XXE injection

XXE Injection (XML External Entity Injection)

XXE injection is a vulnerability that arises when an XML parser processes external entity declarations supplied by an attacker inside an XML document. It can be exploited to read files from the web server, reach internal resources, or, depending on the parser, trigger other unwanted actions.

Key Features of XXE Injection:

  • Exploits DOCTYPE declarations and ENTITY definitions in XML.

  • Allows unauthorized access to files, system processes, or network resources on the web server.

Example: External Entity Injection

The following example demonstrates how an attacker could retrieve sensitive files, such as /etc/passwd (the Linux user account file):

<!DOCTYPE test [
    <!ENTITY x SYSTEM "file:///etc/passwd">
]>
<test>
    &x;
</test>

When processed by a vulnerable XML parser, the entity reference &x; is replaced with the file's contents, which may then be returned to the attacker in the application's response or in an error message.


Mitigating XXE Vulnerabilities:

  1. Disable External Entity Loading: Configure the XML parser to disable external entities.

    • For example, in Python with lxml (the standard-library xml.etree parser has no resolve_entities option):

      from lxml import etree
      # resolve_entities=False stops entity expansion; no_network=True blocks remote fetches
      parser = etree.XMLParser(resolve_entities=False, no_network=True)
      root = etree.fromstring(untrusted_xml, parser)
  2. Proper Input Validation:

    • Validate and sanitize user-supplied XML inputs.

    • Reject or filter out suspicious payloads.


XPath Injection

XPath Injection is a vulnerability that allows attackers to manipulate XML-based queries by injecting malicious XPath expressions. This can expose sensitive information or bypass authentication systems.

Example: XPath Injection

An attacker can inject malicious queries like this to bypass authentication:

domain?uname=hacker'%20or%201=1]/parent::*/child::node()%00

Here:

  • hacker'%20or%201=1 (URL-decoded: hacker' or 1=1) closes the string literal in the XPath predicate and appends an or 1=1 condition, so the predicate always evaluates as true.

  • The %00 null byte is appended to terminate the string and discard the rest of the original query, or to bypass input restrictions.
