What is XML External Entity (XXE)?
XML External Entity Injection is often referred to as a variant of Server-side Request Forgery (SSRF). XXE leverages language parsers that parse the widely used data format, XML used in a number of common scenarios such as SOAP & REST web services and file formats such as PDF, DOCX, HTML.
The main issue lies in XML parsers and how by default, they handle outbound network calls as well as other XML-specific features which we will get into. For a broader and more in-depth explanation of XXE, I would highly recommend going over our 2-part series first.
Python XML Libraries
In the Python ecosystem (2.X & 3.X) most if not all XML parsing is handled by the standard libraries:
And in some cases, even
beautifulsoup, since as we said HTML is a subset of XML, we can parse XML using it. Good news is that
etree are not vulnerable to XXE by default. As a result we’ll focus on
pulldom as it’s tightly knit to
The following example leverages the
pulldom module as well as
bottle to create a very minimal web service. It has a single endpoint, POST /pulldom that receives the request body as XML, parses it and returns it back.
import bottle from xml.dom.pulldom import START_ELEMENT, parse @bottle.post('/pulldom') def pulldom(): doc = parse(bottle.request.body) for event, node in doc: doc.expandNode(node) return(str(doc)) if __name__ == '__main__': bottle.run(host='0.0.0.0', port=5050)
The scanner can detect this by leveraging our AcuMonitor service, by transmitting and receiving the following request and response during the scan:
POST http://localhost:5050/lxmlnet HTTP/1.1 Content-type: text/xml Host: localhost:5050 <!ENTITY dteyybzent SYSTEM "http://hitWP5ElLuA1m.bxss.me/"> ]>
In bold you can see the !ENTITY expansion pointing to a remote URL which in this case, routes to AcuMonitor (under
HTTP/1.0 500 Internal Server Error Server: WSGIServer/0.1 Python/2.7.14 ... <body> <h1>Error: 500 Internal Server Error</h1> <p>Sorry, the requested URL <tt>'http://localhost:5050/lxmlnet'</tt> caused an error:</p> <pre>Internal Server Error</pre> </body> ...
HTTP Response truncated for clarity
The server tried processing the payload internally, sent the request and raised a SAXParseException:
SAXParseException: http://hituxSWuqFxmy.bxss.me/:2:0: error in processing external entity reference
With security, the first question when receiving an input is along the lines of, “Where is this data source coming from?”. Given that the two most popular libraries,
etree are safe from XXE attacks (though vulnerable to others) you are generally good to go from the standard library.
The alternative libraries,
sax are by design, required to pull XML from remote locations, which means that you should avoid using them handling untrusted user XML in any form. Should you still opt to use the aforementioned libraries, you should wrap them with your own safe implementation that sanitizes input prior to processing it.