So before we jump into protecting against XXE, let's take a quick look at what XXE is. XXE, or XML External Entities, is a vulnerability that arises when an application accepts XML input containing a malicious DTD (document type definition). The XML is passed to the parser, which creates the new entity; if that entity is then referenced within the XML, the attacker may be able to read local files or even execute code.
So, what exactly does a DTD look like? I've gone ahead and provided a very basic example of a DTD below; it creates an entity and, when that entity is referenced, returns its value.
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY hello "arcan3 was here!!!">
]>
<root>
<name></name>
<tel></tel>
<email>&hello;</email>
<message></message>
</root>
As we can see from the code snippet provided, a new DTD is declared using the <!DOCTYPE tag and given the name email. Inside this tag is an <!ENTITY declaration defining an entity called hello, which in this example is equal to the phrase “arcan3 was here!!!”.
When the entity is referenced using an ampersand and its name, &hello;, the parser substitutes its value; assuming the application returns the parsed output, we would see the specified phrase.
Although the example given is not all that harmful, it is only a proof of concept: should the attacker be able to read system files, they could retrieve sensitive information, which could lead to further compromise.
Protecting against XXE
The most straightforward way to prevent XXE is to disable DTDs in the XML parser. This effectively stops the creation of any entities and thus removes the vulnerability altogether.
Whether and how you are able to disable DTDs depends on the language the application is written in, which is why we recommend referring to the official documentation.
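As an added example that is not part of the original post, the following Python (standard library only) shows the post's DTD being expanded by a default parser, and then the "disable DTDs" mitigation: a parser that refuses the document as soon as a DOCTYPE or entity declaration appears. The sample document is constructed from the snippet above; the function names and the small field-collecting helper are my own.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample: the post's document with its one internal entity.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY hello "arcan3 was here!!!">
]>
<root><name></name><tel></tel><email>&hello;</email><message></message></root>"""

class DoctypeRejected(ValueError):
    """Raised when input carries a DTD and DTDs are disallowed."""

def parse_default(xml_text):
    """Default stdlib parse: expat expands the internal entity, so the
    value declared in the DTD lands in <email>, as the post describes."""
    return ET.fromstring(xml_text).findtext("email")

def parse_no_dtd(xml_text):
    """Hardened parse: abort the moment expat reports a DOCTYPE or an
    entity declaration, before any entity can be expanded or fetched."""
    def reject(*_args):
        raise DoctypeRejected("DTD declarations are not allowed in input")
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    # Belt and braces: never resolve parameter or external entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda *_args: False
    fields, stack = {}, []
    def start(name, _attrs):
        stack.append(name)
        fields.setdefault(name, "")
    def chars(data):
        if stack:
            fields[stack[-1]] += data
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.Parse(xml_text, True)
    return fields

def rejects_dtd(xml_text):
    """True when the hardened parser refuses the document for carrying a DTD."""
    try:
        parse_no_dtd(xml_text)
    except DoctypeRejected:
        return True
    return False
```

The same two-step check (compare what the default parser yields with what the hardened parser accepts) is a quick way to confirm a parser configuration really does ignore DTDs before relying on it.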