XML External Entity (XXE) Vulnerabilities

The XML standard defines a concept of an external general parsed entity (also shortened to external entity) that can access local or remote content via a declared system identifier. During XML parsing, the XML processor will replace such entities with the content referenced by them.

For example, here is an XML that contains an external entity.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE acunetix [
  <!ENTITY acunetixent SYSTEM "file:///etc/passwd">

The following XML makes reference to the acunetixent external entity and this entity should be replaced with the content of the local file /etc/passwd.

As you can see from this example, if enabled, external entities can pose a very big security risk because an attacker can access local files. The risk however, is not limited to accessing local files. External entities can be defined to access various hosts from the internal network or from the internet. XML External Entity is a subset of Server Side Request Forgery (SSRF) attacks and includes all the risks associated with these attacks.

XML External Entities can also be used to perform denial-of-service (DoS) attacks such as the popular Billion Laughs.

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">

The Billion Laughs Denial-of–Service (DoS) attack consists of defining 10 entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity.

Our HTML5 test website is vulnerable to this type of attack. When you scan this website with Acunetix Web Vulnerability Scanner version 9 and AcuMonitor enabled the scanner will detect and report such vulnerability.


XML External Entity Injection vulnerability - Acunetix

Click to enlarge


The test is made by defining an external entity that references the AcuMonitor domain and by testing if such request was made. Using AcuMonitor, it can detect all XXE variants including the ones that are not echoed back into the response.


Share this post

Leave a Reply

Your email address will not be published.