How Researchers Read Amazon's Internal Systems with One XML Tag

In 2019, a security researcher submitted a report to an enterprise software vendor's bug bounty program. The target was a document processing API that accepted XML-formatted files. With a single specially crafted XML payload, the researcher was able to read internal server files, including configuration files that contained AWS credentials, and those credentials in turn opened the company's cloud infrastructure.

The vulnerability? XML External Entity injection (XXE). The API handed untrusted XML to a parser that still resolved external entities. The XML specification lets a document declare entities in its DTD (the <!DOCTYPE> block), and an external entity carries a SYSTEM identifier: a URI that the parser fetches and splices into the document wherever the entity is referenced. Because that URI can be file:///... just as easily as http://..., a parser with this feature enabled will read any file the server process can open, or reach any host it can connect to, and hand the result back to whoever submitted the document.
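
The mechanism above, shown end to end with nothing but Python's standard library. This is an added example, not code from the page or from the vendor in the story: xml.sax drives expat, and its feature_external_ges switch decides whether a SYSTEM entity is fetched. The "config file" is constructed in a temporary directory and stands in for the credentials file the story describes; the invoice document shape and the xxe entity name are likewise assumptions for the demo.

```python
"""Vulnerable vs. hardened XML parsing of an attacker-supplied document.

Added example (not from the page or any vendor): the only difference
between the two runs is whether the parser resolves external general
entities. The 'config file' is constructed here and stands in for a
server-side file holding cloud credentials.
"""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """What a naive 'extract the text from this document' endpoint does."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_payload(target_uri):
    """The classic XXE document: an external general entity declared in the
    internal DTD subset and referenced in the body. target_uri is whatever
    the parser should fetch (file:///..., http://169.254.169.254/..., ...)."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE invoice [\n"
        f'  <!ENTITY xxe SYSTEM "{target_uri}">\n'
        "]>\n"
        "<invoice><customer>&xxe;</customer></invoice>"
    ).encode()


def extract_text(payload, resolve_external_entities):
    """Parse submitted XML and return its text content.

    resolve_external_entities=True is the vulnerable configuration: expat
    hands the SYSTEM URI to urllib, reads it, and splices the result in as
    if it were document text. False (the Python default since 3.7.1) leaves
    the entity empty.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(payload))
    return handler.text()


def demo():
    """Run the same payload through both configurations.

    Returns (text_from_vulnerable_parser, text_from_hardened_parser)."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = pathlib.Path(tmp) / "app.conf"
        # constructed stand-in for a server-side config file; not a real key
        conf.write_text("AWS_SECRET_ACCESS_KEY=EXAMPLEKEYEXAMPLEKEYEXAMPLEKEY\n")
        payload = xxe_payload(conf.as_uri())  # file:///tmp/.../app.conf
        vulnerable = extract_text(payload, resolve_external_entities=True)
        hardened = extract_text(payload, resolve_external_entities=False)
    return vulnerable, hardened


if __name__ == "__main__":
    leaked, nothing = demo()
    print("entity resolution ON :", repr(leaked))
    print("entity resolution OFF:", repr(nothing))
```

The fix is a parser setting, not input filtering, and every XML stack spells it differently: lxml takes `etree.XMLParser(resolve_entities=False)`, Java's `DocumentBuilderFactory` should get `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`, .NET uses `XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit`, and for Python the defusedxml package wraps the standard parsers with these defaults. When auditing, find the parser construction in the code rather than trusting the framework's defaults, since those have changed between versions.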

REAL WORLD XXE BUGS
Google XXE — $10,000
XXE in Google's Toolbar Button Gallery — allowed reading internal server files
PayPal XXE — $10,000
XXE in PayPal's document processing endpoint — server-side request forgery to internal services
Uber XXE — $5,000
XXE in Uber's HR document upload feature — file disclosure on internal servers
Facebook XXE — $6,000
XXE in Facebook's Word document parser — read files on facebook.com servers
Shopify XXE — $2,000
XXE in Shopify's product import XML feature — SSRF to internal AWS metadata endpoint

Where XXE hides

XXE lives anywhere an application hands attacker-controlled XML to a DTD-aware parser, and the XML is often wrapped inside another format. These are common attack surfaces:

  • File upload features — DOCX, XLSX and PPTX are ZIP archives of XML parts, and SVG is XML outright; PDF is not XML itself, but its XMP metadata and XFA forms are, and document converters parse them
  • SOAP web services — legacy enterprise APIs that use SOAP envelopes (XML)
  • REST APIs — endpoints that accept Content-Type: application/xml, and JSON endpoints on frameworks that will also parse XML when a request's Content-Type is simply switched to application/xml (worth testing on every JSON API)
  • Document converters — invoice processors, report generators, template engines
  • Configuration imports — any feature that imports settings from an XML file
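
For the upload surfaces in the list above, here is a triage check an upload endpoint can run before any converter or parser touches the file. It is an added example, not the page's or any vendor's code. It rejects any XML part that declares a DTD, because a <!DOCTYPE> block is the only place an entity can be declared, and it looks inside OOXML containers because that is where the XML actually lives. The DOCX-shaped zip, the SVGs and the member-name suffix lists are constructed or trimmed for the demo; a real Office package has many more parts.

```python
"""Refuse XML-bearing uploads that declare a DTD, before any converter parses them.

Added example (not from the page): handles raw XML/SVG and the zipped XML
parts of DOCX/XLSX/PPTX. Sample files are constructed in memory below; the
DOCX is a minimal stand-in, not a complete Office package.
"""
import io
import zipfile
import xml.parsers.expat

ZIP_SUFFIXES = (".docx", ".xlsx", ".pptx")   # OOXML containers (assumed list)
XML_MEMBER_SUFFIXES = (".xml", ".rels")       # XML parts inside them


class _DoctypeSeen(Exception):
    pass


def has_doctype(xml_bytes):
    """True if the document declares a DTD (internal subset or external).

    Expat's own tokenizer does the detection, so a UTF-16 or BOM-prefixed
    file is handled by the parser rather than by a byte-level search, which
    would miss it. No ExternalEntityRefHandler is installed, so expat never
    fetches anything: it reports the declaration and parsing stops there.
    A document that is not well-formed is reported as having no DTD; the
    caller decides what to do with unparseable input.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise _DoctypeSeen(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except _DoctypeSeen:
        return True
    except xml.parsers.expat.ExpatError:
        pass
    return False


def scan_upload(filename, data):
    """Return [(part_name, 'doctype'), ...]; an empty list means no DTD found.

    OOXML containers are opened and every XML part is checked on its own,
    because the payload sits in e.g. word/document.xml, not in the zip.
    Anything else is treated as a single XML document (SVG, raw XML).
    """
    findings = []
    if filename.lower().endswith(ZIP_SUFFIXES):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(XML_MEMBER_SUFFIXES) and has_doctype(zf.read(member)):
                    findings.append((member, "doctype"))
    elif has_doctype(data):
        findings.append((filename, "doctype"))
    return findings


# --- constructed samples (not real uploads) ------------------------------

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
XXE_DOCUMENT_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE w:document [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>&xxe;</w:t></w:r></w:p>'
    "</w:body></w:document>"
)
CLEAN_DOCUMENT_XML = f'<?xml version="1.0"?><w:document xmlns:w="{W_NS}"><w:body/></w:document>'

EVIL_SVG = (
    b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>'
)
EVIL_SVG_UTF16 = EVIL_SVG.decode("ascii").encode("utf-16")  # same payload, BOM + UTF-16
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'


def build_docx(document_xml):
    """Minimal DOCX-shaped zip: a content-types part plus word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("evil.svg", EVIL_SVG), ("evil-utf16.svg", EVIL_SVG_UTF16),
                       ("clean.svg", CLEAN_SVG),
                       ("report.docx", build_docx(XXE_DOCUMENT_XML)),
                       ("clean.docx", build_docx(CLEAN_DOCUMENT_XML))]:
        print(f"{name:15} -> {scan_upload(name, blob) or 'ok'}")
```

This pre-check is a belt to go with the braces: the parser that eventually processes the file must still have DTD or entity resolution disabled, because a check of this kind only covers the upload paths you remembered to route through it. Rejecting on any DOCTYPE is deliberate; legitimate Office and SVG files in practice do not ship a DTD, and allowing "harmless" ones means parsing the subset yourself.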

What file formats are internally XML-based and therefore potential XXE attack surfaces?