XML External Entity (XXE)

Overview

XML External Entity (XXE) attacks occur when untrusted XML Input containing a reference to an external entity is processed by an XML parser that is improperly configured. This can lead to the disclosure of internal resources, denial of service, RCE, SSRF, and port scanning.

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

-OWASP

Example

Consider this example from Appsecco's DVNA. The functionality of the page http://127.0.0.1:9090/app/bulkproducts allows for XML files to be uploaded and due to code misconfiguration allows XXE.

The code that handles this XML upload functionality is found in core/appHandler.js. The code uses the libxmljs library to parse the XML String. Line 3 uses the libxmljs.parseXmlString function to parse the user input. This is where the error is occurring, where the library parses the XML input string and saves it to the products variable.

module.exports.bulkProducts =  function(req, res) {
	if (req.files.products && req.files.products.mimetype=='text/xml'){
		var products = libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:true,noblanks:true})
		products.root().childNodes().forEach( product => {
			var newProduct = new db.Product()
			newProduct.name = product.childNodes()[0].text()
			newProduct.code = product.childNodes()[1].text()
			newProduct.tags = product.childNodes()[2].text()
			newProduct.description = product.childNodes()[3].text()
			newProduct.save()
		})
		res.redirect('/app/products')
	}else{
		res.render('app/bulkproducts',{messages:{danger:'Invalid file'},legacy:false})
	}
}

The XML parsing library libxmljs allows for parsing external entities. The flag value noent needs to be set to false {noent:true,noblanks:true}.

The following code shows the fix for this vulnerability by changing that flag value to false.

module.exports.bulkProducts =  function(req, res) {
	if (req.files.products && req.files.products.mimetype=='text/xml'){
		var products = libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:false,noblanks:true})
		products.root().childNodes().forEach( product => {
			var newProduct = new db.Product()
			newProduct.name = product.childNodes()[0].text()
			newProduct.code = product.childNodes()[1].text()
			newProduct.tags = product.childNodes()[2].text()
			newProduct.description = product.childNodes()[3].text()
			newProduct.save()
		})
		res.redirect('/app/products')
	}else{
		res.render('app/bulkproducts',{messages:{danger:'Invalid file'},legacy:false})
	}
}

Start with the following resources then go to the resources page.

What is XXE (XML external entity) injection? Tutorial & Examples | Web Security AcademyWebSecAcademy

XML External Entity (XXE) Processing | OWASP Foundationowasp.org

XXE - XEE - XML External Entity - HackTricksbook.hacktricks.xyz

OWASP Top Ten 2017 | A4:2017-XML External Entities (XXE) | OWASP Foundationowasp.org

https://appsecco.com/books/dvna-developers-security-guide/solution/a4-xxe.htmlappsecco.com

Appsecco DVNA source code example