XXE Attack – A4 of OWASP Top 10

XML External Entities (XXE) is a newly listed entry in the OWASP Top 10. Many applications today use XML streams or web services (SOAP) for back-end processing, so a browser or client can make a simple XML call over HTTP POST and fetch an XML response from the server, as shown in the figure below:



Once the XML stream reaches the application server, it is processed by an XML parser. This gives an attacker an opportunity to inject a malicious payload. If the XML processing or parser is weakly designed (DTD or XSD parsing) or not properly configured, it will process external entity declarations. This can lead to access to the file system, network drives, network resources, or other OS-level access.

As shown in the diagram above, one can craft the following XML document, in which an external entity (XXE) is defined to read "/etc/passwd":

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [
<!ELEMENT test ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<test>&xxe;</test>


If an attacker can successfully execute the above payload, the application ends up serving /etc/passwd in its HTTP response (the XML stream). It is also possible to inject internal URLs or to cause a DoS (for example, by referencing /dev/random). In certain cases the parser breaks with an error while sending the data back in the XML stream. An attacker can overcome this by (i) wrapping the content in a "CDATA" section when the parser errors while displaying it, or (ii) sending the data to an external system (out-of-band injection).

Conclusion:

Though XXE is not a very common issue, the nature of the vulnerability is very serious and can have a devastating impact on the target application and infrastructure. By leveraging this issue, an attacker can launch SSRF, steal files, source code or confidential information from the system, or DoS the system. Hence, it is imperative to mitigate it through proper patching, verification of XML streams, and validation.
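One concrete form of the "verification of XML streams" mitigation named above, as an added example that is not part of the original post: a Python parser (stdlib expat) configured to refuse any DOCTYPE, entity declaration or external entity reference, exercised against the post's own payload. `parse_untrusted`, `is_xxe_attempt`, `XXERejected` and both sample documents are constructed for this illustration, not taken from any real service.

```python
import xml.parsers.expat as expat

# Constructed sample input: the XXE payload shown in the post above.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [
<!ELEMENT test ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<test>&xxe;</test>"""
# Constructed sample input: a benign request that declares no DOCTYPE.
SAFE_DOC = b'<?xml version="1.0"?><order><item>widget</item></order>'

class XXERejected(ValueError):
    """Raised when an untrusted document tries to use DTD/entity features."""

def parse_untrusted(data: bytes) -> dict:
    """Parse client XML with all entity features refused; returns {element: text}."""
    parser = expat.ParserCreate()
    # Never expand parameter entities, which closes the external-DTD route.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def refuse(what):
        def handler(first, *rest):
            raise XXERejected(f"{what} not accepted: {first!r}")
        return handler

    # Fail closed at the first sign of DTD machinery: a service that needs no
    # DTD has no reason to let a client send one.
    parser.StartDoctypeDeclHandler = refuse("DOCTYPE")
    parser.EntityDeclHandler = refuse("entity declaration")
    parser.ExternalEntityRefHandler = refuse("external entity reference")
    result, stack = {}, []
    def on_start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")
    def on_text(text):
        if stack:
            result[stack[-1]] += text

    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)  # raises expat.ExpatError on malformed XML
    return result

def is_xxe_attempt(data: bytes) -> bool:
    """True when the document is refused for carrying DTD/entity features."""
    try:
        parse_untrusted(data)
    except XXERejected:
        return True
    return False
```

The payload is rejected at the DOCTYPE declaration, before the entity is ever declared or resolved, so the parser never touches the file system.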