XML Injection Vulnerabilities and How They Work

Ayush Parti
September 7, 2022

XXE vulnerabilities are a type of attack that exploits flaws in an application's processing of XML data. XXE attacks can be used to gain access to sensitive files, execute arbitrary code, or launch denial-of-service attacks. XXE attacks are often overlooked, but they can be highly dangerous.

In order to protect your applications from XXE attacks, it is important to understand how they work and what measures you can take to prevent them.

How does an XXE Vulnerability Occur?

XXE vulnerabilities occur when an application processes XML input without adequately checking for errors. This can allow attackers to inject malicious code into the XML data, which is then executed by the application. XXE attacks can be used to gain access to sensitive files, execute arbitrary code, or launch denial-of-service attacks. XXE attacks are often overlooked, but they can be highly dangerous.

One common way to exploit XXE vulnerabilities is to inject an external entity reference into the XML data. This reference will cause the application to fetch the specified file from the attacker's server, revealing its contents to the attacker.

Another way to exploit XXE vulnerabilities is to use them to perform denial-of-service attacks. This can be done by specifying a very large file in the external entity reference, causing the application to consume all of its memory and crash.

XXE vulnerabilities can be prevented by disabling external entity references in the XML parser. This will prevent the application from fetching any files from external sources, and will also prevent denial-of-service attacks.

Additionally, input validation should ensure that all XML data is well-formed and does not contain any malicious code. Doing this can prevent XXE vulnerabilities from being exploited in the first place.

What is a CSRF Token?

When you're using the internet, each request your browser makes includes a csrf token. This token is used to verify that the request is coming from a trusted source. If the csrf token is invalid, the request will be rejected.

CSRF tokens are typically generated by the server and included in the form data or header of each request. When the form is submitted, the csrf token is also submitted. The server can then validate the csrf token before processing the request.

If you're a developer, you can learn more about how to implement CSRF protection in your web applications. But even if you're not a developer, it's important to understand what csrf tokens are and how they help protect your online data.

What is an SSRF token?

An SSRF token is a type of security token that is used to protect against server-side request forgery (SSRF) attacks. An SSRF attack is a type of attack where the attacker attempts to send malicious requests to a server in order to exploit a vulnerability.

An SSRF token is used to validate that a request originated from the intended source and has not been tampered with. This helps to prevent attackers from being able to inject malicious code into the request and execute it on the server.

XML Injection Attack Types

There are a few key XML Injection attacks which may share similarities in their output but they operate quite differently. We have listed some of them below:

Billion Laughs Attack

The name might sound harmless but trust us, you will not be laughing if your database is overloaded with a billion laughs attack! A billion laughs attack is a type of denial of service attack that exploits a weakness in XML parsers. The attack works by creating a very large XML file that contains a lot of nested entity references. When the XML file is parsed, the parser expands all of the entity references, resulting in a very large amount of data being processed. This can cause the parser to run out of memory, crash, or consume all available CPU resources, causing the Denial of Service.

There are two main ways to protect against the billion laughs attack:

  1. Use a less permissive XML parser that doesn't allow expansion of entity references.
  2. Limit the size of XML files that can be parsed.

Blind XXE Attack

A blind XXE vulnerability is a type of security flaw that can allow an attacker to gain access to sensitive information. This vulnerability occurs when an XML parser processes external entities without properly verifying them first. This can lead to the disclosure of sensitive information, such as files on the server or even data from the memory of the application. Blind XXE vulnerabilities are often difficult to exploit, but can be very dangerous if successfully exploited.

One way to exploit a blind XXE vulnerability is to send a specially crafted XML file to the vulnerable application. This XML file can contain an external entity that points to a file on the server. If the application processes this file, then the attacker can gain access to the contents of that file. Additionally, blind XXE vulnerabilities can also be exploited to gain access to sensitive data in memory. By carefully crafting an XML file, an attacker can cause the application to disclose this sensitive data.

Blind XXE vulnerabilities are often difficult to exploit due to the fact that they often require an attacker to have a way to interact with the vulnerable application. However, if an attacker does have a way to interact with the application, such as through a web interface, then they can potentially exploit the vulnerability to gain access to sensitive data.

If you find a blind XXE vulnerability in an application, it is important to carefully assess the risk that it poses. In some cases, the risk may be low and the impact may be minimal. However, in other cases, the risk may be high and the impact could be severe. It is important to remember that blind XXE vulnerabilities can often be chained together with other vulnerabilities to increase their impact. For example, if an attacker can combine a blind XXE vulnerability with an SQL injection vulnerability, they may be able to gain access to sensitive database data.

XXE SSRF Attacks

XXE SSRF attacks are a type of XML External Entity (XXE) attack. They exploit the way that some XML processors handle external entity references. This can allow an attacker to access sensitive data on the server or to launch other attacks, such as denial of service attacks or cross-site scripting (XSS) attacks.

XXE SSRF attacks are usually carried out by sending a specially crafted XML request that contains a reference to an external entity. The XML processor on the server will then attempt to resolve this reference, which can allow the attacker to access sensitive data on the server or to launch other attacks.

XXE SSRF attacks can have serious consequences, such as:

  • Accessing sensitive data on the server, such as confidential information or passwords
  • Launching denial of service attacks by flooding the server with requests
  • Executing malicious code on the server, such as cross-site scripting (XSS) attack

How can I protect against XXE SSRF attacks?

There are several measures that you can take to protect against XXE SSRF attacks, such as:

  • Disabling external entity references in your XML processor
  • Validating input to ensure that it does not contain any malicious code
  • Restricting access to sensitive files and data on the server
  • Implementing a web application firewall (WAF)

By taking these measures, you can help to protect your website or application from XXE SSRF attacks.

Additional XXE Prevention Tips

If you're worried about XXE attacks, there are a few things you can do to prevent them. First, make sure your XML parser is configured to disable external entity processing. This will prevent an attacker from being able to include malicious code in an XML document that your parser will process.

You should also consider using a whitelist approach when processing XML input. This means only allowing certain characters and character ranges in the XML document, and rejecting anything else. This can help prevent an attacker from being able to inject malicious code into the document.

Finally, keep in mind that XXE attacks are often used to gain access to sensitive files on the server. If you're storing any sensitive information in XML documents, make sure they're properly protected from unauthorized access.

By following these tips, you can help prevent XXE attacks and keep your data safe.

How To Find and Test for XML Injection and XXE Attacks

XXE vulnerabilities are a serious security issue that can lead to data leakage, denial-of-service attacks, and even remote code execution. However, they can be prevented by disabling external entity references in the XML parser, and by validating all XML input.

If you are a SaaS business that does not have the bandwidth, budget or expertise to conduct penetration tests for your web applications against XXE attacks, we can help! Heyhack Scan provides comprehensive insights on your website's security so that you can operate without any security fears. Our easy-to-use platform allows you to test for all kinds of web vulnerabilities and gain regulatory compliance.

If you'd like to know more, get in touch and we'd love to help!

Start pentesting today

Sign up for a free trial for Heyhack and start your first penetration test today.
Our trial is free for 14 days and requires no commitment whatsoever.
Sign Up for a Free TrialBook a Demo

Start your first automated penetration test today

Sign up for a free trial to Heyhack and start your first penetration test within a matter of minutes. You can also book a demo session with one of our security experts that will help you get started.