What is XML?

Extensible Markup Language (XML) was originally created for use in desktop publishing but has since become a popular way for applications of many kinds to exchange data with each other, and for data interchange it is used in far more situations than HTML. This has made XML an extremely common data format, implemented in many types of web applications, services, and documents, and it allows two systems built on different technologies to communicate and exchange data. For XML data to be interpreted, an application needs some form of XML parser or XML processor that understands the format and can either convert the data into another representation or simply output the result.

A typical simple XML document, which in this case describes books, that a web application can accept as XML input, parse, and output is shown below. The root element of this document is “bookstore”, which contains child elements called “book”. Each “book” contains the sub-child elements “author”, “title”, and “publish_date”. If this basic XML document is either sent in a request or uploaded to a web application that has been configured to accept and is capable of parsing XML input, the parsed output displays the values of those sub-child elements.

Figure 1: Response from XML Request

Impact and Risk

XXE vulnerabilities are in the category of injection attacks, which are similar to command injection (e.g.
The addition of XXE (XML External Entity injection) as a new category in the OWASP Top 10 in 2017 is the result of the increased prevalence of this type of vulnerability across many environments. Even though the attack has been possible for years, its discovery in major web applications, such as Facebook’s third-party career service and PayPal’s Ektron CMS, has brought the vulnerability much needed attention.

Attackers have used XXE to exploit poorly configured XML processors which, in many cases by default, allow an external entity reference to be declared and resolved within an XML document. By uploading crafted XML documents, or by abusing vulnerable code and third-party dependencies, attackers take advantage of external entities to carry out attacks such as remote code execution, disclosure of sensitive information, access to SMB file shares, Server-Side Request Forgery (SSRF), data extraction, internal system and port scans, and denial of service.
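As an added example, not code from the original article, the following Python uses the standard library’s expat parser to do what the “What is XML?” section describes (extract the author, title and publish_date of each book from a bookstore document) while enforcing the check the Impact and Risk discussion calls for: any DOCTYPE is refused before an external entity can be declared, so the attacker variant that references file:///etc/passwd never touches the filesystem. The two documents, their element values, and the function names are constructed for this example.

```python
"""Parse the bookstore document described in the text with the stdlib expat
parser, refusing any DOCTYPE so external entities can never be declared or
resolved. All sample documents here are constructed for this example."""
import xml.parsers.expat as expat
from typing import Dict, List, Optional

# Constructed sample matching the structure described in the text:
# bookstore > book > author / title / publish_date
BOOKSTORE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<bookstore>
  <book>
    <author>Jane Doe</author>
    <title>Parsing XML Safely</title>
    <publish_date>2017-11-01</publish_date>
  </book>
  <book>
    <author>John Roe</author>
    <title>Entities and Where They Go</title>
    <publish_date>2018-03-15</publish_date>
  </book>
</bookstore>
"""

# Constructed attacker variant: same structure, but a DOCTYPE declares an
# external entity pointing at a local file and references it in <author>.
# A processor that resolves external entities would echo the file's contents
# back in the response; this parser refuses the DOCTYPE before that can happen.
XXE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE bookstore [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bookstore>
  <book>
    <author>&xxe;</author>
    <title>Stolen</title>
    <publish_date>2018-01-01</publish_date>
  </book>
</bookstore>
"""

FIELDS = ("author", "title", "publish_date")


class DtdRejected(ValueError):
    """Raised when a submitted document carries a DOCTYPE (DTD) declaration."""


def parse_bookstore(data: bytes) -> List[Dict[str, str]]:
    """Return one dict per <book> with its sub-child text, or raise DtdRejected."""
    books: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None  # the <book> being filled
    field: Optional[str] = None               # the sub-child currently open
    text: List[str] = []                      # expat may split text into chunks

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at <!DOCTYPE ...>, before any <!ENTITY> declaration is seen,
        # so raising here blocks every form of entity declaration.
        raise DtdRejected(f"DOCTYPE for {name!r} refused: DTDs are not accepted")

    def refuse_external(context, base, system_id, public_id):
        # Defence in depth: returning 0 makes expat abort with ExpatError
        # instead of fetching system_id. Not reached once the DOCTYPE is refused.
        return 0

    def start(name, attrs):
        nonlocal current, field, text
        if name == "book":
            current = {}
        elif current is not None and name in FIELDS:
            field, text = name, []

    def chars(s):
        if field is not None:
            text.append(s)

    def end(name):
        nonlocal current, field
        if name == "book" and current is not None:
            books.append(current)
            current = None
        elif name == field and current is not None:
            current[field] = "".join(text)
            field = None

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return books


def accepts(data: bytes) -> bool:
    """True if the document parses, False if it was refused for carrying a DTD."""
    try:
        parse_bookstore(data)
        return True
    except DtdRejected:
        return False


if __name__ == "__main__":
    for book in parse_bookstore(BOOKSTORE_XML):
        print(book)
    print("XXE document accepted:", accepts(XXE_XML))
```

Refusing the DTD outright is the simplest hardening when the application has no legitimate need for DOCTYPE declarations, which is the common case for data interchange; the external-entity handler and the parameter-entity setting are kept as a second layer so that a future change that re-enables DTDs still cannot resolve SYSTEM identifiers.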