What to do with an XXE Vulnerability?!!

Enumeration, Data Exfiltration, and SSRF Attacks

I decided to share the testing methodology I developed while taking the class and solving the challenges.

Today, I will explore XML External Entity vulnerability aka XXE and how we can leverage it in performing data exfiltration and SSRF attacks.

Before we dive into it, let’s cover the fundamentals.

XML is a markup language designed for storing and transporting data. It is commonly used in configuration files and web services, and it uses tags similar to HTML.

An XXE vulnerability is an attack against an application that parses XML with no security checks or validation. The attack uses XML external entities to make the parser retrieve content from internal or external resources.

I chose a vulnerable SVG Converter application on AttackDefense Lab to demonstrate the XXE vulnerability and its impact.

When testing a web application, I try to collect as much information about the application as I can, either by manually looking through the application's source page, comments and hidden endpoints, or by intercepting the requests with a proxy to investigate the server's responses further.

At first sight, the application expects the user to upload an SVG image file and convert it to either PNG or PDF format. SVG stands for Scalable Vector Graphics, and it is a file format that allows you to display vector images in a web environment.

I fuzzed each parameter to determine which value accepts XML data and sends it to the server for parsing.

Then I mapped the information I gathered against additional research on XML attacks. I found the likely vector would be XXE, by injecting the XML payload into an SVG file so that it executes once the server parses the SVG.

Below are multiple payloads to use for retrieving different types of information:

Host name payload
Read /etc/passwd file
SSH Private Key

As you can see, with the above payloads we are able to get back sensitive contents from the server:

SSH private key ✔️

Of course, with the SSH key we have a foothold on the server and can fully compromise it.
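To make the root cause and the fix concrete, here is an added example (my own code, not the lab's converter) that parses an SVG upload of the shape described above with Python's standard-library SAX parser in both its vulnerable and its safe configuration, and adds the upload gate a converter should have. The SVG, the file it points at and the `render_text`/`reject_upload` helpers are all constructed for this demonstration.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed upload in the shape the post describes: the DTD declares an
# external entity pointing at a local file and <text> dereferences it, so a
# converter that resolves external entities draws the file's contents.
SVG_TEMPLATE = """<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file://{path}"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>"""

DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def reject_upload(svg_bytes: bytes) -> bool:
    """Upload gate: an SVG never needs a DTD, so refuse any file carrying one."""
    return DTD_RE.search(svg_bytes) is not None

class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []  # character data a converter would render as text
    def characters(self, content):
        self.chunks.append(content)

def render_text(svg_bytes: bytes, resolve_external: bool) -> str:
    """Parse the SVG and return its text. resolve_external=True reproduces the
    vulnerable parser configuration; False (the stdlib default) is the fix."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(collector.chunks)

def demo():
    """Returns (upload rejected?, leaked by unsafe parser?, leaked by safe parser?)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "id_rsa")  # constructed stand-in for a key file
        with open(secret, "w") as fh:
            fh.write("-----BEGIN CONSTRUCTED KEY-----\nnot-a-real-key\n")
        svg = SVG_TEMPLATE.format(path=secret).encode()
        unsafe = render_text(svg, resolve_external=True)
        safe = render_text(svg, resolve_external=False)
        return (reject_upload(svg), "not-a-real-key" in unsafe, "not-a-real-key" in safe)
```

Calling `demo()` returns `(True, True, False)`: the gate rejects the file, the entity-resolving parser copies the key into the rendered text, and the parser with external entities disabled does not.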

That would be it for today. Thanks a lot for reading!!!
