XXE injection attack: what it is and how to prevent it

(By Francesco Rugolo)
29/04/24

When we talk about XXE injection we are referring to a very widespread web vulnerability that allows a hacker to take possession of data on our servers, or to proceed with a so-called "escalation" of the attack, which could compromise the attacked server and other infrastructures connected to it.

First of all, let's see what XXEi means: XML external entity injection. To explain how it works, however, we must know what XML, an acronym for eXtensible Markup Language, is.

In short, in computer science XML is a language used to define elements and their meaning within a text. XML is extensible, that is, it allows you to define custom tags: tags that organize and define what is found in our document.

Within the XML document an object can be represented through an "entity", a named placeholder that the parser replaces with the object's content, instead of using the object itself.

The DTD (document type definition) contains all the specifications that define the types of data our XML document can contain, the values that can be assigned to them, and more.

XML allows the creation of entities and also the possibility of importing external ones, and this brings us to the definition of external entities.

External entities are entities whose content is not defined in our DTD but is completely external to it: they are specified through a URL from which the content is loaded into the application.

Now it is not difficult to understand the risks that this procedure could pose to our systems.

The most common attacks that exploit this vulnerability aim to steal data and passwords from our databases, but the most serious scenario occurs when this vulnerability is used to carry out a Server-Side Request Forgery, or SSRF, attack.

SSRF is an attack in which an application belonging to the server can be used by the hacker to initiate requests to any web address, leading to a compromise first of the attacked server and subsequently of any infrastructure connected to it and potentially vulnerable.

XXEi primarily targets applications that parse XML (i.e., analyse its components) with a weak configuration, applications that accept XML from untrusted sources, and applications that do not disable the use of external entities.

To ward off most attacks there are a whole series of best practices among which we can mention:

- whitelisting at the server level, which aims to block any input that does not comply with our security standards;

- validation of the XML data;

- disabling the option, obvious but often overlooked, that allows XML parsers to accept external entities.

With these simple measures it is possible to prevent a large percentage of XXE type attacks.
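As an added example (not from the original article), the Python code below shows why the third measure matters: the same document containing an external entity is parsed by the standard library's SAX parser once with external entity resolution enabled (the weak configuration) and once with it disabled. The file the entity points to is a constructed temporary file created by the code itself; `feature_external_ges` is the real `xml.sax` feature that controls this behaviour.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

class NameCollector(ContentHandler):
    """SAX handler that gathers the text inside the <name> element."""
    def __init__(self):
        super().__init__()
        self.in_name = False
        self.name = ""

    def startElement(self, tag, attrs):
        if tag == "name":
            self.in_name = True

    def endElement(self, tag):
        if tag == "name":
            self.in_name = False

    def characters(self, content):
        if self.in_name:
            self.name += content

def parse_user_name(xml_bytes, resolve_external):
    """Parse the document; resolve_external=True is the weak parser configuration."""
    parser = xml.sax.make_parser()
    # This one feature decides whether SYSTEM entities are fetched from disk or the network.
    parser.setFeature(feature_external_ges, resolve_external)
    handler = NameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.name

def demonstrate():
    """Feed the same XXE payload to both configurations; returns (weak, hardened)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"  # constructed stand-in for a sensitive server file
        secret.write_text("constructed-secret-value")
        payload = (
            '<?xml version="1.0"?>\n<!DOCTYPE user [\n'
            f'  <!ENTITY ext SYSTEM "{secret.as_uri()}">\n]>\n'
            "<user><name>&ext;</name></user>\n"
        ).encode()
        weak = parse_user_name(payload, resolve_external=True)  # file contents leak into <name>
        hardened = parse_user_name(payload, resolve_external=False)  # entity stays empty
    return weak, hardened
```

With the hardened setting the `<name>` field comes back empty instead of carrying the file's contents, which is exactly what disabling external entities in the parser buys you.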

To find any vulnerabilities of this type we can, in any case, use a very useful and powerful tool called Burp Suite, a software capable of mapping the vulnerabilities of a web application and analyzing its characteristics.

In any case, it is always useful to remember that the majority of attacks are due to the presence of vulnerabilities in the software, attributable to errors by programmers who are not always adequately prepared for secure development. This is why we hear more and more often about training for DevOps and DevSecOps, concepts closely linked to software development and security.
