In this post, I would like to share about XML Injection Attack that might be useful for some scenarios. For those who are not familiar with XML Injection attack, XML Injection is an method that been used by the attacker to manipulate or exploit the logic of any XML Application or Service that resides in.

By doing an XML Injection, the attacker can usually cause the application or message to compromise with any insertion of malicious content. This will be compromised by dereferenced from the XML processor (can read my previous post about this here).

Below are the example of XML Injection Code that can be found resides within a vulnerable website:

Besides an example above, there can also be code such as <!ELEMENT> and <!ENTITY> where it’s a common structure of XML formating.

For the attack, we can use the CDATA as our payload which will inject an illegal character that normally been ignored by XML parsers. It also can expose the website to other type of attack such as Cross-Site-Scripting(XSS)

An example of the Payload for the XSS attack would look something like follows:

<![CDATA[<IMG SRC= onmouseover=javascript:alert('XSS attack');>]]>

Other than XSS, this vulnerable also can be exploited to Remote Code Execution(RCE) if we are lucky when the developer configures the PHP “expect” modules to be downloaded.

If those are the case, we can modify the payload to ensure that RCE attack work properly.

<!DOCTYPE person [
 <!ELEMENT person (name, age)>
 <!ELEMENT name (#PCDATA)>
<!ENTITY xxe SYSTEM "<file:///etc/passwd>" >]>`&xxe;`

Source: XML Security Cheat Sheet



To be able prevent this vulnerability have a few recommendation that can be used by the developer.

  1. Avoid it by Design where choose API that different format such as JSON
  2. Need to revise any third-party source code to ensure that it has not vulnerable to any XML or XXE vulnerability
  3. The developer also need to configure and implement the system properly to ensure they have whitelisted any trusted external Document Type Declaration (DTD)

Reference: XML Security Cheat Sheet,XML External Entity (XXE) Processing