Uploaded bymattymcfatty
PPTX, PDF1,614 views

Xml external entities [xxe]

The document discusses XML External Entities (XXE) vulnerabilities, explaining how they allow attackers to exploit XML through various means like denial of service and data exfiltration. It emphasizes the widespread use of XML and the importance of both defenders and attackers being aware of these vulnerabilities. Recommendations for mitigating XXE attacks include ensuring parser libraries are updated and disabling XXE by default.

Embed presentation

Downloaded 51 times
XML External Entities [XXE] Slipping in through the XML backdoor
XML is boring, but
What is it? • XML 1.0 specification allows for “Entity Declaration” • This allows XML documents to be more dynamic • Here are a couple examples
Who is affected? • Lots of apps use XML • Lots of formats rely on XML • Lots of configuration files for apps use XML • Lots of protocols rely on XML • Some use it without even knowing it
Who cares? • Attacker and defenders should care because… this is also a valid XXE Declaration:
Who cares? • Attacker and defenders should care because… this is also a valid XXE Declaration: • …aaaaaand so is this!
What can you exploit? • Denial of service • File enumeration • Network enumeration • Port scanning • Directory listing • File exfiltration …sometimes WITHOUT AUTH
Lets see it…
How do you stop it? • Coders that know about XXE don’t reflect XML back • But that didn’t work well • Because error messages • Because response timing differences • Because Timur Yunusov & Alexey Osipov Out-of-Band XXE attack
How do you stop it? Take two • A lot of parser libraries added the option to disable XXE • But that didn’t work well • Because many coders don’t realize this is an attack vector
How do you stop it? Take three • A lot of parser libraries disable XXE by default • Actually works pretty well • …provided your libraries are up to date. • …no dumb ass developers enabled ittt
Summary • XML is all over the place • XXE is really bad • If defending, make sure you are not vulnerable • If attacking, make sure you test for XXE, cause it’s really SWEET if you find it
Shout-outs • Lots of smart people have researched and talked about this • Timur Yunusov & Alexey Osipov OOB XXE talk at Blackhat 2013 • Timothy D. Morgan - What You Didn't Know About XML External Entities Attacks • Alex Lauerman @ TrustFoundry

More Related Content

PPTX
OWASP A4 XML External Entities (XXE)
byMichael Furman
 
PPTX
XML External Entity (XXE)
byJay Thakker
 
PDF
When the internet bleeded : RootConf 2014
byAnant Shrivastava
 
PDF
RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
byIMMUNIO
 
PPTX
Website Hacking and Preventive Measures
byShubham Takode
 
PDF
CNIT 128 9. Writing Secure Android Applications
bySam Bowne
 
PPTX
WordPress Security Hardening
byIda Bagus Budanthara
 
PPTX
[OWASP Poland Day] Application security - daily questions & answers
byOWASP
 
OWASP A4 XML External Entities (XXE)
byMichael Furman
 
XML External Entity (XXE)
byJay Thakker
 
When the internet bleeded : RootConf 2014
byAnant Shrivastava
 
RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
byIMMUNIO
 
Website Hacking and Preventive Measures
byShubham Takode
 
CNIT 128 9. Writing Secure Android Applications
bySam Bowne
 
WordPress Security Hardening
byIda Bagus Budanthara
 
[OWASP Poland Day] Application security - daily questions & answers
byOWASP
 

What's hot

PDF
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
byAnant Shrivastava
 
PDF
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
PDF
SQL Injection and DoS
byEmil Tan
 
PPTX
Practice of AppSec .NET
byMikhail Shcherbakov
 
PPT
Watir
bySai Venkat
 
PDF
My tryst with sourcecode review
byAnant Shrivastava
 
PPTX
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
byQuek Lilian
 
PPTX
Dll preloading-attack
byCysinfo Cyber Security Community
 
PDF
Secuirty News Bytes-Bangalore may 2014
byn|u - The Open Security Community
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
byAnant Shrivastava
 
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
SQL Injection and DoS
byEmil Tan
 
Practice of AppSec .NET
byMikhail Shcherbakov
 
Watir
bySai Venkat
 
My tryst with sourcecode review
byAnant Shrivastava
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
byQuek Lilian
 
Dll preloading-attack
byCysinfo Cyber Security Community
 
Secuirty News Bytes-Bangalore may 2014
byn|u - The Open Security Community
 

Similar to Xml external entities [xxe]

