XML EXTERNAL ENTITY

<aside> 🗣 Web vulnerability which allows an attacker to interfere with processing of XML Data.

</aside>

<aside> 🗣 XML input containing a reference to an external entity is processed by a weakly configured XML parser

</aside>

Impact:

  1. Disclosure of confidential data
  2. Denial of service [Billion laugh attack]
  3. Server side request forgery
  4. Port scanning
  5. Remote Code Execution

https://1.bp.blogspot.com/-rZ9oYjIhR54/WqgF3lrIo0I/AAAAAAAAVVA/aXtXTHHq0vckSUMWhrmaCwUl14ELzRGvQCPcBGAYYCw/s571/3438886bdcb5ad1c97e7dad5958cde72.gif

When application uses XML format to transmit data, Applications uses standard libraries and API to process the XML data. XXE Injection arises when these XML data have dangerous features and a not well configured XML parser process them.

https://twitter.com/PwnFunction/status/1350717643515330565?s=20

What is XML?

XML or Extensible markup language is used to transfer and store data

maxresdefault.jpg

Tree-like structure of tags and data. No predefined tags

Everything from web services (XML-RPC, SOAP, REST, etc.) to documents (XML, DOCX) and image files (SVG, EXIF data, etc.) use XML

https://www.youtube.com/watch?v=1JblVElt5K0&list=PLhW3qG5bs-L9DloLUPwC3GdFimY5Ce_gS

XML entities