AppSec A4-XML External Entities (XXE)

This document discusses the XML External Entity (XXE) vulnerability. XXE occurs when an application parses XML whose DOCTYPE declares an external entity, i.e. an entity whose content is fetched from a URI, and the parser dereferences that URI, allowing an attacker to interfere with XML processing. This can enable attackers to read files from the server, make the server issue requests on their behalf, conduct denial of service attacks, and perform other exploits by manipulating XML processed by the application. The document recommends ways for developers to prevent XXE vulnerabilities, such as disabling external entity and DTD processing, validating XML input, and using simpler formats such as JSON that have no entity mechanism.

Uploaded by Sri K

APPLICATION SECURITY

A4-XML External Entities (XXE)

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker
to interfere with an application's processing of XML data. It occurs when the application parses
attacker-controlled XML whose DOCTYPE (DTD) declares an external entity, an entity whose value is
fetched from a URI, and the parser dereferences that URI on the attacker's behalf.
Weakness: Many older XML processors (and many current ones unless explicitly configured otherwise) allow
specification of an external entity, a URI that is dereferenced and evaluated during XML processing.
Impact: An attacker can escalate an XXE attack to compromise the underlying server or other back-end
infrastructure. This vulnerability can be used to:
 Extract data: read local files the application can read, returned in the response or exfiltrated out of band
 Execute a remote request from the server (Server-Side Request Forgery, SSRF)
 Scan internal systems behind the firewall by pointing the entity at internal hosts and ports
 Denial-of-service: point the entity at an endless or blocking resource
 Possibly mount further attacks, depending on the parser and platform

 XML: eXtensible Markup Language

 XML entities are named units of data within an XML document. An internal entity carries its
replacement text inline in the DTD; an external entity (declared with SYSTEM or PUBLIC) names a URI that
the parser fetches and substitutes wherever the entity is referenced (e.g. &xxe;).
A4-XML External Entities (XXE)
XXE scenarios:
The application accepts XML directly or as XML uploads, especially from untrusted sources, or inserts
untrusted data into XML documents, which are then parsed by an XML processor with external entities
enabled.

The attacker attempts to extract data from the server:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

An attacker probes the server’s private network by changing the above ENTITY line
to:
<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]>

An attacker attempts a denial-of-service attack by including a potentially endless file:
<!ENTITY xxe SYSTEM "file:///dev/random" >]>
How to detect?

 If the XML files are internally stored, review the files and the processing method: which parser is
used, and whether its configuration disables DTD and external entity resolution.

 If the XML file is uploaded by the user, be strict in verifying the acceptable file format and length
and in choosing the parser that processes it; test the upload with a DOCTYPE that declares an external
entity (as in the payloads above) and check whether the entity is resolved.
A4-XML External Entities (XXE)
Remedies

 Restrict the accepted content type and length of XML input.

 Use less complex data formats such as JSON, and avoid serializing sensitive data.

 Patch or upgrade all XML processors and libraries in use by the application or on the underlying
operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.

 Disable XML external entity and DTD processing in all XML parsers in the application. This is the
primary control: entities can only be declared in a DTD, so refusing the DTD removes the attack surface.

 Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent
hostile data within XML documents, headers, or nodes.

 Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or
similar.

 If these controls are not possible, consider using virtual patching, API security gateways, or Web
Application Firewalls (WAFs) to detect, monitor, and block XXE attacks.
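The following is an added example, not code from the slides. It runs the file-read payload shown earlier through two configurations of the expat parser that backs Python's xml.sax and xml.dom.minidom: one that dereferences SYSTEM entities the way an unconfigured XML processor does, and one that applies the "disable external entity and DTD processing" remedy. The secret file, its path, and the function names (build_payload, parse_vulnerable, parse_hardened, rejects) are assumptions made for the example; the temp file stands in for /etc/passwd so the code runs offline.

```python
"""XXE payload against a vulnerable and a hardened expat configuration.

Added example, not the slides' code. The expat hooks used here
(ExternalEntityRefHandler, StartDoctypeDeclHandler) are the same ones
higher-level Python XML APIs configure internally.
"""
import os
import pathlib
import tempfile
import urllib.request
from xml.parsers import expat

# Constructed stand-in for /etc/passwd so the example runs offline
# (assumption: a throw-away temp file; any readable path would do).
_TMPDIR = tempfile.mkdtemp(prefix="xxe-demo-")
SECRET_PATH = os.path.join(_TMPDIR, "secret.txt")
with open(SECRET_PATH, "w", encoding="ascii") as fh:
    fh.write("db_password=hunter2")
SECRET_URI = pathlib.Path(SECRET_PATH).as_uri()   # file:///.../secret.txt


def build_payload(uri):
    """The slide payload with the SYSTEM identifier parameterised."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY >\n"
        f'<!ENTITY xxe SYSTEM "{uri}" >]>\n'
        "<foo>&xxe;</foo>\n"
    )


class DtdNotAllowed(ValueError):
    """Raised by the hardened parser on any DOCTYPE or external entity."""


def parse_vulnerable(xml_text, fetched=None):
    """Parser that dereferences SYSTEM entities, like an unconfigured
    XML processor. Returns the document's text content; every URI it
    fetched is appended to `fetched` (if a list is given)."""
    parts = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = parts.append

    def external_entity_ref(context, base, system_id, public_id):
        if fetched is not None:
            fetched.append(system_id)
        # file://, http://, ftp:// ... whatever urllib supports is fetched,
        # which is exactly the file-read / SSRF / internal-scan primitive.
        with urllib.request.urlopen(system_id) as resp:
            data = resp.read()
        # The child parser inherits CharacterDataHandler, so the fetched
        # bytes land in the document text where &xxe; appeared.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1  # tell expat the entity was handled

    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(xml_text.encode("utf-8"), True)
    return "".join(parts)


def parse_hardened(xml_text, fetched=None):
    """Same parser with DTD and external entity processing refused."""
    parts = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = parts.append

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # Refusing the DOCTYPE itself also stops internal-entity expansion
        # attacks, since entities can only be declared inside a DTD.
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    def external_entity_ref(context, base, system_id, public_id):
        # Second line of defence; never reached once DOCTYPEs are refused.
        if fetched is not None:
            fetched.append(system_id)
        raise DtdNotAllowed(f"external entity {system_id!r} rejected")

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(xml_text.encode("utf-8"), True)
    return "".join(parts)


def rejects(xml_text, fetched=None):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(xml_text, fetched)
    except DtdNotAllowed:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload(SECRET_URI)
    print("vulnerable parser returned:", parse_vulnerable(payload))
    print("hardened parser rejects file payload:", rejects(payload))
    probe = []
    print("hardened parser rejects network probe:",
          rejects(build_payload("https://192.168.1.1/private"), probe),
          "requests made:", probe)
```

The hardened parser rejects the network-probe payload before any request is made, which is the property to check when testing a fix: the internal host must never see a connection, not merely the response must not contain its data. A document with no DOCTYPE still parses normally, so predefined entities such as &amp; keep working.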

SOAP (Simple Object Access Protocol): a messaging protocol specification for exchanging structured
information in the implementation of web services in computer networks. SOAP messages are XML, so SOAP
endpoints are a common place to find XXE.

DTD (Document Type Definition): defines the document structure with a list of valid elements and
attributes. Entities, including external ones, are declared in the DTD, which is why disabling DTD
processing removes the XXE attack surface.