PDF
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
PDF
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
byLionel Briand
 
PPTX
Black Hat: XML Out-Of-Band Data Retrieval
byqqlan
 
PPTX
XXE - XML External Entity Attack
byCysinfo Cyber Security Community
 
PDF
XXE
byn|u - The Open Security Community
 
PPTX
eXploitable Markup Language
bysghctoma
 
PDF
[Blackhat2015] FileCry attack against Java
byMoabi.com
 
ODP
Hands-On XML Attacks
byToe Khaing
 
PPTX
Xxe
byIlan Mindel
 
PPTX
Extreme Web Exploitation
byViral Parmar
 
DOCX
App. Specific Business 10ImpactsThreatAgentsA.docx
byarmitageclaire49
 
PPTX
XML External Entity Null Meet 19_3_16.pptx
bySamitAnwer2
 
DOCX
Vulnerability in libxml2
byRuban Deventhiran
 
PDF
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
byPROIDEA
 
PDF
A4 xml external entites
byLenur Dzhemiliev
 
DOCX
External XML Entities
byWilliam McKelphin
 
PPT
Attacks against Microsoft network web clients
byPositive Hack Days
 
PPTX
Devouring Security XML Attack surface and Defences
bygmaran23
 
PPTX
Xxe
bynullowaspmumbai
 
PPTX
Xxe xml external entity
byheeraj nair
 
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
byLionel Briand
 
Black Hat: XML Out-Of-Band Data Retrieval
byqqlan
 
XXE - XML External Entity Attack
byCysinfo Cyber Security Community
 
XXE
byn|u - The Open Security Community
 
eXploitable Markup Language
bysghctoma
 
[Blackhat2015] FileCry attack against Java
byMoabi.com
 
Hands-On XML Attacks
byToe Khaing
 
Xxe
byIlan Mindel
 
Extreme Web Exploitation
byViral Parmar
 
App. Specific Business 10ImpactsThreatAgentsA.docx
byarmitageclaire49
 
XML External Entity Null Meet 19_3_16.pptx
bySamitAnwer2
 
Vulnerability in libxml2
byRuban Deventhiran
 
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
byPROIDEA
 
A4 xml external entites
byLenur Dzhemiliev
 
External XML Entities
byWilliam McKelphin
 
Attacks against Microsoft network web clients
byPositive Hack Days
 
Devouring Security XML Attack surface and Defences
bygmaran23
 
Xxe
bynullowaspmumbai
 
Xxe xml external entity
byheeraj nair
 

Recently uploaded

PDF
action man.pdf album sa slicicama panini...
byStefanFilipovic9
 
DOCX
Get Verified Payeer Accounts_ Complete Payeer Account Verification Guide (202...
byBEST IT SMM
 
PDF
Parallel and Distributed Databases NOTES.pdf
bywrushabsirsat
 
PDF
2025 Archive - Zsolt Nemeth web blogging
byZsolt Nemeth
 
PDF
anastasia panini album.pdf album sa slicicama
byStefanFilipovic9
 
PDF
alfred jonatan kvak panini album.pdf slicice
byStefanFilipovic9
 
PDF
album panini Evoksi.pdf panini album slicice
byStefanFilipovic9
 
PDF
5 Best FREE Anti-Detect Browsers in 2026
byRakeshChauhan821593
 
PDF
Modernize everything Microsoft session.pdf
byjeyfox1
 
PDF
Dublin Core Metadata : Library’s Digital DNA
byDeepanshu Kumar Yadav
 
PDF
The Role of Micro-interactions in Modern Web Design
bydigitalcrafters0810
 
PDF
Top 7 Instagram Monitoring Apps of 2025 – Feature Overview
byMichael Carter
 
PPTX
Victoria University Transcripts
byvgki5qphpa
 
PDF
Network Security Services for Businesses: 5 Simple Ways to Protect Your Network
byPreemptive Technofield
 
action man.pdf album sa slicicama panini...
byStefanFilipovic9
 
Get Verified Payeer Accounts_ Complete Payeer Account Verification Guide (202...
byBEST IT SMM
 
