Tags: html, security, xxe

Basic Working Example of an XXE Attack in HTML


I'm trying to run some tests with XXE attacks in an HTML page, but I'm having trouble coming up with a working example. After looking around the internet for a long time, I came up with this:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <script id="embeddedXML" type="text/xml">
        <!DOCTYPE foo [
            <!ELEMENT foo ANY>
            <!ENTITY xxe SYSTEM "file:///etc/passwd">
        ]>
        <foo>&xxe;</foo>
    </script>
</head>
<body>
    <script type="application/javascript">
        alert(document.getElementById('embeddedXML').innerHTML);
    </script>
</body>
</html>

But, it doesn't work. The XML inside the script tag doesn't "run", per se, meaning that when the alert pops up, it just displays the xml as plaintext. It doesn't interpret the DOCTYPE header thing and get the information from the listed file.

It's been very hard to google around for this because apparently XML doesn't "run", but something needs to happen where this text is interpreted instead of just written out. I don't know what that thing is, or how to get it working inside an HTML page as written here.

Any tips much appreciated. Thanks!


Solution

  • See OWASP

    Among the Risk Factors is:

    The application parses XML documents.

    Now, script elements are defined (in HTML 4 terms) as containing CDATA, so markup in them (except </script>) has no special meaning. So there is no XML parsing going on there.

    Meanwhile alert() deals in strings, not in markup, so there's still no XML parsing going on.

    Since you have no XML parser, there's no vulnerability.

    In general, if you want XML parsing in the middle of a web page then you need to use JavaScript (e.g. with DOMParser), but I wouldn't be surprised if it was not DTD aware and so not vulnerable (and even if it was vulnerable then it might well block access to local external entities).
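To make the answer's point concrete, here is an added example that is not part of the original question or answer. It implements a tiny, deliberately DTD-aware entity expander in JavaScript so you can see what has to happen for `&xxe;` to "run": something must read the DOCTYPE, record the `<!ENTITY ...>` declarations, and substitute each reference, fetching the content of SYSTEM entities. Nothing in the question's page does that, which is why `alert()` shows the text unchanged. The external fetch is routed through a caller-supplied resolver so the demo runs offline; the `/etc/passwd` line it returns is a constructed stand-in, not a real file read. The hardened variant, `parseWithoutDtd`, is the check a practitioner wants: refuse any document with a DOCTYPE before entity handling starts, which is what "disable DTDs" in a real XML library amounts to.

```javascript
// Added example: a minimal DTD-aware entity expander, to show what "XML
// parsing" means for XXE, beside the hardened pre-parse check.
// Not code from the original post; the resolver and sample file content
// are constructed stand-ins.

// <!DOCTYPE name ... [ internal subset ]>  (the subset is optional)
const DOCTYPE_RE = /<!DOCTYPE\s+[^\[>]*(?:\[([\s\S]*?)\])?\s*>/;

// <!ENTITY name "literal">  or  <!ENTITY name SYSTEM "uri">
const ENTITY_RE =
  /<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)'|SYSTEM\s+(?:"([^"]*)"|'([^']*)'))\s*>/g;

// Collect the entity declarations from the DOCTYPE's internal subset.
// Returns a Map of name -> { kind: 'internal' | 'external', value }.
function declaredEntities(xml) {
  const entities = new Map();
  const doctype = DOCTYPE_RE.exec(xml);
  if (!doctype || doctype[1] === undefined) return entities;
  for (const m of doctype[1].matchAll(ENTITY_RE)) {
    const name = m[1];
    const internalValue = m[2] !== undefined ? m[2] : m[3];
    const externalUri = m[4] !== undefined ? m[4] : m[5];
    if (externalUri !== undefined) {
      entities.set(name, { kind: 'external', value: externalUri });
    } else {
      entities.set(name, { kind: 'internal', value: internalValue });
    }
  }
  return entities;
}

// What a vulnerable, DTD-aware parser does: strip the DOCTYPE and replace
// every &name; with the declared value, fetching external ones via `resolve`.
// Undeclared references (including &amp; and friends) are left untouched.
function expandEntities(xml, resolve) {
  const entities = declaredEntities(xml);
  const body = xml.replace(DOCTYPE_RE, '');
  return body.replace(/&(\w+);/g, (ref, name) => {
    const ent = entities.get(name);
    if (!ent) return ref;
    return ent.kind === 'external' ? resolve(ent.value) : ent.value;
  });
}

// The hardened variant: reject the document before any entity handling.
function parseWithoutDtd(xml) {
  if (DOCTYPE_RE.test(xml)) {
    throw new Error('DOCTYPE declarations are not allowed');
  }
  return xml;
}

// The XML from the question, as a string (the text alert() displayed).
const SAMPLE_XML = `<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>`;

// Constructed stand-in for the file system so nothing is read from disk.
const FAKE_FS = { 'file:///etc/passwd': 'root:x:0:0:root:/root:/bin/bash' };
const fakeResolve = (uri) => (uri in FAKE_FS ? FAKE_FS[uri] : '');

function demo() {
  // 1. The question's alert(): innerHTML of a <script> is just text.
  const asText = SAMPLE_XML;
  // 2. A DTD-aware parser with external entities enabled.
  const expanded = expandEntities(SAMPLE_XML, fakeResolve).trim();
  // 3. The hardened parser refuses the document outright.
  let rejected = false;
  try {
    parseWithoutDtd(SAMPLE_XML);
  } catch (e) {
    rejected = true;
  }
  return { asText, expanded, rejected };
}

console.log(demo());
```

Run it with `node xxe-demo.js` (any file name works). Step 1 is the behaviour the question observed; step 2 is what an XML library with DTD processing and external entity resolution enabled would produce from the same text; step 3 shows that the cheapest fix is not to try to sanitise the DOCTYPE but to refuse it.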