DEV Community

Anna Shipman

Understanding XML External Entity Injection: How to Detect and Prevent XXE Attacks

XML external entity injection, or XXE, is a web security vulnerability and an application-layer attack. It allows an attacker to interfere with an application while it is processing XML data.

The attacker injects unsafe XML entities into the application and, through them, can interact with systems the application has access to. Attackers can also read files on the server and, in some cases, achieve remote code execution (RCE).

XXE vulnerabilities arise from outdated or inadequately configured XML parsers. Through an XXE attack, the attacker can target the underlying server or other back-end infrastructure, and can also use the vulnerability to carry out server-side request forgery (SSRF). XXE can further lead to local file inclusion (LFI), directory traversal, network port scanning, and denial of service (DoS).

Impact of XXE Attacks

XXE attacks affect both the application and the systems connected to it. The main impacts are:

Directory Traversal

Attackers can perform directory traversal and gain access to sensitive paths on the server. This can expose configuration files, user data, and other important information.

Password Retrieval

Attackers can retrieve sensitive data such as passwords from the vulnerable application. This can lead to unauthorized access to user accounts and further exploitation.

Denial of Service (DoS)

The attacker can make the server consume a large amount of resources or open too many threads, causing a denial of service (DoS). This makes the server unresponsive and disrupts the service for legitimate users.

Access to Connected Systems

Through the attack, attackers can gain access to other systems connected to the application. This can compromise the wider network and lead to widespread data breaches.

Remote Code Execution

In some cases, if the XML processor library is vulnerable to client-side memory corruption issues, attackers can also achieve remote code execution through the application.

Port Scanning and SSRF

The attacker can use the vulnerable application to port-scan connected systems or to perform server-side request forgery (SSRF). This reveals open ports and helps the attacker target internal services.

Types of XXE Attacks

Now, let us discuss the types of XML external entity attacks.

XXE Attack to Perform SSRF

Attackers can use an XXE attack to perform server-side request forgery (SSRF). The attacker defines an external entity whose URL is the target and places it in a data value that the application returns in its response, so the application makes the request to that URL on the attacker's behalf.

The attacker can then see the response from the target URL in the application's response. A blind SSRF attack is also possible: the attacker can still cause damage to the target system even without seeing the responses returned by the application.

XXE Attack to Retrieve Files

In this type of XXE attack, the attacker modifies the XML submitted to the application in order to retrieve an arbitrary file from the server's filesystem. The attacker adds a DOCTYPE element that defines an external entity containing the path to the file, and then uses that entity in a data value that the application returns in its response.

Parameter Entity Injection

In this type of XXE, the attacker manipulates the parameter entities within the Document Type Definition (DTD) of an XML document.

With this technique, the attacker injects malicious parameter entities and obtains outcomes similar to ordinary external entity injection. It can be used to read files or to execute code in order to extract sensitive data.

Blind XXE Attack to Exfiltrate Data

Many XXE vulnerabilities are blind: the application does not return the values of external entities in its responses, so the attacker cannot directly retrieve server-side files.

However, blind XXE can still be detected and exploited with more advanced techniques, such as out-of-band data exfiltration, or by triggering an XML parsing error that leaks data through the application.

Blind XXE Attack to Generate Error Messages

In a blind XXE vulnerability, the attacker can trigger an XML parsing error whose error message contains sensitive data. This works against any application that returns parser error messages in its response. Using a malicious external DTD, the attacker causes the parser to produce an error message that includes the contents of a file, such as a password file.
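Every variant described above (file retrieval, SSRF, parameter entity injection, and blind or error-based XXE) depends on the document declaring a DTD, which is why the standard mitigation is to refuse DTDs entirely rather than to filter individual entities. The following Python is an added example, not code from the original article, and uses only the standard library's expat binding to show both halves of the title: a pre-parse detector that flags DOCTYPE and ENTITY declarations for logging or alerting, and a hardened parser that rejects DTDs outright and never reads parameter or external entities. The sample documents, the placeholder file path and the function names are constructed for this example.

```python
"""Detect and reject DTD-based XXE payloads using only the Python standard library.
Added example for this article; sample documents and the placeholder path are constructed.
"""
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised when a document declares a DTD; every XXE variant rides on one."""


# Pre-parse detector: cheap enough to run in a WAF rule or over request logs.
# XML keywords are case-sensitive, so the uppercase forms are the only valid ones.
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")


def detect_dtd(xml_bytes):
    """Return the DTD markers present in the raw document (empty list if none).

    Meant for logging and alerting only: markers can be hidden behind encoding
    tricks, so the parser configuration below is the real control.
    """
    return [m.decode() for m in DTD_MARKERS if m in xml_bytes]


def parse_hardened(xml_bytes):
    """Parse XML with expat configured so that no DTD, external entity or
    parameter entity is ever processed. Returns a minimal tree of dicts:
    {"tag": name, "attrs": {...}, "text": str, "children": [...]}.
    """
    parser = expat.ParserCreate()
    # Never read parameter entities, closing the parameter-entity injection path.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Called as soon as <!DOCTYPE ...> starts, before any internal subset
        # (and therefore before any <!ENTITY ...> declaration) is processed.
        raise DtdNotAllowed("DTD declared for root <%s>; DTDs are disabled" % name)

    def reject_external_entity(context, base, system_id, public_id):
        # Returning 0 tells expat the reference failed and aborts the parse.
        # Unreachable once DTDs are rejected; kept as defence in depth.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(name):
        stack.pop()

    def chars(data):
        stack[-1]["text"] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)
    return root["children"][0]


def rejects_dtd(xml_bytes):
    """True if the hardened parser refuses the document because it carries a DTD."""
    try:
        parse_hardened(xml_bytes)
    except DtdNotAllowed:
        return True
    return False


# Constructed sample documents (not taken from any real request).
BENIGN = b"<order><item sku='A1'>2</item></order>"
# Shape of the file-retrieval and blind payloads described in the article,
# with a placeholder instead of a real path.
WITH_EXTERNAL_ENTITY = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///PLACEHOLDER/path'>]>"
    b"<order><item>&ext;</item></order>"
)
# Internal entities only: the shape of an entity-expansion DoS payload. It is
# rejected for the same reason, because it still needs a DTD.
WITH_INTERNAL_ENTITY = (
    b"<!DOCTYPE order [<!ENTITY a 'aaaa'><!ENTITY b '&a;&a;&a;&a;'>]>"
    b"<order>&b;</order>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN),
                       ("external entity", WITH_EXTERNAL_ENTITY),
                       ("internal entity", WITH_INTERNAL_ENTITY)):
        print(label, "markers:", detect_dtd(doc), "rejected:", rejects_dtd(doc))
```

The byte scan is a detection aid for logs and alerts; an attacker can evade it with alternate encodings, so the parser settings are what actually close the vulnerability. The same principle applies in other stacks: disable DTD processing at the parser (for example the `http://apache.org/xml/features/disallow-doctype-decl` feature on Java's `DocumentBuilderFactory`), or use a library such as `defusedxml` in Python that applies these settings by default, and treat any request carrying a DOCTYPE as a security event worth recording.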