Parallel and Distributed Databases NOTES.pdf
bywrushabsirsat
 
2025 Archive - Zsolt Nemeth web blogging
byZsolt Nemeth
 
anastasia panini album.pdf album sa slicicama
byStefanFilipovic9
 
alfred jonatan kvak panini album.pdf slicice
byStefanFilipovic9
 
album panini Evoksi.pdf panini album slicice
byStefanFilipovic9
 
5 Best FREE Anti-Detect Browsers in 2026
byRakeshChauhan821593
 
Modernize everything Microsoft session.pdf
byjeyfox1
 
Dublin Core Metadata : Library’s Digital DNA
byDeepanshu Kumar Yadav
 
The Role of Micro-interactions in Modern Web Design
bydigitalcrafters0810
 
Top 7 Instagram Monitoring Apps of 2025 – Feature Overview
byMichael Carter
 
Victoria University Transcripts
byvgki5qphpa
 
Network Security Services for Businesses: 5 Simple Ways to Protect Your Network
byPreemptive Technofield
 

Xml external entities [xxe]

  • 1.
    XML External Entities [XXE] Slippingin through the XML backdoor
  • 2.
  • 3.
    What is it? •XML 1.0 specification allows for “Entity Declaration” • This allows XML documents to be more dynamic • Here are a couple examples
  • 4.
    Who is affected? •Lots of apps use XML • Lots of formats rely on XML • Lots of configuration files for apps use XML • Lots of protocols rely on XML • Some use it without even knowing it
  • 5.
    Who cares? • Attackerand defenders should care because… this is also a valid XXE Declaration:
  • 6.
    Who cares? • Attackerand defenders should care because… this is also a valid XXE Declaration: • …aaaaaand so is this!
  • 7.
    What can youexploit? • Denial of service • File enumeration • Network enumeration • Port scanning • Directory listing • File exfiltration …sometimes WITHOUT AUTH
  • 8.
  • 9.
    How do youstop it? • Coders that know about XXE don’t reflect XML back • But that didn’t work well • Because error messages • Because response timing differences • Because Timur Yunusov & Alexey Osipov Out-of-Band XXE attack
  • 10.
    How do youstop it? Take two • A lot of parser libraries added the option to disable XXE • But that didn’t work well • Because many coders don’t realize this is an attack vector
  • 11.
    How do youstop it? Take three • A lot of parser libraries disable XXE by default • Actually works pretty well • …provided your libraries are up to date. • …no dumb ass developers enabled ittt
  • 12.
    Summary • XML isall over the place • XXE is really bad • If defending, make sure you are not vulnerable • If attacking, make sure you test for XXE, cause it’s really SWEET if you find it
  • 13.
    Shout-outs • Lots ofsmart people have researched and talked about this • Timur Yunusov & Alexey Osipov OOB XXE talk at Blackhat 2013 • Timothy D. Morgan - What You Didn't Know About XML External Entities Attacks • Alex Lauerman @ TrustFoundry

Editor's Notes

  • #2 Introduce yourself. And who you work for.
  • #3 I get a nerd boner whenever I see xml in applications because of how big of an impact this has. Tell Alex’s story of exfiltrating data from very secure services that have been pentested before.
  • #4 Take your time and zoom in on these and explain them
  • #5 Lots of apps use XML without even knowing it. Talk about that one JSON ->XML, XXE attack you did
  • #6 explaining that you can reference an entity on an attacker’s machine this Take your time and zoom-in
  • #7 Explain that you can include local files on the system Take your time and zoom-in
  • #8 Explain here the app you found that used a xml webservice They did the right thing and used an AUTH token to verify access to the service But the token was an XML element, so the app had to parse XML before it could verify authorization. This means I get their webconfig file as an UNAUTHENTICATED ATTACKER
  • #9 Turnkey Linux running python manage.py runserver 192.168.48.128:999 Firefox Burp Running http://192.168.48.128:999/static/mailingList.html try this after xml tag <!DOCTYPE root [<!ELEMENT root ANY> <!ENTITY foo "XXEEEEEE!!!!" >]> Do this to pop the exploit <!DOCTYPE root [<!ELEMENT root ANY> <!ENTITY foo SYSTEM "file:///etc/passwd" >]>
  • #10 Take your time, Explain each one of these Explain the out of bounds XXE attack
  • #12 Explain here for the example, I installed Django from 2013 so apps that are 2+ years old probably don’t have xxe disabled by default but Explain that I have found it on real tests twice in the last year and Alex has found it at least 3 or 4 times
  • #14 Explain that I will be making the fuzzing list and the vulnerable Django app available on github