Q. What is XML?
⇒ It is the Extensible Markup Language, designed to store and transport data. It defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
Q. What is XML External Entity?
⇒ XML external entities are a type of custom entity whose value is loaded from outside the DTD (Document Type Definition) in which they are declared. An external entity is declared with the SYSTEM keyword, pointing at either a URL or a local file:
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com" > ]>
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>
Explanation of the flyer above, made by @sec_r0 ⇒
Where is the problem?:- The server exposes an API that expects XML request data, and the client sends XML that contains an external entity. The server then processes this client input with a weakly configured XML parser, so the response the client receives may contain data pulled in from the external entity.
XML:- As the flyer says, it is a markup language for unstructured textual data. The root tag contains all other tags. All tags in XML are container tags, which means that every tag that is opened must also have a closing tag.
Entity:- XML entities are a way of representing an item of data within an XML document instead of using the data itself. In the flyer you can see that in the second line we declare an entity named attack and give it a value. &attack; is an entity reference, which means it stands for that data: the parser replaces it with the entity's value when the document is parsed.
External Entity:- Here you can see that we declare an external entity with the SYSTEM keyword and a value, which we call URL. We then simply reference the entity we named attack, which holds our external entity and expands when the document is parsed. This URL can use either the file:// or the http:// protocol, which is how external data ends up being returned inside the XML.
We would like to break this attack into sub-steps to give you a clearer view of the whole attack:-
Step1 ⇒ Once the attacker finds an endpoint for an XXE attack, he/she creates an XML payload containing an XML external entity, stores file:///etc/passwd in the entity called attack, and then references it with &attack;, so that the content of the /etc/passwd file will appear in place of &attack;. Finally, the attacker sends this payload to the server.
Step2 ⇒ At the end, the server processes the XML payload with its weakly configured XML parser and responds to the attacker with the content of /etc/passwd.
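As an added example (not part of this post or of the SecurityZines flyer), the following Python uses the standard library's expat parser to show both halves of the story above: first, how a parser substitutes an entity reference such as &attack; with the entity's declared value (the Entity section), and second, what a parser that is not weakly configured looks like: it refuses the DOCTYPE outright, so neither internal nor external (SYSTEM) entities can ever be declared, which is the mitigation for Step 2. The sample XML documents and the file:///placeholder/path system identifier are constructed for this example.

```python
import xml.parsers.expat

# Constructed sample documents (not taken from the flyer). The external
# entity points at a placeholder path; the hardened parser never opens it.
BENIGN_XML = b"<order><item>book</item><qty>2</qty></order>"
INTERNAL_ENTITY_XML = (
    b'<!DOCTYPE foo [ <!ENTITY attack "expanded-by-parser"> ]>'
    b"<order><item>&attack;</item></order>"
)
EXTERNAL_ENTITY_XML = (
    b'<!DOCTYPE foo [ <!ENTITY attack SYSTEM "file:///placeholder/path"> ]>'
    b"<order><item>&attack;</item></order>"
)


class ForbiddenDTD(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def _collect_text(parser):
    """Attach a character-data handler and return the list it fills."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_permissive(data: bytes) -> str:
    """Default expat behaviour: references to entities declared in the
    internal DTD subset are substituted with the entity's value, so the
    text that comes back is whatever the DTD author put there."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = _collect_text(parser)
    parser.Parse(data, True)
    return "".join(chunks)


def parse_hardened(data: bytes) -> str:
    """Refuse DTDs before the internal subset is read, so no entity of any
    kind can be declared, and block external references as a second layer."""
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE '{name}' not allowed in untrusted input")

    def reject_entity(name, is_parameter, value, base, system_id, public_id, notation):
        raise ForbiddenDTD(f"entity declaration '{name}' not allowed")

    def reject_external_ref(context, base, system_id, public_id):
        raise ForbiddenDTD(f"external entity reference to {system_id!r} blocked")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    chunks = _collect_text(parser)
    parser.Parse(data, True)
    return "".join(chunks)


def classify(data: bytes) -> str:
    """Outcome a request handler would log for an incoming XML body."""
    try:
        parse_hardened(data)
        return "ok"
    except ForbiddenDTD:
        return "rejected"


if __name__ == "__main__":
    print("permissive, internal entity:", parse_permissive(INTERNAL_ENTITY_XML))
    for label, doc in [("benign", BENIGN_XML),
                       ("internal entity", INTERNAL_ENTITY_XML),
                       ("external entity", EXTERNAL_ENTITY_XML)]:
        print(f"hardened, {label}: {classify(doc)}")
```

Bare expat does not fetch a SYSTEM identifier on its own; that only happens when the application installs an ExternalEntityRefHandler that resolves it, or when a higher-level library built on a resolving parser does so for it, which is what the "weakly configured parser" in the flyer amounts to. Rejecting the DOCTYPE before the internal subset is parsed blocks both the internal and the external case and is the simplest mitigation whenever the application has no legitimate need for DTDs.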
Wait, let me end this in the most satisfying hacker manner:-
Do you want to download the HD version of this flyer for free? Why not go to SecurityZines to download the original, clear version of the XXE flyer explained above? Link below.
⇒ SecurityZines XXE - XML External Entity Attack Flyer