XML External Entity Injection (XXE) and XML Entity Expansion (XEE) are security vulnerabilities that let an attacker abuse weaknesses in how an application processes XML documents. Applications that process XML usually rely on a standard library to convert XML text into objects inside the application. XXE and XEE vulnerabilities arise because the XML specification includes potentially dangerous features: XXE abuses the ability of an XML document to declare entities that reference resources outside the Document Type Definition (DTD), while XEE abuses entity references that are expanded internally within the same document.


Impacts of XML External Entity (XXE)

An XXE exploit can be performed by manipulating the XML document so that it declares an external entity, outside the DTD, that points to a file on the system. The application retrieves the file and returns its contents in the response to the request, which exfiltrates sensitive information, e.g. passwords or private keys, from the system. Another form of the exploit manipulates the XML document so that the parser queries a remote server (via HTTP(S)), populating the HTTP request with sensitive information. An XEE exploit results in denial of service (DoS), bringing down the entire system. XEE attacks work by crafting an XML document whose entities reference each other over and over again, so that the XML parser consumes system resources trying to expand the document. The examples below include the famous billion laughs payload.

Testing for XXE in Java

Inject the file/payload below into the XML parser.

XEE: XML Entity Expansion (Billion Laughs Bomb)

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

XEE: XML Entity Expansion (Bomb Variation 1)

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol1 "&lol2;">
 <!ENTITY lol2 "&lol1;">
]>
<lolz>&lol1;</lolz>

XEE: XML Entity Expansion (Bomb Variation 2)

<?xml version="1.0"?>
<!DOCTYPE kaboom [
<!ENTITY a "aaaaaaaaaaaaaaaaaa...">

XXE: Expose local file (*nix)

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
 <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>


XXE Fixes for Java

Vulnerable Code

// Default factory settings: DTDs are processed and external entities are resolved.
DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document doc = db.parse(input);

Solution 1: Secure Processing Mode

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(input);

Solution 2: Disabling DTD

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(input);