Learn how to prevent XXE. Proper training, upgrading processors, and validation are essential steps. Detect and block XXE attacks effectively.
XML External Entities (XXE) is a security vulnerability in which an attacker exploits an XML processor that resolves external entities, by uploading XML or embedding hostile content in an XML document that the application parses. A successful attack can extract local files from the server, make the server issue requests to other hosts (server-side request forgery), scan internal systems, cause denial of service, and enable other malicious activity.
XXE vulnerabilities can occur when the application accepts XML directly or XML uploads from untrusted sources, inserts untrusted data into XML documents, or uses XML processors with document type definitions (DTDs) enabled. Applications that use SAML for federated security or single sign-on (SSO), or SOAP prior to version 1.2, may also be vulnerable, because both carry XML that the processor parses.
To prevent XXE vulnerabilities, developers should receive proper training, use less complex data formats such as JSON where possible, and avoid serialization of sensitive data. They should also patch or upgrade all XML processors and libraries (including upgrading SOAP to version 1.2 or later), disable XML external entity and DTD processing in every XML parser the application uses, implement positive (allow-list) server-side input validation and filtering, and verify that incoming XML files, including XML and XSL uploads, are validated against a schema (XSD or similar). Note that switching off external entity fetching does not by itself stop internal entity expansion attacks such as "billion laughs"; rejecting any document that contains a DOCTYPE is the safest option when the application does not need DTDs. SAST tools and manual code review can detect XXE in source code, and virtual patching, API security gateways, or Web Application Firewalls (WAFs) can be used for detection, monitoring, and blocking of XXE attacks at runtime.
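The following is an added example, not code from the original article: it shows the "disable external entity and DTD processing" advice in working form using Python's standard-library SAX parser. The weak setting (external general entities enabled, which was the default before Python 3.7.1) is shown next to a hardened parser that rejects any DOCTYPE by default and, when a DTD must be accepted, switches external entity fetching off explicitly and installs a resolver that fails closed. The payload is the article's first scenario, pointed at a temporary file with a constructed "secret" instead of /etc/passwd; the SECRET contents, file paths and function names are all assumptions made for this demo.

```python
"""Added example: vulnerable vs hardened XML parsing with xml.sax (stdlib).
Everything here is constructed for the demo; it is not the article's code."""
import io
import os
import tempfile
from pathlib import Path
import xml.sax
from xml.sax.handler import (ContentHandler, EntityResolver,
                             feature_external_ges, feature_external_pes)

# Constructed stand-in for the file an attacker would target (the article uses /etc/passwd).
SECRET = "root:x:0:0:root:/root:/bin/bash\n"


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self._chunks = []

    def characters(self, content):
        self._chunks.append(content)

    @property
    def text(self):
        return "".join(self._chunks).strip()


class RefuseExternalEntities(EntityResolver):
    """Defence in depth: if someone later re-enables external entities, fail closed
    instead of opening files or URLs named by the attacker."""

    def resolveEntity(self, publicId, systemId):
        raise ValueError(f"refusing to resolve external entity {systemId!r}")


def build_xxe_payload(target_path: str) -> bytes:
    """The article's scenario #1, aimed at a file we control instead of /etc/passwd."""
    uri = Path(target_path).resolve().as_uri()  # e.g. file:///tmp/tmpabc123.txt
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "  <!ELEMENT foo ANY >\n"
        f'  <!ENTITY xxe SYSTEM "{uri}" >\n'
        "]>\n"
        "<foo>&xxe;</foo>\n"
    ).encode("latin-1")


def parse_unsafe(data: bytes) -> str:
    """Weak setting: the parser fetches external general entities and inlines them."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous switch
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text


def parse_hardened(data: bytes, allow_dtd: bool = False) -> str:
    """Hardened: refuse any DOCTYPE by default (blocks internal entity DoS too);
    if a DTD must be accepted, external entity fetching is off and the resolver fails closed."""
    if not allow_dtd and b"<!DOCTYPE" in data:
        raise ValueError("XML containing a DOCTYPE/DTD is not accepted")
    parser = xml.sax.make_parser()
    # Set explicitly rather than relying on the 3.7.1+ default of "off".
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.setEntityResolver(RefuseExternalEntities())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text


def run_demo() -> dict:
    """Write the constructed secret to a temp file, attack it with both parsers,
    and report what each one exposed."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SECRET)
        path = fh.name
    try:
        payload = build_xxe_payload(path)
        results = {"unsafe": parse_unsafe(payload)}
        try:
            parse_hardened(payload)
            results["hardened_rejects_dtd"] = False
        except ValueError:
            results["hardened_rejects_dtd"] = True
        # Even with DTDs allowed, the hardened parser leaves the entity unexpanded.
        results["hardened_dtd_allowed"] = parse_hardened(payload, allow_dtd=True)
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The unsafe parser returns the full contents of the targeted file as the text of <foo>; the hardened parser raises on the DOCTYPE, and with DTDs explicitly allowed it returns an empty string because the entity is never fetched. The same two switches (external entity resolution and DOCTYPE acceptance) are what the equivalent settings in Java's DocumentBuilderFactory, libxml2 and .NET control; the pre-parse DOCTYPE check is a coarse filter and belongs alongside, not instead of, the parser's own feature flags.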
Scenario #1: Data Extraction: The attacker attempts to extract data from the server by uploading a malicious XML file whose DTD declares an external entity pointing at a local file: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>
Scenario #2: Probing the Server's Private Network: The attacker probes the server's private network by changing the ENTITY line in the malicious XML file to: <!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]>
Scenario #3: Denial-of-Service Attack: The attacker attempts a denial-of-service attack by pointing the entity at a potentially endless file, so the parser never finishes reading it: <!ENTITY xxe SYSTEM "file:///dev/random" >]>