file.
  2. Blind XXE: When no direct output is available, attackers use error messages or timing-based techniques to infer file contents.
  3. Out-of-Band XXE (OOB-XXE): Uses an external server to receive exfiltrated data, bypassing security measures.
  4. XXE + SSRF (Server-Side Request Forgery): Attackers exploit XXE to force the server into making unauthorized network requests.

Example Malicious XML Payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>

If processed by a parser that resolves external entities, the response would include the contents of /etc/passwd wherever the application echoes the value of the foo element.

Avoiding Misconfigurations

Misconfigurations in XML parser settings are a primary cause of XXE vulnerabilities. Properly adjusting these settings can mitigate risks significantly.

General Best Practices

  • Disable External Entities and DTDs: Most XXE vulnerabilities arise from external DTD processing.
  • Use Less Complex Data Formats: JSON and other data formats do not support external entities, reducing attack vectors.
  • Allow-list input validation: Validate XML against a strict schema and sanitize (escape) the special characters <, >, &, ', and " in any data that is inserted into XML.

Java

Disable external entities in DocumentBuilderFactory:

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Reject any DOCTYPE outright; this single feature defeats almost all XXE payloads.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth for parsers where a DOCTYPE must be tolerated:
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
// Throws ParserConfigurationException if the underlying parser does not support a feature.
DocumentBuilder db = dbf.newDocumentBuilder();

.NET

Configure XmlReaderSettings to prevent DTD processing:

using System.Xml;

XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit; // any DOCTYPE makes the reader throw XmlException
settings.XmlResolver = null;                      // never fetch external resources, even if DTDs are later allowed
XmlReader reader = XmlReader.Create(stream, settings);

PHP

Disable external entity loading:

<?php
// PHP < 8.0: explicitly disable external entity loading for all libxml-based parsers.
// Deprecated as of PHP 8.0, where libxml >= 2.9.0 already disables it by default.
// On every version, never pass LIBXML_NOENT to loadXML() or simplexml_load_string().
libxml_disable_entity_loader(true);

Python

Use defusedxml, a secure XML library:

from defusedxml.ElementTree import parse

# defusedxml raises DTDForbidden, EntitiesForbidden or ExternalReferenceForbidden
# instead of resolving anything; use it in place of xml.etree for untrusted input.
et = parse(xml_input)
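As an added example that is not part of the original page, the following standard-library Python code does what the Java disallow-doctype-decl feature and the .NET DtdProcessing.Prohibit setting above do: it reports the DOCTYPE and entity declarations a document carries without resolving any of them, and refuses to parse input that has a DOCTYPE. The function names, the UnsafeXml exception and the two sample documents are my own constructions.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when untrusted XML carries a DOCTYPE declaration."""


def inspect_xml(data: bytes) -> dict:
    """Report the DTD constructs a document declares, resolving none of them."""
    report = {"doctype": None, "external_entities": [], "internal_entities": []}
    parser = expat.ParserCreate()
    # Never read an external DTD subset or parameter entity (the blind/OOB vector).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = {"name": name, "system_id": system_id, "public_id": public_id}

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:  # SYSTEM or PUBLIC entity
            report["external_entities"].append((name, system_id))
        else:
            report["internal_entities"].append(name)

    def on_external_ref(context, base, system_id, public_id):
        return 0  # refuse to dereference; expat then aborts with an error caught below

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # refused reference or malformed input: report what was declared so far
    return report


def parse_untrusted(data: bytes) -> ET.Element:
    """Counterpart of Java's disallow-doctype-decl and .NET's DtdProcessing.Prohibit."""
    if inspect_xml(data)["doctype"] is not None:
        raise UnsafeXml("DOCTYPE declarations are not accepted from untrusted input")
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    try:
        return parse_untrusted(data) is not None
    except UnsafeXml:
        return False


# Constructed samples: the payload shown above, and a harmless document.
MALICIOUS = b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
BENIGN = b'<?xml version="1.0"?><foo>hello</foo>'
```

inspect_xml() is also useful on its own in a request gateway or a log-replay job, since it tells you which kind of DTD construct a rejected document carried.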

Regularly Update and Patch

  • Software Updates: Keep XML processors and libraries up to date so that parser security fixes are applied.
  • Security Patches: Apply updates to web applications and their environments regularly.

Security Awareness and Code Reviews

  • Conduct Code Reviews: Regularly review XML-handling code for vulnerabilities.
  • Promote Security Training: Educate developers on secure coding practices to mitigate XML-related risks.