XXE (XML External Entity) is a type of vulnerability that can be found in applications that parse XML input. It occurs when an attacker is able to inject malicious code into an XML document, which is then processed by the application. This can lead to a range of attacks, including information disclosure, denial of service, and even remote code execution.
The vulnerability arises because XML allows for the inclusion of external entities, which are essentially references to external files or resources. These entities can be used to simplify the structure of an XML document, but they can also be exploited by attackers to gain access to sensitive information or execute arbitrary code.
To exploit an XXE vulnerability, an attacker typically needs to craft a specially-crafted XML document that includes a reference to an external entity that they control. When the application processes the document, it will attempt to resolve the entity, which can result in the execution of the attacker’s code.
This cheat sheet provides an extensive list of XXE vulnerabilities, their descriptions, and mitigation techniques.
Table of Contents
What is XXE?
XXE (XML External Entity) is a type of vulnerability that allows an attacker to inject malicious XML data into an application. This vulnerability can be exploited to perform various types of attacks, including data theft, denial of service, and server-side request forgery.
Types of XXE Attacks
| Attack Type | Description |
|---|---|
| Classic XXE | An attacker injects malicious XML data into an application to exploit the XML parser’s ability to process external entities. |
| Blind XXE | An attacker sends a request to a vulnerable application and waits for a response that contains sensitive information. |
| Out-of-Band XXE | An attacker sends a request to a vulnerable application that triggers a DNS or HTTP request to a server controlled by the attacker. |
XXE Payloads
| Payload | Description |
|---|---|
| Local File Inclusion | An attacker can use the file:// protocol to read files on the server. |
| Remote File Inclusion | An attacker can use the http:// or https:// protocol to read files from a remote server. |
| Parameter Entity | An attacker can use a parameter entity to inject malicious XML data into an application. |
| External DTD | An attacker can use an external DTD to inject malicious XML data into an application. |
| External Entity | An attacker can use an external entity to inject malicious XML data into an application. |
| Blind XXE Payloads | An attacker can use payloads that trigger a DNS or HTTP request to a server controlled by the attacker. |
XXE Mitigation Techniques
| Technique | Description |
|---|---|
| Disable External Entities | Disable external entities in the XML parser to prevent XXE attacks. |
| Use a Whitelist | Use a whitelist of allowed XML elements and attributes to prevent XXE attacks. |
| Use a Schema | Use an XML schema to validate incoming XML data and prevent XXE attacks. |
| Use a Content Security Policy | Use a content security policy to prevent XXE attacks by blocking external resources. |
| Use a Web Application Firewall | Use a web application firewall to detect and block XXE attacks. |