What is XML External Entity Injection?
There are many ways to store and transport data for both human readable format and machine-readable format. Web services, web or mobile applications, content management systems (CMS) uses extensible markup language(XML). It is the responsibility of the developer to properly validate the XML data that is used for input.
In simple words, XML external entity injection is an attack that is generally done to compromise the logic of an XML application. This injection attack is one vulnerability listed in OWASP top 10 vulnerabilities. If you want to know more about the other vulnerabilities, you can read about it here.
What Can Be Done With XML External Entity Injection?
Attacker can use this injection attack to cause various types of attacks, which are as follows.
Viewing files stored on the application server: Attacker will be able to view files stored in the server if the xml parser is able to process external entities. Then the web server may return contents of a file on the system containing sensitive data.
The shocking fact is, attacker is not limited to system files. They can also steal source codes if they know the location and structure of the web application. Some xml parser may also allow attackers to send HTTP requests to files on the local network.
Performing Denial Of Service (DOS) attack:
Another name of this attack is known as Billion Laugh Attack. The attacker writes the XML document in such a way so that the XML parser continues to expand each entity within itself. This process keeps on going until it overloads the server and finally brings down it.
Performing Server-side Request Forgery attack:
In some situations, web applications need to fetch data from external resources or some resources that can be internal services. For example, if developer wants to get weather data he or she may use a third party web api such as "open weather map api".
For example, to get current weather of London with this web api, the developer can use following URL: https://samples.openweathermap.org/data/2.5/weather?q=London,uk&appid=b6907d289e10d714a6e88b30761fae22
If somehow the attacker is able to change the url parameter to localhost, then he or she will be able to view the resources that are hosted locally on the server. This would cause the web application vulnerable to server-side request forgery (SSRF).
What are different Types Of XML Injection Attacks?
There are two different types of XXE attacks, namely: in-band XXE and out-of-band XXE.
In-band XXE: After performing this type of XXE attack, attacker is able to get an immediate response to the XXE payload.
Out-of-band XXE: This type of XXE attack does not return any immediate response from the web application on which this attack is performed.
Where XML Injections are Possible In a XML Document?
- In the CDATA section.
- In the attributes of the nodes.
- In the node values.
How To Prevent Against XML Injection Attacks
You should disable your application's xml parsing capabilities that your application don't intend to use. You should consult the documentation of your xml parsing library for details on how to disable those features. For a quick reference, you can consult this cheat sheet maintained by OWASP.
If you find this article about XML external entity injection as helpful, please share it among others. Thank you!