XXE: What is entity injection?

Entity injection attacks target applications that parse XML and can lead to data leaks. They become possible when the XML parser is configured insecurely. The most dangerous variant is XXE, which stands for XML External Entity (injection). With it an attacker can make the parser fetch resources it should never touch: arbitrary files on the server, or URLs on the internal network that the server can reach but the attacker cannot.

What is XML?

XML (Extensible Markup Language) is a text format for storing data in a structured way. The structure is agreed in advance, which makes the data readable for both people and programs. XML is used in many places, for example in RSS feeds, SVG images and SOAP web services. An example of an XML file looks like this:

<students>
<student>
<name>John Doe</name>
<id>1</id>
<school>Groningen University</school>
</student>
</students>

Suppose a school system lets users upload new students as an XML file. A user saves the example above as student.xml and uploads it; the school system parses the file and can then query it like a small database. This is what makes XML convenient for exchanging structured data, and it is also the point where untrusted XML enters the application.

What are entities?

XML also has a kind of constant, called an "entity". An entity is declared in the DOCTYPE at the top of the document and is substituted wherever it is referenced as &name;. Suppose all students come from the same school and we want to avoid typing "Cyber University" 1,000 times; then we can do the following:

<!DOCTYPE students [<!ENTITY school "Cyber University">]>
<students>
<student>
<name>John Doe</name>
<id>1</id>
<school>&school;</school>
</student>
</students>

The entity "school" is declared at the top and used further down in the document; the parser replaces every &school; with "Cyber University".

XXE: external entities

It can be even more convenient. If we want to keep the text "Cyber University" in a separate file, so that the XML file itself never has to change, the value can also be loaded from outside the document: from a local file, or from a URL. This is an "external entity", declared with the SYSTEM keyword followed by the location to load.

<!DOCTYPE students [<!ENTITY school SYSTEM "school.txt">]>
<students>
<student>
<name>John Doe</name>
<id>1</id>
<school>&school;</school>
</student>
</students>

In the example above, the parser reads the contents of the file "school.txt" and substitutes them for &school;. Convenient, but also a security problem: the uploader controls the DOCTYPE, so the location does not have to be school.txt. If the uploaded file is parsed on the server, the attacker can point the entity at any file the application process is allowed to read. Suppose there is a file called "passwords.config" in the same folder; a SYSTEM entity referencing it pulls the passwords into the document, and the same works for absolute paths such as /etc/passwd or for http:// URLs on the internal network. Whether the attacker actually sees the result depends on the application: here the value turns up wherever the student's school name is displayed or returned. One practical limit: the fetched content must be well-formed XML text, so a file containing characters such as < or a bare & aborts the parse instead of being included. Either way, this can cause a massive data breach!
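As an added example (not code from the original page), here is the upload scenario above in Python's standard-library xml.sax parser. The same attacker-supplied student.xml is parsed twice: once with the external-entity feature switched on, which is the misconfiguration, and once with the default setting. The file passwords.config, its contents and the student document are all constructed here for the demonstration; the names SchoolCollector, parse_schools, attacker_payload and demo are this example's own.

```python
"""Added example: XXE file read with Python's xml.sax, vulnerable vs. default settings.

Constructed scenario: the school system parses an uploaded student.xml and
stores the <school> field.  Nothing here is code from the original page.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class SchoolCollector(ContentHandler):
    """Collects the text of every <school> element, entity references included."""

    def __init__(self):
        super().__init__()
        self.schools = []
        self._buf = None  # list while inside <school>, None otherwise

    def startElement(self, name, attrs):
        if name == "school":
            self._buf = []

    def characters(self, content):
        # Called for literal text and for expanded entity text alike:
        # after parsing, the application cannot tell the two apart.
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "school":
            self.schools.append("".join(self._buf))
            self._buf = None


def parse_schools(xml_bytes, allow_external_entities):
    """Parse student.xml and return the list of school names.

    allow_external_entities=True is the misconfiguration: the parser fetches
    whatever the SYSTEM identifier points at.  Python >= 3.7.1 ships with this
    feature off, which is the hardened setting.
    """
    handler = SchoolCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.schools


def attacker_payload(target_path):
    """The uploaded student.xml: the <school> entity now points at a server file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE students [<!ENTITY school SYSTEM "%s">]>\n'
        '<students><student><name>John Doe</name><id>1</id>'
        '<school>&school;</school></student></students>\n' % target_path
    ).encode()


def demo():
    """Create a constructed secret file, then parse the payload both ways."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "passwords.config")
        with open(secret, "w") as f:
            f.write("db_password=s3cr3t")  # constructed sample secret, not real data
        payload = attacker_payload(secret)
        leaked = parse_schools(payload, allow_external_entities=True)
        blocked = parse_schools(payload, allow_external_entities=False)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("external entities on :", leaked)   # ['db_password=s3cr3t']
    print("external entities off:", blocked)  # ['']
```

With the feature on, the secret arrives through the ordinary characters() callback, exactly like a legitimate school name. With it off, the reference is silently skipped and the field is empty, while ordinary internal entities such as the "Cyber University" example still expand. Python releases before 3.7.1 had the feature on by default, so code that never touched the setting was vulnerable there.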

The billion laughs attack

Another problem is "entity expansion". It does not steal data, but it can make the server unavailable. A well-known example is the "billion laughs" attack, listed below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

First an entity is created with the value "lol". The next entity, lol1, consists of ten references to it, so it expands to "lollollollollollollollollollol" (30 characters). Every following entity repeats the previous one ten times, so lol9 expands to 10^9 copies of "lol": a billion laughs. At one byte per character that is 3 billion bytes, roughly 3 GB, produced from a document of under a kilobyte. The parser must not only hold the result in memory but also build it up by substitution, step by step, which burns CPU as well. Most servers exhaust their memory or time out; if a server survives, the attacker only needs a few extra lines (lol10, lol11, ...) to multiply the load by ten per line.
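The following added example (not from the original page) makes the arithmetic above concrete for any depth and shows a pre-parse check: it reads the internal entity declarations out of the DOCTYPE with a regular expression and computes each entity's fully expanded length recursively, without ever building the string. The 3 GB figure comes out of the computation rather than being hard-coded. Treat it as an illustration of why the payload is dangerous, not as a replacement for the parser's own limits: the regular expression only understands simple double-quoted internal entities, and the function names (declared_entities, expanded_length, expansion_ratio, safe_to_parse, billion_laughs) and the 1 MB threshold are this example's own choices.

```python
"""Added example: estimate DTD entity expansion before handing a document to a parser.

Not from the original page.  Scans internal general entity declarations in the
DOCTYPE and resolves each entity's fully expanded length without building the text.
"""
import re

# Simplification: only <!ENTITY name "value"> internal entities; SYSTEM entities,
# single-quoted values and parameter entities (<!ENTITY % ...>) are not matched.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')


def declared_entities(xml_text):
    """Map entity name -> raw (unexpanded) replacement text from the DOCTYPE."""
    return dict(ENTITY_DECL.findall(xml_text))


def expanded_length(name, entities, _memo=None, _stack=()):
    """Fully expanded length of entity `name`, computed recursively with memoisation.

    A reference chain that loops back on itself is illegal XML; raise instead of
    recursing forever.  An undeclared reference is also an error.
    """
    if _memo is None:
        _memo = {}
    if name in _memo:
        return _memo[name]
    if name in _stack:
        raise ValueError("recursive entity: " + name)
    value = entities.get(name)
    if value is None:
        raise ValueError("undeclared entity: " + name)
    total = 0
    last = 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - last  # literal text before the reference
        total += expanded_length(m.group(1), entities, _memo, _stack + (name,))
        last = m.end()
    total += len(value) - last  # trailing literal text
    _memo[name] = total
    return total


def expansion_ratio(xml_text):
    """Return (largest expanded entity size in characters, ratio to document size)."""
    entities = declared_entities(xml_text)
    biggest = max((expanded_length(n, entities) for n in entities), default=0)
    return biggest, biggest / max(len(xml_text), 1)


def safe_to_parse(xml_text, max_entity_chars=1_000_000):
    """Pre-parse gate: refuse documents whose DTD can blow up past the threshold."""
    try:
        biggest, _ = expansion_ratio(xml_text)
    except ValueError:  # recursive or undeclared entity: a real parser rejects it too
        return False
    return biggest <= max_entity_chars


def billion_laughs(depth=9):
    """Build the page's payload for an arbitrary depth (depth=9 is the classic)."""
    if depth < 1:
        raise ValueError("depth must be at least 1")
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else "lol%d" % (i - 1)
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * 10))
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&lol%d;</lolz>\n'
            % ("\n".join(decls), depth))


if __name__ == "__main__":
    doc = billion_laughs()
    biggest, ratio = expansion_ratio(doc)
    print("document size :", len(doc), "bytes")
    print("largest entity:", biggest, "characters")  # 3000000000
    print("amplification :", "%.0fx" % ratio)
    print("safe to parse :", safe_to_parse(doc))     # False
```

Each extra declaration multiplies the largest entity by ten while adding under 100 bytes to the document, which is the amplification that the check measures. Modern parsers apply a similar limit internally (libexpat, for instance, caps the amplification ratio), but an explicit gate like this also lets the application log and reject the upload before any parsing starts.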

Prevent it from happening

There is no single switch that prevents both entity injection and the billion laughs attack across all parsers, but almost every XML library has settings for it. The most robust choice is to reject any document that contains a DOCTYPE, because neither attack works without one; where a DTD is genuinely needed, at least disable external entities and enable the parser's expansion limits. Consult the manual of your parser: in Java (JAXP) the feature http://apache.org/xml/features/disallow-doctype-decl does this, in .NET XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit, in lxml XMLParser(resolve_entities=False), and Python's built-in xml.sax parser no longer loads external entities by default since version 3.7.1.

Entity injection is common in both large software packages and custom-built software, and it is something we check for during a pentest. Wondering if your application is vulnerable? Then please contact us.

More information about our solutions

Do you want to make sure that your websites, apps or systems are free from vulnerabilities? Our experts are happy to work for you. For more information about our pentests or other services, please feel free to contact us via the contact form below. We are happy to tell you what we can do for you.

    Contact

    Randstad 22 147
    1316BM Almere

    info@cyberant.com
    +31 (0)85 047 1590