Exploiting XXE to retrieve files


Hello and welcome to my new article. This article covers a vulnerability called XXE, XML external entity injection.
First, let me introduce myself: I am Idan, a penetration tester / red teamer.
I am also Practitioner Community Manager at CySource, a cyber security company.

Before we exploit the XXE vulnerability, I’d like to explain what the vulnerability is and what attackers can do with it.

XML external entity (XXE)

XXE is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data.
It often allows an attacker to read files on the application server’s filesystem and to interact with internal and external systems that the application itself can reach.
It is important to understand that this vulnerability occurs when the XML parser is not configured securely: it resolves external entities declared in the document’s DTD.

The main goal of an XXE attack is to read sensitive files from the system, such as password files and back-end source code, which is valuable to companies.

For the system to be vulnerable to XXE, the parser must support DTDs and resolve external entities. In modern parser versions the programmer has to enable this explicitly, whereas older versions enabled it by default (the exact default depends on the XML library in use).

Actions an attacker can perform with XXE

Billion Laughs - A small XML document (about 1 KB) defines a chain of entities, each of which references the previous one many times. Expanding the chain needs around 3 GB of working memory, which causes a denial of service (DoS).
The same idea can be used to build other payloads; the main point is that they keep the parser working non-stop and overload it.

XXE - Declaring an external entity with the SYSTEM keyword, pointing it at a resource on the server, and referencing that entity in a field the application sends back, so that the response brings us information from the server.

XXE payloads - a valuable source of payloads for XXE: https://github.com/payloadbox/xxe-injection-payload-list

Exploiting XXE vulnerability

The lab I am going to use is on the PortSwigger platform, at the following link: https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files

Open Burp Suite, enable the proxy, and you’re good to go.
The lab looks like a shopping website where customers can buy gifts.

[Screenshot: shopping website]

Before attacking any website, it’s important to understand all of its functionality.
As a customer, I can click on an item and then check the stock in three cities: London, Paris and Milan.

[Screenshot: checking stock]

Let’s say I live in London and want to check if there is stock.
After choosing the city, I clicked “Check stock” and got a response with the number of units available.

[Screenshot: number of units]

After clicking “Check stock”, I saw the POST request in Burp Suite and noticed that its body is XML.

[Screenshot: XML POST request]

Now the fun begins.
We need to find a way to read the /etc/passwd file.
First, I tried a payload that would return the contents of /etc/passwd base64-encoded, like this:

Unfortunately, I got an error:

[Screenshot: XML error]

Then I tried another, much simpler way.
I used the SYSTEM keyword, which allows the parser to read local files on the server, and pointed it at /etc/passwd.

[Screenshot: reading a local file on the server]

Finally I got a wonderful response containing the contents of the /etc/passwd file.

[Screenshot: contents of /etc/passwd]
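To make the parser misconfiguration behind this lab concrete, here is an added example (my own code, not from the lab or the original article) in Python: a stock-check document shaped like the lab's request is parsed twice with xml.sax, once with external general entities enabled (the vulnerable setting) and once with the default, hardened setting, plus a coarse DOCTYPE gate that also stops Billion Laughs-style input. The SYSTEM entity points at a constructed temporary file rather than /etc/passwd, and the element names stockCheck/productId/storeId are assumed to match the lab's request.

```python
import io, os, re, tempfile, xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

SECRET = "db_password=constructed-example-secret"  # constructed stand-in for a server file

def build_payload(target_url: str) -> bytes:
    """Stock-check document shaped like the lab's, with a SYSTEM entity in <productId>."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "{target_url}">]>'
        '<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>'
    ).encode()

class ProductIdCollector(ContentHandler):
    """Records only the character data that ends up inside <productId>."""
    def __init__(self):
        super().__init__()
        self.inside, self.text = False, []
    def startElement(self, name, attrs):
        self.inside = name == "productId"
    def endElement(self, name):
        self.inside = False
    def characters(self, content):
        if self.inside:
            self.text.append(content)

def product_id_from(xml_bytes: bytes, resolve_external: bool) -> str:
    """One feature flag decides whether SYSTEM entities are fetched (vulnerable) or left unexpanded."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)  # False is Python's default since 3.7.1
    handler = ProductIdCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text)

def contains_dtd(xml_bytes: bytes) -> bool:
    """Coarse request gate: a stock check has no business carrying a DOCTYPE, which XXE payloads need."""
    return re.search(rb"<!DOCTYPE", xml_bytes, re.IGNORECASE) is not None

def run_demo() -> dict:
    with tempfile.NamedTemporaryFile("w", delete=False) as f:  # the "sensitive file" the entity reads
        f.write(SECRET)
        path = f.name
    try:
        payload = build_payload("file://" + path)
        return {"vulnerable": product_id_from(payload, True),
                "hardened": product_id_from(payload, False),
                "rejected_by_gate": contains_dtd(payload)}
    finally:
        os.unlink(path)
```

Calling run_demo() returns the file contents under "vulnerable", an empty string under "hardened", and True under "rejected_by_gate", showing that the fix is the parser setting, with the gate as defence in depth.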

That’s it!

I have to admit that exploiting XXE vulnerabilities is very interesting and satisfying.

Hope you guys find this article useful.
