Analysis of XXE Injection from scratch
I am honest in saying that web application analysis is not my workhorse, and my opportunities to assess and penetration-test web applications have not been many, so I have to resume my study and training and try to share it with colleagues and hypothetical blog readers. I start from the OWASP Top 10, ordered by criticality, and in 4th place I find XXE (XML External Entity) injection. Evidently many sites in circulation today are affected by this problem, so it is worth understanding its nature from a code-analysis point of view.
XML is a double-edged sword: as versatile as JSON, but it demands a lot of attention when writing code. What makes an XXE injection possible comes in two parts:
- a DTD (Document Type Definition), internal or external to the XML document, which defines the structure and the correct syntax of the elements that make up the document itself;
- an Entity defined in that DTD (think of it as a variable to which you can assign whatever you want, including a resource external to the URL you are on), which the XML parser will process, substituting the corresponding content in its output.
Code is worth a thousand words: in this PHP script I pass the credentials "HackHappy" and "password", by the POST method, to the file "login.php".
Now I show you the modified version instead; take a good look at the difference:
- the definition, via "<!DOCTYPE", of my DTD, trivial in this case and internal to the XML code;
- the definition in the DTD of the Entity "own", whose value is "file:///etc/passwd", a resource that is certainly external to the URL you are poking at.
Obviously the result is the following.
Who is the culprit of all this? As often happens, the flaws that make any form of code injection possible come down to carelessness in writing the code and a lack of "sanitization" of certain inputs. In this specific case, the "login.php" file that receives and processes the "user" and "pass" values from the previous PHP script has "libxml_disable_entity_loader" set to "false", which allows the XML parser to process any external Entity defined in a suitably constructed DTD.
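As an added example (not the post's own login.php), here is what the receiving side looks like once hardened: the parser never substitutes entities, the entity loader is disabled on PHP versions where it can still be on, and any document carrying a DTD is rejected outright. The root element name "login" and the `<user>`/`<pass>` structure are assumptions, since the post does not show the XML it sends.

```php
<?php
// Added example, not the post's code: a hardened parser for the login XML.
// The vulnerable pattern in the post is a parser that keeps the entity loader
// enabled (libxml_disable_entity_loader false) and expands entities; this
// function does the opposite at every step.

declare(strict_types=1);

/**
 * Parse an assumed <login><user/><pass/></login> document without ever
 * resolving entities. Returns ['user' => ..., 'pass' => ...] or null if rejected.
 */
function parse_login_xml(string $xml): ?array
{
    // 1. A login message never legitimately needs a DTD. Every internal or
    //    external entity definition requires a DOCTYPE, so refusing the DOCTYPE
    //    itself closes the vector before the parser ever sees it.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null;
    }

    // 2. On PHP < 8 the entity loader must be switched off explicitly (the post
    //    found it left enabled). PHP 8 disables it by default and deprecates the
    //    call, so it is guarded by version.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    // 3. Never pass LIBXML_NOENT or LIBXML_DTDLOAD. LIBXML_NONET additionally
    //    forbids network access during parsing should a DTD ever slip through.
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NONET) || $dom->doctype !== null) {
        return null;
    }

    $user = $dom->getElementsByTagName('user')->item(0);
    $pass = $dom->getElementsByTagName('pass')->item(0);
    if ($user === null || $pass === null) {
        return null;
    }
    return ['user' => $user->textContent, 'pass' => $pass->textContent];
}

// Constructed sample inputs, not captured traffic: the first is accepted, the
// second is rejected because it carries a DTD with an entity definition.
$clean   = '<?xml version="1.0"?><login><user>HackHappy</user><pass>password</pass></login>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE login [<!ENTITY own "placeholder">]>'
         . '<login><user>&own;</user><pass>password</pass></login>';

var_dump(parse_login_xml($clean));
var_dump(parse_login_xml($withDtd));
```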