Saturday, July 20, 2024

Understanding and Mitigating XXE Vulnerabilities via File Uploads

In this post, I will peel back the layers of XXE (XML External Entity) injections, exploring their mechanisms and impacts on application security. We’ll dig deep into how this pervasive vulnerability can be exploited, specifically focusing on a scenario involving file uploads. I shall break down the intricate process of XXE exploitation, and shed light on preventative measures and best security practices to counteract such attacks. The goal of this post is to equip you with a robust understanding of the XXE threat landscape, along with practical knowledge to help strengthen your application security strategies.

Defining XXE

CWE-611: Improper Restriction of XML External Entity Reference

XML External Entity or XXE, is a type of security vulnerability that primarily affects applications parsing XML inputs. An XXE vulnerability arises when the XML parser doesn’t conduct input validation and indiscriminately processes any instructions it receives. This lapse allows an attacker to view files on the application server’s file system and interact with any backend system or application. Furthermore, XXE can also be utilized to perform SSRF (Server Side Request Forgery) against backend systems, thereby amplifying the potential threat.

Diverse XXE Attack Types

XXE attacks come in various forms, with the following being some of the most common ones:

  1. XXE exploited to retrieve files from the server.
  2. XXE leveraged to perform SSRF on backend systems.
  3. Blind XXE used for out-of-band data exfiltration.

For the purposes of this discussion, our primary focus will be on utilizing XXE to retrieve files from the server.

Recommended:  A Beginner's Guide to Visual Studio Code: Interface, Features, Keyboard Shortcuts and More

XXE Exploitation via File Upload using SVG

One of the most common attack scenarios involves using XXE to retrieve files from a system. Now, let’s turn our attention to a scenario where an application allows users to upload SVG (Scalable Vector Graphics) files. SVG files, which define graphics in XML format, create a multitude of attack scenarios. One such scenario includes exploiting XXE vulnerabilities. If there’s no server-side verification of content or commands when an SVG image is uploaded from the client side, an attacker can potentially execute malicious commands to extract internal details, such as fetching the “/etc/passwd” file.

To illustrate, let’s craft a request to fetch the “/etc/passwd” file from the server.

Crafting a Malicious SVG File

To create a malicious SVG file, we start by defining the XML version. Next, we can include our custom payload along with some attributes such as height, width, and font size. Below is an example payload:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE foo [ <!ENTITY fetch SYSTEM "file:///etc/passwd">]>
<svg width="128px" height="128px" xmlns=""
xmlns:xlink="" version="1.1">
<text font-size=“23" x=“8" y=“28">&fetch;</text>

This payload includes an ENTITY instruction that attempts to fetch the contents of “/etc/passwd” from the server. Additionally, it contains a text element, which determines the font size of the characters fetched. In most systems you can obivously modify the font size as required.

from the “/etc/passwd” file. It’s crucial to adjust the font size according to the specific situation as illegible text can hinder the execution of the attack. Once the file is ready, it can be saved as “image.svg” and uploaded.

Exploitation in Action

After uploading the file to an application without sufficient validation, inspecting your uploaded SVG will reveal the contents of the “/etc/passwd” file, thus demonstrating successful exploitation of the XXE vulnerability.

Recommended:  British Army ’s Twitter, YouTube accounts were compromised to promote crypto scams

Remediation Strategies

Ensuring secure file uploads is a fundamental aspect of maintaining the security integrity of your application. If your application enables users to upload image files, one of the initial security measures you should consider is whitelisting only the required file extensions.

Whitelisting involves specifying a list of acceptable file extensions that users are allowed to upload, thereby limiting the types of files that can be uploaded to your application. This is a critical security practice, as it helps prevent attackers from uploading potentially malicious files that could compromise your system. For example, only allowing file extensions such as “.jpg”, “.png”, or “.gif” for image uploads can prevent attackers from uploading script files or executables that could be used to exploit vulnerabilities in your application.

On the other hand, if your application needs to accept SVG (Scalable Vector Graphics) files due to business requirements, additional precautions should be taken. SVG files define graphics in XML format, which opens potential attack vectors such as the execution of XXE (XML External Entity) attacks, as detailed earlier in this article.

In this case, you should consider implementing stringent restrictions and validation mechanisms to prevent unvalidated processing of instructions contained in these files. This could involve, for instance, deploying XML parsers configured to disable the processing of DTDs (Document Type Definitions), a key factor in XXE attacks.

Moreover, server-side validation is essential, despite any client-side checks. Never rely solely on client-side validation because it can be easily bypassed. A robust server-side validation process will further ensure that only safe and expected content is allowed through, increasing your application’s resilience against XXE attacks.

Recommended:  Fake copyright infringement emails install LockBit ransomware

Implementing content scanning and file type verification can also enhance your security posture. Scanning uploaded files for known malicious patterns and verifying that the file’s content matches its stated file type can help detect and block harmful uploads.

tldr; managing file uploads securely requires a balance between user functionality and security. Whitelisting necessary file extensions, employing robust server-side validation, and implementing additional restrictions for SVG files are essential practices to mitigate the risks associated with file uploads.

Want more? For further information on XXE vulnerabilities, I’d recommend checking out PortSwigger’s comprehensive guide on XXE which also has some awesome labs to get your hands dirty in.

Final Thoughts

Understanding and mitigating XXE vulnerabilities is a crucial aspect of ensuring the security of Web Applications. As I’ve demonstrated in this post, a seemingly innocuous function like file upload can be exploited to create substantial security risks. With thorough awareness and proactive remediation strategies, it’s possible to minimize these risks and protect your applications effectively.

Suggest an edit to this article

Check out our new Discord Cyber Awareness Server. Stay informed with CVE Alerts, Cybersecurity News & More!

Cybersecurity Knowledge Base


Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates