XXE Cheat Sheet

XXE (XML External Entity) injection is a vulnerability in applications that parse XML input with a parser configured to resolve external entities. An attacker who controls the XML supplies a DOCTYPE that declares an external entity, and the parser resolves it while processing the document. The impact ranges from disclosure of local files and server-side request forgery to denial of service; code execution is possible only in unusual configurations, such as PHP with the expect:// stream wrapper enabled.

The vulnerability exists because the XML specification lets a document's DTD declare external entities: named references to files or URLs that the parser fetches and substitutes into the document. The feature was meant for reusing content across documents, but a parser that honours it on untrusted input can be made to read local files, reach internal network services, or exhaust memory and CPU.

To exploit it, an attacker crafts an XML document whose DOCTYPE declares an entity pointing at a resource of their choosing, such as a local file or a URL on a server they control, and references that entity in the document body. When the application parses the document, the parser resolves the entity, and its contents either appear in the application's response or are sent out-of-band to the attacker's server.

This cheat sheet summarises the main XXE attack types, the payload families used for each, and the mitigations that close the issue at the parser.

What is XXE?

XXE (XML External Entity) injection is a vulnerability that lets an attacker who controls XML input make the application's parser resolve entities the attacker defines. It can be exploited for data theft (reading local files), denial of service (entity expansion and resource exhaustion), and server-side request forgery (making the server issue requests on the attacker's behalf).

Types of XXE Attacks

Classic XXE: The parser expands an attacker-declared external entity and the result (for example the contents of a local file) is reflected in the application's response.

Blind XXE: The entity is resolved, but its content never appears in the response. The attacker confirms the vulnerability and extracts data indirectly, typically through parser error messages that embed the data or through an out-of-band channel.

Out-of-Band XXE: The payload makes the server issue a DNS or HTTP(S) request to an attacker-controlled host, usually by loading an external DTD through parameter entities. Detection needs only the request to arrive; exfiltration places the stolen data in the request URL.

XXE Payloads

Local File Read: The entity's SYSTEM identifier is a file:// URL (or a bare path), so the parser reads a local file such as /etc/passwd into the document. Files containing characters such as < or & break parsing of the entity; on PHP targets the php://filter base64 wrapper is the usual way around this.

Remote Fetch (SSRF): The SYSTEM identifier is an http:// or https:// URL, so the server fetches it. This reaches internal services and cloud metadata endpoints that the attacker cannot contact directly, and the response may be reflected in the document.

Parameter Entity: Entities declared with a leading % that can only be referenced inside the DTD. They let entity definitions be built dynamically from other entities and are the building block of blind and out-of-band payloads.

External DTD: The DOCTYPE, or a parameter entity inside it, loads a DTD hosted by the attacker. Because most parsers restrict what the internal subset may do with parameter entities, the attacker-hosted DTD is where the entities that read a file and send it elsewhere are declared.

External Entity: A general entity declared with SYSTEM in the DOCTYPE and referenced by name in the document body; this is the classic payload shape used for both the local file and remote fetch cases above.

Blind XXE Payloads: Payloads that, instead of reflecting content, cause a DNS lookup or HTTP request to an attacker host (to detect the flaw), or embed file contents in that request or in a parser error message (to extract data).

XXE Mitigation Techniques

Disable DTDs and External Entities: The primary fix. Where the parser supports it, reject DOCTYPE declarations outright (for example the disallow-doctype-decl feature in Java's Xerces-based parsers); where DTDs are required, disable external general entities, external parameter entities and external DTD loading. Every parser has its own switches, so check each XML entry point, including SOAP, SAML, SVG, DOCX and other XML-based formats.

Use an Allowlist: An allowlist of permitted elements and attributes limits what the application accepts, but it does not stop XXE on its own because entities are expanded before the content is inspected. Treat it as defence in depth.

Use a Schema: XSD validation has the same limitation: entity resolution happens before validation, so a schema constrains the document's shape but does not prevent entity attacks.

Content Security Policy: Not a mitigation. CSP controls which resources a browser may load for a page; XXE is resolved by the server-side parser, which CSP never sees.

Use a Web Application Firewall: A WAF can block known payload patterns (DOCTYPE, ENTITY, SYSTEM keywords) and gives detection and logging, but it is bypassable, for example by submitting the document in UTF-16, and must not be the only control.
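The local file read payload from the XXE Payloads table and the parser-side mitigation from the table above, as an added example that is not part of the original cheat sheet. It uses Python's standard-library xml.sax (backed by expat): the vulnerable function switches on external general entity resolution, which was the default before Python 3.7.1 and is still one flag away today, and the hardened function turns both external entity features off. The secret file, the order document and the function names are constructed for the demo and are assumptions, not a real API.

```python
"""Classic XXE file disclosure against Python's xml.sax, beside the hardened form.

Assumptions (not from the cheat sheet): the secret file and the XML document
are constructed here so the demo runs offline; the function names are
illustrative, not a real API.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes


class TextCollector(ContentHandler):
    """Collects the character data the parser delivers for element content."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def build_xxe_payload(target_path):
    """Constructed payload: declares an external general entity whose SYSTEM
    identifier is a file:// URL and references it in the document body."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE order ['
        f'<!ENTITY xxe SYSTEM "file://{target_path}">'
        ']><order><item>&xxe;</item></order>'
    ).encode()


def parse_vulnerable(xml_bytes):
    """Parser with external general entities enabled, the setting a developer
    turns on to 'make entities work'. Returns the concatenated text content,
    which here is the contents of the file named by the payload."""
    parser = xml.sax.make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, True)   # the dangerous switch
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text)


def parse_hardened(xml_bytes):
    """Same parser with external general and parameter entities disabled.
    The entity reference expands to nothing and no file is opened."""
    parser = xml.sax.make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text)


def demo():
    """Writes a constructed secret file, parses the same payload both ways,
    and returns (leaked_text, hardened_text)."""
    secret = "db_password=hunter2\n"          # constructed sample secret
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(secret)
        payload = build_xxe_payload(path)
        leaked = parse_vulnerable(payload)
        hardened = parse_hardened(payload)
    finally:
        os.unlink(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked_text, hardened_text = demo()
    print("vulnerable parser returned:", repr(leaked_text))
    print("hardened parser returned:  ", repr(hardened_text))
```

Running it prints the secret file's contents from the vulnerable parser and an empty string from the hardened one. Turning the two features off is the minimum; rejecting any DOCTYPE before parsing, or using a library that does so by default (defusedxml for Python), also stops internal entity expansion attacks, which the external entity flags alone do not.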
