Questions tagged [xxe]

XXE, or XML External Entity, is a feature of the XML specification that can introduce a vulnerability in poorly configured XML parsers.

The XML specification allows an XML document to refer to entities that are not part of the document itself. More specifically, an XML document may declare an external general parsed entity, and an XML parser can try to open and parse that external resource.

To exploit this vulnerability, the attacker crafts an XML document that refers to the resource they're interested in - for example, the /etc/passwd file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [  
 <!ELEMENT foo ANY >
 <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

The parser is instructed to parse this external file, and process it - possibly exposing its contents, or part thereof, to the attacker. A creative attacker could also use this for other purposes, e.g. using the parser to scan ports.

Source:

OWASP Page on XXE Processing

37 questions
12 votes, 1 answer

Is PHP loadXML vulnerable to XXE attack (and to other attacks)? Is there a list of vulnerable functions?

I have PHP code that uses the loadXML function (as well as other XML functions). Is the loadXML function vulnerable to XXE attack? Namely, if the XML contains external entities, will they be interpreted? Is this function vulnerable to other XML…
Gari BN

8 votes, 1 answer

Is .NET XmlSerializer.Deserialize(TextReader) safe?

Is the .NET method XmlSerializer.Deserialize(TextReader) safe from XML vulnerabilities (XXE, XmlBomb etc.)? Will the DTD be processed during deserialization? I can understand why XmlSerializer.Deserialize(XmlTextReader) can be unsafe if…
Nagarjuna Borra

5 votes, 1 answer

XXE OOB Large File Extraction

Most examples for extracting files through XXE OOB (Out of Band) set up a listening HTTP server and listen for incoming requests on the URL requested. However, since the URL length is limited to something like 2048, how would you extract larger…
Ravan87

5 votes, 0 answers

Can XXE be exploited when disallow-doctype-decl is set to true (Apache)?

I found out that an endpoint of a website may be vulnerable to XXE. It is using Unmarshal as an XML parser. When I try to send a post request using common XXE payloads, I receive the following response from the…
4 votes, 1 answer

Approach for testing XXE injection

I have been discussing XXE injection in my web application. My web application allows expansion of user-supplied XML entities. What I did: Intercepted traffic using Burp. Changed the request with Accept: text/xml. Injected the XML in the cookie and checked the…
BlueBerry - Vignesh4303

3 votes, 1 answer

Can an XXE (XML External Entity) attack be carried out from within an SVG file?

Since SVG is built heavily if not entirely on XML, can one of the attacks that can be carried out through XML such as XXE injection be carried out from an SVG file?
Amirius

2 votes, 1 answer

What are steps to defend against XML External Entity (XXE) Processing vulnerability?

Lately I've seen so many attacks of this type, so I wanted to ask what is the proper way to defend against XML External Entity (XXE) Processing vulnerability. For example what if I parse some simple xml in my app, how can I make it stronger so this…
Daniel

2 votes, 1 answer

PHP Blind XXE Exploitation: Invalid URI in Entity

When attempting to exploit blind XXE as explained in this article, I got an error in my apache logs: PHP Warning: DOMDocument::loadXML(): Invalid URI: http://192.168.6.1/82a3ccab632c in Entity The DTD file:
user3207874

2 votes, 1 answer

XML External Entity injection within the body of a document

If you Google for an example of XXE injection you get something like this: ]>&xxe; where the attack is…
XCore

2 votes, 0 answers

What's the use of an "extra" dynamic declaration in an external DTD blind XXE attack?

I've been studying XXE attacks through portswigger blog. I don't understand the extra step of a dynamic declaration (i.e.
Shuzheng

2 votes, 0 answers

ASP.NET SOAP Service XXE

Is it possible to do any type of XXE in a service developed using the default C# SOAP service framework? I ask because with any type of XXE payload I try to add, even an XML header, whatever I add before the SOAP envelope, I get a 400 Bad Request back from…
Maz Ra

2 votes, 1 answer

Why isn't XXE part of Injection in the OWASP Top 10?

I'm trying to explain to myself why XXE doesn't fall under the Injection category, as it is a form of XML injection. XML External Entity is an attack that manipulates the XML parser/interpreter, to achieve information disclosure of some data (i.e.,…
NLuburić

2 votes, 1 answer

Any vulnerabilities from shorting browser's XML parser?

I have found a way of forcing a site to return content-type XML to the user's browser even though the content is HTML. The browser then interprets this site as XML and throws an error since the HTML contains Javascript that doesn't decode to valid…
iso123

2 votes, 1 answer

XML external entity - Local file enumeration (Impact assessment question)

I had come across an XML request-response pair while testing a web application and attempted to inject XXE payloads. Note that in this case no XML parameter sent in the request was getting reflected in the response. However as the request and…
Shurmajee

1 vote, 2 answers

Java XXE vulnerability

If I am already using xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); then do I also need to use xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false); to fix an XXE vulnerability?
Rupesh Pal