Extensible Markup Language (XML) Injection


Extensible Markup Language (XML) is a text format for structuring documents so that they are both human- and machine-readable.

  • Information within the document is placed within tags
    • tags describe how the information in the document is structured
  • Used:
    • by apps for authentication and authorization
    • for other types of data exchange and file upload
  • XML data submitted without transport encryption or server-side input validation is vulnerable to:
    • spoofing
    • request forgery
    • injection of arbitrary data or code
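The injection case in concrete form, as an added example that is not part of the original notes: a document built by splicing a user-supplied value straight into the markup, beside a builder that serializes through Python's xml.etree.ElementTree so the value is escaped. The <user>/<name>/<role> structure, the function names and the attacker string are constructed for illustration.

```python
# Added example (not from the original notes): XML injection through string
# formatting, beside a builder that escapes user input. The <user> document
# structure and the attacker input below are constructed for illustration.
import xml.etree.ElementTree as ET


def build_user_unsafe(name, role="user"):
    """Vulnerable: the user-supplied name is spliced straight into the markup."""
    return "<user><name>%s</name><role>%s</role></user>" % (name, role)


def build_user_safe(name, role="user"):
    """Hardened: build the tree and let the serializer escape <, > and &."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = role
    return ET.tostring(user, encoding="unicode")


def effective_role(doc):
    """What a consumer that reads the first <role> element would act on."""
    root = ET.fromstring(doc)
    return root.find("role").text


def user_name(doc):
    """The <name> text as a consumer would read it back."""
    root = ET.fromstring(doc)
    return root.find("name").text


# Constructed attacker input: closes <name>, injects a <role> element, then
# reopens <name> so the rest of the template still yields well-formed XML.
INJECTED_NAME = "alice</name><role>admin</role><name>"


if __name__ == "__main__":
    for builder in (build_user_unsafe, build_user_safe):
        doc = builder(INJECTED_NAME)
        print(builder.__name__, "->", doc)
        print("  effective role:", effective_role(doc))
```

The unsafe builder yields a well-formed document whose first <role> is the attacker's "admin"; the safe builder stores the whole attacker string as the literal name and the role stays "user". Where a tree builder is not available, xml.sax.saxutils.escape on every interpolated value gives the same protection.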

XML External Entity (XXE) Attack

An XML External Entity (XXE) attack declares, in the document's DTD, an entity that points at a local resource; a parser that resolves external entities fetches it and substitutes its contents:

Example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY bar SYSTEM "file:///etc/config"> ]>
<!-- root element is foo, as named in the DOCTYPE; &bar; expands to the file contents -->
<foo>&bar;</foo>
  • defines an entity named bar that refers to a local file path (the SYSTEM keyword marks it as external)
  • a successful attack returns the contents of /etc/config as part of the response, provided the parser resolves external entities and the application echoes the parsed value back
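The payload above run against a real parser, as an added example that is not part of the original notes: Python's standard-library xml.sax parser with external general entity resolution switched on (the vulnerable configuration), then with it switched off, and finally with DOCTYPE declarations rejected outright. The "secret" file is constructed in a temporary directory and stands in for /etc/config; the function and class names are assumptions made here.

```python
# Added example (not from the original notes): the XXE payload from the notes
# against Python's xml.sax, in a vulnerable and two hardened configurations.
# The secret file is constructed here and stands in for /etc/config.
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


def xxe_payload(system_id):
    """Build the payload from the notes, pointed at an arbitrary SYSTEM URI."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY bar SYSTEM "%s"> ]>\n'
        '<foo>&bar;</foo>' % system_id
    ).encode("utf-8")


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data, i.e. whatever the parser substitutes for &bar;."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class RejectDTD:
    """Lexical handler that aborts on any DOCTYPE: no DTD, no entity declarations."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE %r rejected: DTDs are not accepted" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_text(payload, resolve_external=False, allow_dtd=True):
    """Parse the payload and return the text content the handler received."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # feature_external_ges controls resolution of external general entities.
    # Python >= 3.7.1 defaults it to False; older releases defaulted to True.
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    if not allow_dtd:
        parser.setProperty(xml.sax.handler.property_lexical_handler, RejectDTD())
    parser.parse(io.BytesIO(payload))
    return "".join(handler.chunks)


def demo(secret="db_password=hunter2\n"):
    """Run the three configurations against a constructed secret file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config")
        with open(path, "w", encoding="utf-8") as f:
            f.write(secret)
        payload = xxe_payload("file://" + path)
        results = {
            # external entities resolved: the file contents come back as text
            "vulnerable": parse_text(payload, resolve_external=True),
            # resolution disabled: &bar; silently expands to nothing
            "hardened": parse_text(payload, resolve_external=False),
        }
        try:
            parse_text(payload, allow_dtd=False)
            results["no_dtd"] = "parsed"
        except ValueError as exc:
            # DOCTYPE refused before any entity can be declared
            results["no_dtd"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for mode, text in demo().items():
        print("%-10s -> %r" % (mode, text))
```

Disabling external entity resolution stops the file read but still lets a DTD through, which leaves entity-expansion attacks such as billion laughs on the table; refusing the DOCTYPE altogether is the stricter default when the application never needs a DTD. Check the equivalent switch in whatever parser the application actually uses, since defaults differ between libraries and versions.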