{"id":47611,"date":"2022-09-26T15:05:42","date_gmt":"2022-09-26T13:05:42","guid":{"rendered":"https:\/\/cyberant.com\/entity-injection\/"},"modified":"2023-11-09T14:03:13","modified_gmt":"2023-11-09T13:03:13","slug":"entity-injection","status":"publish","type":"post","link":"https:\/\/cyberant.com\/en\/entity-injection\/","title":{"rendered":"Entity injection"},"content":{"rendered":"\n<section  class='av_textblock_section av-l8is6f14-4438b74ef808bc8f14b1b9d317e6ac75 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h1 class=\"h2 entry-title\">XXE: Entity injection attacks<\/h1>\n<\/div><\/section>\n\n<section  class='av_textblock_section av-l8is6u2e-16d92dcbc8784b56a6cca4b64c148d42 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Entity injection attacks target applications that parse XML and can lead to data breaches. 
This happens when the XML parser is configured incorrectly. The most dangerous variant is XXE, which stands for XML eXternal Entity injection. This may involve retrieving external resources, such as arbitrary files from the server or from other locations within the network.<\/p>\n<h3>What is XML<\/h3>\n<p><a href=\"https:\/\/www.w3schools.com\/xml\/\" target=\"_blank\" rel=\"noopener\">XML<\/a> (eXtensible Markup Language) is a language used to store data in a structured way. Its format is agreed in advance, so it is readable by both humans and machines. XML is used in various ways, such as telling a browser how this page is constructed. An example XML file looks as follows:<\/p>\n<p><code>John Doe<br \/>\n1<br \/>\nGroningen University<\/code><\/p>\n<p>The school system may provide an option to upload new students using an XML file. Its users can save the above example as a <i>students.xml<\/i> file. After uploading, the school system can read the XML file and query it like a database. This makes XML very suitable for exchanging structured data.<\/p>\n<h3>What are entities<\/h3>\n<p>The XML format also supports variables. Within XML, such a variable is called an &#8220;entity.&#8221; Suppose all students are from the same school; to avoid typing &#8220;Cyber University&#8221; 1,000 times, the following can be done:<\/p>\n<p><code>John Doe<br \/>\n1<br \/>\n&amp;school;<\/code><\/p>\n<p>At the top, the entity &#8220;school&#8221; is now declared, and it is used in the document.<\/p>\n<h3>External entities<\/h3>\n<p>It can be even more convenient: if the text &#8220;Cyber University&#8221; is delivered in a separate file, so that the XML file does not need to be modified, the name can also be loaded externally, for example from a web address or from another local file. 
These are called &#8220;external entities,&#8221; and their abuse is what XXE refers to.<\/p>\n<p><code>]&gt;<br \/>\nJohn Doe<br \/>\n1<br \/>\n&amp;school;<\/code><\/p>\n<p>In the above example, the contents of the file &#8220;school.txt&#8221; are read and used. This is obviously convenient, but it can also pose a security problem: if the XML file is parsed on a server, files that reside on that server can be read the same way. Suppose there is a file called &#8220;passwords.config&#8221; in the same directory; this way it is possible to retrieve the passwords from the server, or other sensitive files such as \/etc\/passwd. This could cause a huge data breach!<\/p>\n<h3>Entity expansions<\/h3>\n<p>Another problem that can occur is &#8220;entity expansion.&#8221; With this, it is not so much possible to steal data as to make the server inaccessible. A well-known example of this is the &#8220;billion laughs attack,&#8221; shown below:<br \/>\n<code>&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;<br \/>\n&lt;!DOCTYPE lolz [<br \/>\n&lt;!ENTITY lol \"lol\"&gt;<br \/>\n&lt;!ELEMENT lolz (#PCDATA)&gt;<br \/>\n&lt;!ENTITY lol1 \"&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;&amp;lol;\"&gt;<br \/>\n&lt;!ENTITY lol2 \"&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;&amp;lol1;\"&gt;<br \/>\n&lt;!ENTITY lol3 \"&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;&amp;lol2;\"&gt;<br \/>\n&lt;!ENTITY lol4 \"&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;&amp;lol3;\"&gt;<br \/>\n&lt;!ENTITY lol5 \"&amp;lol4;&amp;lol4;&amp;lol4;&amp;lol4;&amp;lol4;&amp;lol4;&amp;lol4;&amp;lol4;&amp;lol4;&amp;lol4;\"&gt;<br \/>\n&lt;!ENTITY lol6 \"&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;&amp;lol5;\"&gt;<br \/>\n&lt;!ENTITY lol7 \"&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;&amp;lol6;\"&gt;<br \/>\n&lt;!ENTITY lol8 \"&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;&amp;lol7;\"&gt;<br \/>\n&lt;!ENTITY lol9 \"&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;&amp;lol8;\"&gt;<br \/>\n]&gt;<br \/>\n&lt;lolz&gt;&amp;lol9;&lt;\/lolz&gt;<br \/>\n<\/code>What happens here is that an 
entity is created with the value &#8220;lol&#8221;. A second entity is then declared that references the first one ten times, so its expanded value is &#8220;lollollollollollollollollollol&#8221; (the word lol repeated 10 times). This process is repeated until the entity lol9 expands to the word lol a billion times. Since a letter takes 1 byte in memory, the last entity takes up 3 billion bytes, which is 3GB. This is a huge drain on the server&#8217;s resources, since the parser not only has to hold the result in memory but also has to build it by expanding every reference. Most servers will crash as a result, and should the server survive, the attack is easily scaled up by adding a few more lines.<\/p>\n<h3>Prevent<\/h3>\n<p>There is no standard, parser-independent way to prevent entity injection and the billion laughs attack. Most XML parsers do have a setting that disables this capability. Therefore, please refer to the manual of the parser in use.<\/p>\n<p>Entity injection is common in larger software packages and custom software. During a <a href=\"https:\/\/cyberantcom.wpengine.com\/pentest\/\">pen test<\/a>, CyberAnt checks for this.<\/p>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":11,"featured_media":1649,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[195,216],"tags":[182,183,197,190,200,191,185,186,192,193,194,188,312],"class_list":["post-47611","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacken","category-knowledge-base","tag-cyber-security-en","tag-cyberaanval-en","tag-cybercriminelen-en","tag-datalekken-en","tag-entity-injection-en","tag-etisch-hacker-en","tag-hacker-en","tag-it-infrastructuur-beschermen-en","tag-owasp-en","tag-penetration-test-en","tag-pentest-en","tag-vulnerability-management-en","tag-xxe-entity-injection-attack"],"_links":{"self":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/47611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/comments?post=47611"}],"version-history":[{"count":0,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/47611\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media\/1649"}],"wp:attachment":
[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media?parent=47611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/categories?post=47611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/tags?post=47611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}