Hello,
I was watching the security + series and couldn't understand the concept of XML injection well...From the exam point of view, can anyone help me out a little bit here?
Also, what's happening in the picture attached below?
Thanks
Greetings, @Atharva-Bet
I'm so sorry to hear that XML Injections are confusing you, but hopefully I can clear things up for you.
Web applications that use and parse XML may be vulnerable to XML External Entity (XXE) attacks, which can allow an attacker to read server files, perform Denial-of-Service (DoS) attacks, and even in some instances perform Remote Command Execution (RCE).
OK, so now we know what CAN occur, let's talk about WHY/HOW it could occur.
The problem lies with the XML Parser. If the Parser allows you to declare your own External Entities for the Document Type Definitions, or DTDs, and trusts that those Entities are safe, then you can probably pull off some or all of these attacks by injecting your own malicious Entities.
An External Entity basically defines an object that will be used by the application. This will be defined using XML and passed to the web app when you
or
The original request might look something like this...
<language>
<value>&french;</value>
</language>
The malicious request might look like this...
<?xml version="1.0"?>
<!DOCTYPE attack [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<language>
<value>&xxe;</value>
</language>
If this External Entity is accepted and parsed by the Parser, then it will execute a file read of the server's 'passwd' file and return that output to the web page allowing the attacker to view its contents.
You're most likely not going to get asked to answer questions on the Security+ exam about XML Injections that go into that much detail, (Wes will know the expected knowledge level better than I), but at least you now have some idea of what this looks like practically.
I hope this helps.
Daniel
ITProTV
Show Host
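The request from the answer above, run through a small parser three ways, as an added example that is not part of the original thread or ITProTV's material. It uses only the Python standard library (xml.parsers.expat). Everything about the target is constructed: instead of /etc/passwd, the SYSTEM URL points at a temporary file the demo writes itself (a POSIX-style absolute path is assumed for the file:// URL). The first mode deliberately registers an external-entity handler that fetches whatever URL the document declares, which is the vulnerable parser configuration the answer describes; the second leaves the entity unresolved; the third refuses any DOCTYPE, which is the usual fix.

```python
# Added example, not from the original post: the <language><value> request
# from the thread parsed with expat in three configurations: resolving
# external entities (vulnerable), leaving them unresolved, and refusing DTDs.
import os
import tempfile
import urllib.request
from xml.parsers import expat


def build_payload(path: str) -> bytes:
    """Constructed XXE request in the shape of the post's example. The SYSTEM
    URL names a caller-supplied file (POSIX path assumed) instead of
    /etc/passwd so the demo is self-contained."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE attack [\n"
        f'<!ENTITY xxe SYSTEM "file://{path}">\n'
        "]>\n"
        "<language>\n"
        "<value>&xxe;</value>\n"
        "</language>\n"
    ).encode()


def parse_value(xml_bytes: bytes, resolve_external: bool = False,
                allow_dtd: bool = True) -> str:
    """Return the text inside <value>.

    resolve_external=True models a parser that trusts attacker-declared
    external entities and fetches whatever URL they name (the vulnerable
    configuration). allow_dtd=False models the usual fix: reject any
    document carrying a DOCTYPE, so no entity can be declared at all.
    """
    text = []
    in_value = False
    parser = expat.ParserCreate()

    def start(name, attrs):
        nonlocal in_value
        in_value = (name == "value")

    def end(name):
        nonlocal in_value
        if name == "value":
            in_value = False

    def chars(data):
        if in_value:
            text.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    if not allow_dtd:
        def reject_dtd(name, system_id, public_id, has_internal_subset):
            raise ValueError("DTD not accepted: %r" % name)
        parser.StartDoctypeDeclHandler = reject_dtd

    if resolve_external:
        def fetch(context, base, system_id, public_id):
            # Vulnerable behaviour: dereference the attacker's URL (file://,
            # http://, ...) and parse the response as part of the document.
            # The child parser inherits this parser's handlers, so the fetched
            # bytes land in `text` exactly where &xxe; appeared.
            body = urllib.request.urlopen(system_id).read()
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(body, True)
            return 1
        parser.ExternalEntityRefHandler = fetch

    parser.Parse(xml_bytes, True)
    return "".join(text)


def demo() -> dict:
    """Run the payload through all three configurations and report results."""
    workdir = tempfile.mkdtemp()
    secret = os.path.join(workdir, "passwd")
    with open(secret, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
    payload = build_payload(secret)

    results = {"vulnerable": parse_value(payload, resolve_external=True),
               "unresolved": parse_value(payload)}
    try:
        parse_value(payload, allow_dtd=False)
        results["no_dtd"] = "accepted"
    except ValueError as e:
        results["no_dtd"] = "rejected: %s" % e
    return results


if __name__ == "__main__":
    for mode, out in demo().items():
        print("%-11s %r" % (mode, out))
```

In the "vulnerable" mode the file's contents come back as the text of <value>, which is exactly the leak the answer describes. Python's expat does not dereference external entities unless a handler like `fetch` is registered, which is why the "unresolved" mode returns an empty string; parsers in other stacks have historically resolved them out of the box, so the safe habit is not to rely on a default but to turn off DTD processing (or at least external entity resolution) explicitly, as the third mode does.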