What is XML External Entity (XXE)?

XML External Entity Injection is often referred to as a variant of Server-side Request Forgery (SSRF). XXE leverages language parsers that parse the widely used data format, XML used in a number of common scenarios such as SOAP & REST web services and file formats such as PDF, DOCX, HTML.

The main issue lies in XML parsers and how by default, they handle outbound network calls as well as other XML-specific features which we will get into. For a broader and more in-depth explanation of XXE, I would highly recommend going over our 2-part series first.

Python XML Libraries

In the Python ecosystem (2.X & 3.X) most if not all XML parsing is handled by the standard libraries:

And in some cases, even beautifulsoup, since as we said HTML is a subset of XML, we can parse XML using it. Good news is that minidom and etree are not vulnerable to XXE by default. As a result we’ll focus on pulldom as it’s tightly knit to sax.

Examples

The following example leverages the pulldom module as well as bottle to create a very minimal web service. It has a single endpoint, POST /pulldom that receives the request body as XML, parses it and returns it back.

import bottle

from xml.dom.pulldom import START_ELEMENT, parse

@bottle.post('/pulldom')
def pulldom():
    doc = parse(bottle.request.body)
    for event, node in doc:
        doc.expandNode(node)
    return(str(doc))

if __name__ == '__main__':
    bottle.run(host='0.0.0.0', port=5050)

The scanner can detect this by leveraging our AcuMonitor service, by transmitting and receiving the following request and response during the scan:

Request

POST http://localhost:5050/lxmlnet HTTP/1.1
Content-type: text/xml
Host: localhost:5050


<!ENTITY dteyybzent SYSTEM "http://hitWP5ElLuA1m.bxss.me/">
]>
&dteyybzent;

In bold you can see the !ENTITY expansion pointing to a remote URL which in this case, routes to AcuMonitor (under bxss.me).

Response

HTTP/1.0 500 Internal Server Error
Server: WSGIServer/0.1 Python/2.7.14

...
<body>
<h1>Error: 500 Internal Server Error</h1>
<p>Sorry, the requested URL <tt>&#039;http://localhost:5050/lxmlnet&#039;</tt>
caused an error:</p>
<pre>Internal Server Error</pre>
</body>
...

HTTP Response truncated for clarity

The server tried processing the payload internally, sent the request and raised a SAXParseException:

SAXParseException: http://hituxSWuqFxmy.bxss.me/:2:0: error in processing external entity reference

Conclusion

With security, the first question when receiving an input is along the lines of, “Where is this data source coming from?”. Given that the two most popular libraries, minidom and etree are safe from XXE attacks (though vulnerable to others) you are generally good to go from the standard library.

The alternative libraries, pulldom and sax are by design, required to pull XML from remote locations, which means that you should avoid using them handling untrusted user XML in any form. Should you still opt to use the aforementioned libraries, you should wrap them with your own safe implementation that sanitizes input prior to processing it.

Vulnerabilities such as XXE and many more can be detected automatically with Acunetix, by leveraging our AcuMonitor service to detect Out-of-Band vulnerabilities.

SHARE THIS POST
THE AUTHOR
Juxhin Dyrmishi Brigjaj

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.