Exploiting XML External Entity (XXE) Injection Vulnerability


XML Entity 101

General Entity

In simple words, an entity in XML can be thought of as a variable: it holds a value. Entities can be declared as internal or external. An entity reference has three important parts, namely &, the entity name, and ;. To use an entity that has been declared, these three parts are combined, as in &entity-name;.

Internal Entity

To create an internal entity, use the following syntax:

<!ENTITY entity-name "entity value">

Example

<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY name "si tampan">]><user>&name;</user>

This is the same as the PHP code below:

$name = "si tampan";
echo $name;

External Entity

Creating an external entity is the same as creating an internal entity, except that the SYSTEM keyword is added after the entity name and the value must be an absolute or relative URI/URL.

<!ENTITY entity-name SYSTEM "URI/URL">

Example

<?xml version="1.0" standalone="yes" ?><!DOCTYPE text [<!ENTITY word SYSTEM "file://text.txt">]><text>&word;</text>

The XML above is the same as the following PHP code:

$word = file_get_contents("file://text.txt");
echo $word;

Parameter Entity

A parameter entity is similar to a general entity, except that a parameter entity can only be used in DTD structures between <!DOCTYPE docname [ and ]> and must add a
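The following is an added example, not code from the article, showing the three entity kinds above from the parser's side. It uses Python's standard-library expat bindings: in hardened mode it refuses any entity declaration in the DTD (general or parameter, the same check that libraries such as defusedxml apply), and in permissive mode it shows that an internal entity expands like a variable while an external SYSTEM entity is a request to fetch a URI, which the handler only records and never opens. The sample documents are constructed from the article's two examples; the names parse_document and is_rejected are chosen here.

```python
import xml.parsers.expat as expat


class EntityDeclarationError(ValueError):
    """Raised in hardened mode when the DTD declares any entity."""


# Constructed sample documents; the first two follow the article's examples.
INTERNAL_DOC = ('<?xml version="1.0" standalone="yes" ?>'
                '<!DOCTYPE user [<!ENTITY name "si tampan">]>'
                '<user>&name;</user>')
EXTERNAL_DOC = ('<?xml version="1.0" standalone="yes" ?>'
                '<!DOCTYPE text [<!ENTITY word SYSTEM "file://text.txt">]>'
                '<text>&word;</text>')
PLAIN_DOC = '<user>si tampan</user>'


def parse_document(xml_text, allow_entities=False):
    """Parse xml_text with the stdlib expat parser.

    Returns (character_data, external_refs):
      character_data - text content after internal entities are expanded
      external_refs  - system identifiers (URIs) of external entities the
                       document referenced; they are recorded, never fetched.
    In hardened mode (allow_entities=False) any entity declaration in the DTD,
    general or parameter, aborts parsing with EntityDeclarationError before
    the document body is processed.
    """
    parser = expat.ParserCreate()
    chunks = []
    external_refs = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Called for every <!ENTITY ...> declaration while the DTD is read.
        if not allow_entities:
            kind = "parameter" if is_param else "general"
            raise EntityDeclarationError(f"{kind} entity {name!r} declared in DTD")

    def on_external_ref(context, base, system_id, public_id):
        # Expat asks us to resolve the external entity. Record the URI and
        # report it as handled (return 1) without opening anything.
        external_refs.append(system_id)
        return 1

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks), external_refs


def is_rejected(xml_text):
    """True if hardened parsing refuses the document because of its DTD."""
    try:
        parse_document(xml_text)
    except EntityDeclarationError:
        return True
    return False


if __name__ == "__main__":
    for label, doc in (("plain", PLAIN_DOC),
                       ("internal", INTERNAL_DOC),
                       ("external", EXTERNAL_DOC)):
        print(label, "rejected in hardened mode:", is_rejected(doc))
        print(label, "permissive result:", parse_document(doc, allow_entities=True))
```

Refusing at the declaration, rather than at the reference, matters: the DTD is processed before the document body, so the parser never reaches the point where it would expand or fetch anything. The recorded external_refs list is useful in a log-only deployment to see which URIs untrusted input tried to make the parser read.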
