XML is an open standard format for exchanging information. The structure of an XML document can be specified using a DTD (Document Type Definition). A DTD supports entities.

What is an Entity?

Entities are used to represent a value that occurs several times in the XML structure.

Entities are of two types:

1. Internal entities: the data is available within the XML document. Example: ]> Here, in the DTD, we declared an entity called name. It is an internal entity because wherever this entity is referenced in the document, its value is taken from the DTD itself.

2. External entities: the data is requested from some other location, which means the data is not available within the XML. Example: ]> Here the value of name is fetched from a different location and is not available internally.

XML external entity (XXE) injection:

This kind of vulnerability is possible when an application accepts XML requests and responses and relies on the default settings of its XML parser. Almost all XML parsers are vulnerable to XXE injection in their default configuration. Through this vulnerability attackers can read sensitive files such as application configuration files, and they can perform DoS (Denial of Service) attacks by making the XML parser continuously read files from the local device.
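As an added defender-side example (not code from the original post), the following Python gatekeeper sorts the entity declarations in an incoming XML request body into the internal and external types described above, refuses any body that carries a DTD before it reaches the parser, and parses only what it accepts with the standard library. The sample request bodies are constructed, and the file path in the external entity is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample request bodies (not from the original post); the file
# path inside the external entity is a placeholder, not a real target.
PLAIN_DOC = '<?xml version="1.0"?><data><user>Alice</user></data>'
INTERNAL_ENTITY_DOC = '''<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY name "Alice"> ]>
<data><user>&name;</user></data>'''
EXTERNAL_ENTITY_DOC = '''<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY name SYSTEM "file:///example/placeholder.txt"> ]>
<data><user>&name;</user></data>'''

# <!ENTITY ...> declarations: a quoted literal body means an internal entity, a
# SYSTEM/PUBLIC identifier an external one; "%" marks a parameter entity.
ENTITY_DECL_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+(?P<body>SYSTEM|PUBLIC|[\"'])",
    re.IGNORECASE,
)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

def classify_entities(xml_text):
    """Return [(name, kind)] for each declared entity; kind is 'internal' or 'external'."""
    found = []
    for m in ENTITY_DECL_RE.finditer(xml_text):
        external = m.group("body").upper() in ("SYSTEM", "PUBLIC")
        found.append((m.group("name"), "external" if external else "internal"))
    return found

def check_request_body(xml_text):
    """Gatekeeper for untrusted XML: returns (accepted, reason).

    Any DOCTYPE is refused, since the DTD is what lets a request declare
    entities at all: external ones are the file-read (XXE) case, and nested
    internal ones are the entity-expansion DoS case. The reason says what was seen.
    """
    if not DOCTYPE_RE.search(xml_text):
        return True, "no DTD"
    kinds = {kind for _, kind in classify_entities(xml_text)}
    if "external" in kinds:
        return False, "DTD declares an external entity (XXE)"
    if "internal" in kinds:
        return False, "DTD declares an internal entity (expansion DoS risk)"
    return False, "DTD present"

def parse_untrusted(xml_text):
    """Parse only what the gatekeeper accepts; returns the root element or None."""
    accepted, _ = check_request_body(xml_text)
    return ET.fromstring(xml_text) if accepted else None
```

The same decision can be logged as a detection event, since a DOCTYPE in a request body that normally never carries one is itself a useful alert.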

To perform an XXE attack we can use the Firefox REST Client add-on.

  • Take any XXE-vulnerable web application.
  • Send any request from that application to the application server.
  • If the site is vulnerable, it will disclose some sensitive information in the response body, such as X-auth: <some sensitive file location>. Otherwise we can perform the XXE attack by injecting our own XML payload.

Steps to work with the REST Client:

Take any XXE-vulnerable web application.

  • Open the REST Client add-on.
  • Change the HTTP method to POST.
  • In the URL field, enter the URL of the vulnerable web application.
  • In the Body field, enter the XML payload. Example payload: ]
  • Click on Send and observe the response body. We can get confidential files.

The example shown is not vulnerable to XXE; that is why it does not show any confidential information. We can also use the Google Chrome Advanced REST Client to perform an XXE attack.