A4 - XML External Entity (Xxe) Attack: © 2020 Nexusguard Limited - Confidential & Proprietary
EXTERNAL ENTITY (XXE) ATTACK
Applications and in particular XML-based web services or downstream integrations might be vulnerable to attack if:
• The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents, which is then parsed by an XML processor.
• Your application uses SAML for identity processing within federated security or single sign-on (SSO) purposes. SAML uses XML for identity assertions, and may be vulnerable.
• The application uses SOAP prior to version 1.2; it is likely susceptible to XXE attacks if XML entities are being passed to the SOAP framework.
• Being vulnerable to XXE attacks likely means that the application is vulnerable to denial of service attacks including the Billion Laughs attack.
• An internal entity lets you define a value once, such as the company name, and reference it in many places in the document. That repetition of data also gives an attacker more places in which other data can be injected.
• Entities can be nested: in the example, dname is the company name and is referenced by further entities. Nothing stops this nesting from being arbitrarily deep, and that quickly becomes a problem (this is the basis of the Billion Laughs attack mentioned above).
• External entities give a company that uses XML a lot of flexibility: an organisation with several servers can pull the data it needs into the document from another server, through an HTTP URI or another URI scheme.
• The same mechanism reaches the operating system's files: a privileged file such as the password file can be viewed, and any file the server process can read would be valid content for an XML entity.
• The last example: rather than referencing a data file to display in the browser, an entity can point at “/dev/random”, a potentially endless file. Including it in an XML document can result in a denial of service attack or a buffer overflow.
• Whenever possible, use less complex data formats such as JSON, and avoid serialization of sensitive data.
• Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention'.
• Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
• Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
• SAST tools can help detect XXE in source code, although manual code review is the best alternative in large, complex applications with many integrations.
• If these controls are not possible, consider using virtual patching, API security gateways, or Web Application Firewalls (WAFs) to detect, monitor, and block XXE attacks.
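As an added example (not part of these slides), the following Python intake check applies the "disable DTD and external entity processing" recommendation to the entity behaviour described in the notes: it uses the standard library's expat callbacks to refuse any document that declares a DOCTYPE or an entity, and shows how much text the stock parser would otherwise produce for a nested-entity document. The sample documents are constructed for illustration.

```python
"""Hardened XML intake: refuse any document that carries a DTD.

Python's xml.etree does not fetch external entities, but it accepts a
DOCTYPE and expands internal entities, so a nested-entity document still
costs memory.  Rejecting the DOCTYPE up front closes both paths.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DTDRejected(ValueError):
    """Raised when an incoming document declares a DTD or any entity."""


def parse_xml_no_dtd(data: bytes) -> ET.Element:
    """Parse `data` only if it contains no DOCTYPE and no entity declaration."""
    probe = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDRejected(f"DOCTYPE for <{name}> is not allowed")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DTDRejected(f"entity declaration {name!r} is not allowed")

    probe.StartDoctypeDeclHandler = on_doctype
    probe.EntityDeclHandler = on_entity
    probe.Parse(data, True)  # exceptions raised in callbacks propagate here
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """'ok' when the guarded parser accepts the document, 'rejected' otherwise."""
    try:
        parse_xml_no_dtd(data)
        return "ok"
    except DTDRejected:
        return "rejected"


def default_expansion_size(data: bytes) -> int:
    """Text bytes the stock parser yields; shows the cost the guard avoids."""
    return len(ET.fromstring(data).text or "")


# Constructed sample documents (not real traffic) covering each case.
SAFE_DOC = b"<order><item sku='A-100' qty='2'/></order>"
EXTERNAL_ENTITY_DOC = (b'<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///etc/passwd"> ]>'
                       b"<order>&ext;</order>")
NESTED_ENTITY_DOC = (b'<!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;&lol;">'
                     b' <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;"> ]><lolz>&lol3;</lolz>')
```

The three-level nested document expands to 48 bytes under the stock parser; each extra level multiplies that by four, which is the growth the guard stops at the DOCTYPE.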