Application Programming Interface (“API”) is a communication interface used by two software components. For example, news aggregator apps talk to other news outlets’ APIs and aggregate them into one mobile or web application. Lego leverages API for an online marketplace to buy and sell Lego parts. This API portal is called BrickLink. Unfortunately, a security researcher discovered an XML external entity (“XXE”) attack. This attack enables any adversary to gain access to the server and user information, with the ability to move within the internal network. This issue was reported to Lego’s security team and fixed in November 2022. This article provides a step-by-step reproduction of the attack.
How is an XXE attack performed?
After authenticating to Bricklink, the application provides a Lego wanted list functionality. The user is given an option to either upload an XML format or a file from the computer. Bricklink uses Apache’s SAX parser to process the XML data on the server when they upload the wanted list using XML format.

XXE vulnerabilities arise because the XML specification contains features such as doctype and xinclude. These power features allow applications to collect arbitrary files from servers or communicate with other servers. Bricklink’s “Upload Bricklink XML format” expects input like:

Information based on the ITEMID is retrieved and added to the wanted list. To perform an XXE injection attack and retrieve “/etc/passwd” from the server's filesystem. To perform the attack:
- Declare XML and introduce the DOCTYPE element. This DOCTYPE defines an XML ENTITY that calls SYSTEM with the file to be retrieved.
- Notice that the tag for ENTITY is named “xxe”.
- Now that the tag is defined, we call the call in either ITEMTYPE, ITEMID, or REMARK.
So the new input would look as follows:

When we click on the “Proceed to verify items” button, we get the following response:

Note that the file was retrieved, and the first line gets printed within the error message but has a partial message. This is because even the response sent by the server is an AJAX call with a trimmed response body. But by moving the response to the REMARK tag, we could view the complete file. So now our new response body looks like this:

When we clicked the “Proceed to verify items” button, we dont get any error but we could view the retrieved file under the “Remarks” tab.

How to protect from XXE attack?
All XXE vulnerabilities arise because the application's XML parsing library, including the SAX parser, supports DOCTYPE. In SAX, DOCTYPE is enabled by default as disallow-doctype-decl is set to false. However, one must ensure disallow-doctype-decl is set to true to mitigate the risk. On the other hand, the SAX parser disables xinclude processing by default. Therefore, ensure the xinclude flag is explicitly set to false.