XML External Entities
XML external entity injection (also known as XXE) is a web security vulnerability that allows an
attacker to interfere with an application's processing of XML data. It often allows an attacker to view
files on the application server's filesystem, and to interact with any back-end or external systems that
the application itself can access.
DESCRIPTION
XML documents can contain entities that are defined within the DOCTYPE header. These
entities can reference remote external systems or local content on the server that hosts the
web application and its XML parser. When the web application parses the XML document, the
parser replaces each entity reference with the value that was declared for it. XML Schema
Definitions (XSD) and Document Type Definitions (DTD) are used to validate XML documents by
declaring what type of document is being defined, so that the parser knows how to process it.
The difficulty here is that although DTDs are an older, legacy way of defining the kind of
document before it is processed, they are still very commonly used by applications, and their
use may leave the application liable to XXE.
ATTACK
Attackers can take advantage of XML external entities to abuse the parser's ability to fetch
external resources. In many cases an XXE vulnerability also lets an attacker leverage a
misconfigured XML parser by essentially turning it into a proxy server, so that they can carry
out Server-Side Request Forgery (SSRF) attacks, gain further access into the intranet, or
connect to external public servers from behind the firewall. An attacker can use an XML entity
definition with a SYSTEM identifier to make the XML parser accept maliciously crafted requests
containing XML files that appear harmless to the firewall and to the application, because the
services involved do not seem to be attacked directly.
XXE attacks are a serious risk to any organization and can lead to severe consequences. The
core of the vulnerability is that the XML parser parses untrusted data sent by users, and that
data may be malicious. The other main issue is that the majority of XML parsers are prone to
XML external entity (XXE) attacks because external entity resolution is enabled by default.
MITIGATION
Whenever possible, use less complex data formats such as JSON, and avoid
serialization of sensitive data.
Patch or upgrade all XML processors and libraries in use by the application or on the
underlying OS. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.
Verify that XML or XSL file upload functionality checks incoming XML using XSD
validation or similar.
Static Application Security Testing (SAST) tools can detect XXE in source code, but manual
code review is the best alternative in complex applications with many integrations.
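The following Python script is an added example, not part of the original text, and it ties the DESCRIPTION section (entity references being replaced by declared values) to the MITIGATION section (validating incoming XML before it is processed). It shows the benign substitution mechanism on an internal entity, a detector that lists every SYSTEM/PUBLIC entity declared in a document's DTD, and a hardened parse entry point that refuses any DOCTYPE from an untrusted client before the parser sees it. Both XML documents are constructed here and the file URI is a placeholder; only the standard library is used, and it assumes ElementTree's expat-based parser, which expands internal entities but does not fetch external ones.

```python
"""Added example: find and refuse DTD entity declarations in untrusted XML.
Sample documents are constructed for this example; the URI is a placeholder."""
import re
import xml.etree.ElementTree as ET

# Constructed: an internal entity, the legitimate substitution a DTD provides.
BENIGN_XML = '<!DOCTYPE note [<!ENTITY greeting "hello">]><note>&greeting;</note>'

# Constructed: the same mechanism, but the value comes from a SYSTEM identifier.
SUSPICIOUS_XML = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///placeholder/path">]>\n'
    '<note>&ext;</note>'
)

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b', re.IGNORECASE)
# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "pubid" "uri">,
# including parameter entities (<!ENTITY % name ...>).
ENTITY_DECL_RE = re.compile(
    r'''<!ENTITY\s+(?:%\s+)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)'''
    r'''(?P<ids>(?:\s+(?:"[^"]*"|'[^']*'))+)''',
    re.IGNORECASE,
)
QUOTED_RE = re.compile(r'''"([^"]*)"|'([^']*)\'''')


def find_external_entities(xml_text):
    """Return [(entity_name, uri)] for every external entity declared in the DTD.
    For PUBLIC entities the last quoted literal is the system identifier (URI)."""
    found = []
    for m in ENTITY_DECL_RE.finditer(xml_text):
        literals = [a or b for a, b in QUOTED_RE.findall(m.group('ids'))]
        found.append((m.group('name'), literals[-1]))
    return found


def internal_entity_value(xml_text):
    """Show the substitution itself: the parser replaces &name; with its value."""
    return ET.fromstring(xml_text).text


def classify(xml_text):
    """One verdict per document, as a request filter or log enrichment would emit."""
    if find_external_entities(xml_text):
        return 'external-entity'
    if DOCTYPE_RE.search(xml_text):
        return 'dtd-only'
    return 'plain'


def parse_untrusted_xml(xml_text):
    """Hardened entry point: a DOCTYPE (and therefore any entity declaration)
    is refused before the data reaches the parser; plain documents are parsed."""
    if DOCTYPE_RE.search(xml_text):
        raise ValueError('rejected: DOCTYPE declarations are not accepted from clients')
    return ET.fromstring(xml_text)


if __name__ == '__main__':
    print('internal entity expands to:', internal_entity_value(BENIGN_XML))
    for doc in (BENIGN_XML, SUSPICIOUS_XML, '<note>hi</note>'):
        print(classify(doc), find_external_entities(doc))
    try:
        parse_untrusted_xml(SUSPICIOUS_XML)
    except ValueError as err:
        print(err)
```

Rejecting the DOCTYPE outright is the simplest check that a schema-validation step can apply to uploaded XML: it removes the entity mechanism entirely rather than trying to enumerate dangerous declarations, while the detector above is useful for logging which requests carried external entity declarations.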