XML external entity (XXE) injection
https://app.beeceptor.com/
Identifying
Identify XML User Input: Look for web pages or forms that accept XML input from users. This can include forms that submit data in XML format to the server.
Inspect Input Filtering and Sanitization: Check if the application applies proper input filtering or sanitization to XML input. Lack of filtering or sanitization increases the risk of XXE vulnerabilities.
Observe Response Handling: Pay attention to how the application handles user input in the response. If the application reflects XML elements back to the user without encoding, it may be vulnerable to XXE.
Analyze DTD Declaration: Determine if the XML input includes a Document Type Definition (DTD) declaration. If present, it may allow for entity declaration and expansion, leading to XXE.
Add Custom Entity: Inject a custom entity into the XML input to test for XXE. This can be done by adding a DTD declaration and defining a new entity within it.
Test Entity Replacement: Verify if the application replaces the custom entity with its defined value in the response. If the value of the entity is reflected back, it indicates potential XXE vulnerability.
Check Content-Type: Even if the application primarily uses JSON, try changing the Content-Type header to application/xml. Some applications accept XML data even though they mainly handle JSON.
Convert JSON to XML: If necessary, convert JSON data to XML format using online tools. Submit the XML data to the application and test for XXE vulnerabilities as described above.
Error Based XXE
Read File
Blind Data Exfiltration
PHP Filter
Code Execution
PHP Wrapper expect://ls to execute
The expect module is not enabled/installed on modern PHP servers by default, so this attack may not always work.
SSRF Attack
CDATA with XXE and SSRF
File Upload
OUT-OF-BAND (OOB)
in Server
Automated OOB Exfiltration
How to Find XXE
● XML file upload (e.g config files)
● XML input fields
● XML based APIs
● XML based files (RSS, SVG)
How to bypass a filter that blocks the "ENTITY" keyword
Case 1: Manipulation (Uppercase/Lowercase)
Case 2: Encoding
HTML encoding:
Hexadecimal encoding:
Whitespace bypasses (extra spaces or newlines) or using a comment
CDATA
How to Test XXE: Methodology
Find XXE Data Entry Point
Change the XML object to anything.
Try to declare a reference entity or parameter entity.
<!DOCTYPE hacktor [ <!ENTITY xxe SYSTEM "Hello">]>
Test blind XXE: get an external server and add a reference to it.
If the input is not in XML format, test XInclude.
Mitigation and Prevention
Avoiding Outdated Components
Using Safe XML Configurations
● Disable referencing custom Document Type Definitions (DTDs)
● Disable referencing External XML Entities
● Disable Parameter Entity processing
● Disable support for XInclude
● Prevent Entity Reference Loops
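The safe-configuration items above, as an added defensive example (not code from the original notes): a Python stdlib expat parser configured to refuse DTDs, entity declarations, external entities and parameter entities, shown beside a default parser that expands a declared entity the way the "Test Entity Replacement" step looks for. The sample documents and the function names are constructed for this example.

```python
import xml.parsers.expat as expat

# Constructed sample documents (not from the original notes).
BENIGN = b"<order><item>widget</item></order>"
# Same shape as the page's probe: an inline DTD declares a custom entity and the body references it.
ENTITY_PROBE = b'<!DOCTYPE hacktor [ <!ENTITY xxe "Hello"> ]><order><item>&xxe;</item></order>'


def _collect(parser):
    """Attach handlers that record the root tag and all character data."""
    out = {"root": None, "text": []}
    def on_start(tag, attrs):
        if out["root"] is None:
            out["root"] = tag
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = out["text"].append
    return out


def parse_naive(data):
    """Default expat settings: the entity declared in the inline DTD is expanded,
    so its value ("Hello") comes back in the parsed text."""
    p = expat.ParserCreate()
    out = _collect(p)
    p.Parse(data, True)
    return {"ok": True, "root": out["root"], "text": "".join(out["text"])}


def parse_hardened(data):
    """Refuse DTDs, entity declarations, external entities and parameter entities."""
    p = expat.ParserCreate()
    # Never read or expand parameter entities (%name;).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(what):
        def handler(*args):  # raising inside a handler aborts p.Parse()
            raise ValueError(f"{what} refused")
        return handler
    # Rejecting every DOCTYPE removes custom DTDs, inline entity declarations and
    # with them the surface for entity reference loops (billion laughs).
    p.StartDoctypeDeclHandler = refuse("DOCTYPE")
    p.EntityDeclHandler = refuse("entity declaration")
    p.ExternalEntityRefHandler = refuse("external entity")  # never resolve SYSTEM/PUBLIC ids
    out = _collect(p)
    try:
        p.Parse(data, True)
    except (ValueError, expat.ExpatError) as e:
        return {"ok": False, "root": None, "text": "", "error": str(e)}
    return {"ok": True, "root": out["root"], "text": "".join(out["text"])}
```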