#Xee xml code#
Author: HollyGraceful Published: 19 October 2020

XML Entity Injection is a powerful vulnerability that can allow for confidential data theft and, in rare cases, command execution. It was also often overlooked for a while - but now that it features in the OWASP Top 10 as A4 it's a lot more well known. The issue comes about within XML parsers where external entities are processed, which can allow for URIs to be loaded.

What's an entity? An easy way to think of entities is like a variable. It can hold strings, so an entity can be used in XML to hold text content - or it can be used with a URI to load remote content. If you have an application which processes XML you're going to see something like this:

With many parsers you can modify this content and define entities. Here's a simple example with an entity defined:

In the above example you can see some XML is defined, with a DTD (that's the DOCTYPE line shown in bold) which defines an internal entity. This one is "internal" as it is defined entirely within the DTD; it doesn't reference any external resources. When this XML is parsed, the part that reads "&example;" within the item node will be replaced with the value of the example entity - which is Toilet Roll. This example uses an internal entity, much like a common programming variable, to cause a chosen string to be included in the application output.

That's an internal entity in use: you can see the message in the input box at the bottom has been sent to the application and the application has outputted "Buy more Toilet Roll", showing the internal entity has been parsed. Internal entities are not usually a big deal from a security point of view.

However, if we change the syntax slightly we can load an external entity, which opens the ability to load remote resources. This will load the supplied URI and include it within the application response. Here a file: URI is used so it may be possible to access server-side files, but other URIs can lead to related issues - such as https: allowing for server-side requests to be sent, possibly bypassing firewall restrictions to access internal applications. This example causes confidential data disclosure by requesting the content of a file on the web server. As mentioned above, much more rarely, it's also possible to cause denial of service conditions or even remote code execution.

Here you can see the /etc/passwd file disclosed.
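The internal and external entity cases described in this article can be told apart at parse time, which is what a hardened parser relies on. The following is an added example, not code from the original page: it uses Python's standard `xml.parsers.expat` module, and the names `parse_text`, `is_rejected` and `ForbiddenXML` plus both sample documents are constructed for illustration.

```python
import xml.parsers.expat

class ForbiddenXML(ValueError):
    """The document uses a DTD construct that the policy refuses."""

def parse_text(xml_bytes, allow_internal_entities=False):
    """Return the document's character data, refusing risky DTD features."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Strictest policy: no DOCTYPE, so no entity can be declared at all.
        if not allow_internal_entities:
            raise ForbiddenXML("DOCTYPE is not allowed")
        # An external DTD subset is itself a URI for the parser to load.
        if system_id or public_id:
            raise ForbiddenXML("external DTD subset %r" % system_id)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones have
        # value None and a system identifier (the URI) instead.
        if value is None:
            raise ForbiddenXML("external entity %r -> %r" % (name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)

def is_rejected(xml_bytes, **policy):
    """True when parse_text refuses the document under the given policy."""
    try:
        parse_text(xml_bytes, **policy)
    except ForbiddenXML:
        return True
    return False

# Constructed sample documents (not taken from the original page).
INTERNAL = (b'<!DOCTYPE order [<!ENTITY example "Toilet Roll">]>'
            b'<order><item>Buy more &example;</item></order>')
EXTERNAL = (b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<order><item>&xxe;</item></order>')

if __name__ == "__main__":
    print(parse_text(INTERNAL, allow_internal_entities=True))
    print(is_rejected(EXTERNAL, allow_internal_entities=True))
    print(is_rejected(INTERNAL))
```

With the default policy any DOCTYPE is refused, which is the safest setting for applications that never need DTDs; the relaxed policy still refuses every entity whose value comes from a URI.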