XXE Injection Attack Tutorial (2018)


XXE Injection attacks is a type of injection attack that takes place when parsing XML data. An XXE attack takes place when XML input contains a reference to an external entity and is processed by a weakly configured XML parser. The XXE attack can lead to disclosure of confidential data, denial of service, server side request forgery, port scanning of the machine parsing the XML data, and command execution.

Since the XXE injection attack occurs relative to the application processing the XML document, an attacker may use this trusted application to pivot to other internal systems, possibly disclosing other internal content via http(s) requests or launching a CSRF attack to any unprotected internal services. In some situations, an XML processor library that is vulnerable to client-side memory corruption issues may be exploited by dereferencing a malicious URI, possibly allowing arbitrary code execution under the application account. Other XXE injection attacks can access local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released.

Note that the application does not need to explicitly return the response to the attacker for it to be vulnerable to information disclosures. An attacker can leverage DNS information to exfiltrate data through subdomain names to a DNS server that they control.

Risk Factors:
- The application parses XML documents.
-Tainted data is allowed within the system identifier portion of the entity, within the document type declaration (DTD).
- The XML processor is configured to validate and process the DTD.
- The XML processor is configured to resolve external entities within the DTD.

Stop XXE Injection Attack: https://www.owasp.org/index.php/XML_E...

This video content has been made available for informational and educational purposes only. The content within this video is meant to educate viewers on cyber security topics, methodologies, and tactics to better protect against cyber security threats. Don't be evil.

XXE Injection Attack Tutorial (2018) XXE Injection Attack Tutorial (2018) Reviewed by Anonymous on December 18, 2018 Rating: 5