- `XML External Entity (XXE) Injection` vulnerabilities occur when XML data is taken from a user-controlled input without proper sanitization or parsing

# XML

- `Extensible Markup Language (XML)` is a common markup language (similar to HTML and SGML) designed for flexible transfer and storage of data and documents in various types of applications
- XML is not focused on displaying data but mostly on storing documents' data and representing data structures
- Basic example of an XML document for an email

```xml
<?xml version="1.0" encoding="UTF-8"?>
<email>
  <date>01-01-2022</date>
  <time>10:00 am UTC</time>
  <sender>[email protected]</sender>
  <recipients>
    <to>[email protected]</to>
    <cc>
      <to>[email protected]</to>
      <to>[email protected]</to>
    </cc>
  </recipients>
  <body>
  Hello,
  Kindly share with me the invoice for the payment made on January 1, 2022.
  Regards,
  John
  </body>
</email>
```

- Key elements of an XML document

|Key|Definition|Example|
|---|---|---|
|`Tag`|The keys of an XML document, usually wrapped with (`<`/`>`) characters.|`<date>`|
|`Entity`|XML variables, usually wrapped with (`&`/`;`) characters.|`&lt;`|
|`Element`|The root element or any of its child elements, and its value is stored in between a start-tag and an end-tag.|`<date>01-01-2022</date>`|
|`Attribute`|Optional specifications for any element that are stored in the tags, which may be used by the XML parser.|`version="1.0"`/`encoding="UTF-8"`|
|`Declaration`|Usually the first line of an XML document, and defines the XML version and encoding to use when parsing it.|`<?xml version="1.0" encoding="UTF-8"?>`|

# XML DTD

- `XML Document Type Definition (DTD)` allows the validation of an XML document against a pre-defined document structure
- The pre-defined document structure can be defined in the document itself or in an external file
- Below is an example DTD for the email XML document above

```xml
<!DOCTYPE email [
  <!ELEMENT email (date, time, sender, recipients, body)>
  <!ELEMENT recipients (to, cc?)>
  <!ELEMENT cc (to*)>
  <!ELEMENT date (#PCDATA)>
  <!ELEMENT time (#PCDATA)>
  <!ELEMENT sender (#PCDATA)>
  <!ELEMENT to (#PCDATA)>
  <!ELEMENT body (#PCDATA)>
]>
```

# XML Entities

- We may also define custom entities (i.e. XML variables) in XML DTDs, to allow refactoring of variables and reduce repetitive data
- This can be done with the use of the `ENTITY` keyword, which is followed by the entity name and its value, as follows

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY company "Inlane Freight">
]>
```

- Once we define an entity, it can be referenced in an XML document between an ampersand `&` and a semi-colon `;`, such as `&company;`
- When the XML file is parsed on the server-side, in cases like SOAP (XML) APIs or web forms, an entity can reference a file stored on the back-end server, which may eventually be disclosed to us when we reference the entity
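- Added example (not part of the original notes) showing the entity mechanics above from the parser's side with Python's standard library: the internal entity `&company;` is expanded when the document is parsed, the entity declarations can be enumerated before parsing, and a hardened parse rejects any document that brings its own `DOCTYPE` (the usual server-side mitigation when no user-supplied DTD is expected). The sample document and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample: the email document with an internal DTD that declares
# the custom entity &company; and references it inside <body>.
EMAIL_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY company "Inlane Freight">
]>
<email>
  <sender>john@inlanefreight.com</sender>
  <body>Kindly share the invoice issued by &company;.</body>
</email>
"""

def parse_body(xml_text: str) -> str:
    """Parse with the stdlib parser; internal entities declared in the DTD are
    expanded, so &company; is replaced by its value in the returned text."""
    root = ET.fromstring(xml_text)
    return root.findtext("body")

def declared_entities(xml_text: str) -> list:
    """Walk the document with expat and record every entity declaration as
    (name, replacement value or system id, is_external). An entity declared
    with SYSTEM/PUBLIC carries a system id instead of a literal value, which
    is what a reviewer wants to spot before any expansion takes place."""
    found = []
    def on_entity(name, is_pe, value, base, system_id, public_id, notation):
        found.append((name, value if value is not None else system_id,
                      system_id is not None))
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_text, True)
    return found

def safe_parse(xml_text: str) -> ET.Element:
    """Hardened parse: abort as soon as a DOCTYPE is seen, i.e. before the
    internal subset (and any entity it declares) is ever processed."""
    def reject(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted (got %r)" % name)
    probe = xml.parsers.expat.ParserCreate()
    probe.StartDoctypeDeclHandler = reject
    probe.Parse(xml_text, True)   # raises at the DOCTYPE for EMAIL_XML
    return ET.fromstring(xml_text)

if __name__ == "__main__":
    print(parse_body(EMAIL_XML))         # Kindly share the invoice issued by Inlane Freight.
    print(declared_entities(EMAIL_XML))  # [('company', 'Inlane Freight', False)]
```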