Vulnerability 1: Security

Misconfiguration
OWASP – A5
Security Misconfiguration
• Security misconfiguration in web apps refers to a situation where a web application’s
security settings are not properly configured or are missing critical security controls, leaving
it vulnerable to attacks. This can occur due to various reasons such as:
1. Inadequate configuration of access controls: If the application does not have proper access
controls, unauthorized users may be able to gain access to sensitive data or functionality.
2. Insufficient encryption: If the application does not use adequate encryption mechanisms,
sensitive data such as passwords and credit card numbers can be intercepted and stolen.
3. Outdated software: Failing to keep software up-to-date can leave vulnerabilities open to
exploitation by attackers.
4. Default settings left unchanged: Leaving default settings unchanged can provide an easy
entry point for attackers, as these settings are often well-known and easily exploitable.
5. Inadequate logging and monitoring: If the application does not have proper logging and
monitoring mechanisms in place, security incidents may go undetected or unreported.
XXE Attack in Focus
The XXE (XML External Entity) attack is a type of injection
vulnerability that occurs when an application processes XML input in a
way that allows an attacker to inject external entities into the XML
document. This can lead to the disclosure of sensitive data, execution of
arbitrary code, or even remote code execution.
• Here’s how it works:
1.An attacker sends an XML request to the vulnerable application.
2.The application processes the XML request and attempts to resolve any
external entities (e.g., URLs, files) referenced in the XML document.
3.The attacker injects a malicious XXE entity into the XML document, which is
then processed by the application.
Goals
• The user should have basic knowledge of XML
• The user will understand how XML parsers work
• The user will learn to perform an XXE attack and how to protected
against it.
What is an XML entity?
An XML Entity allows tags to be defined
that will be replaced by content when the
XML Document is parsed. In general
there are three types of entities:
•internal entities
•external entities
•parameter entities.
What is an XXE injection?
XML External Entity attack: a type of attack on an app that parses XML input.
Weakly configured parsers can lead to data disclosure, denial-of-service, and other
system impacts.
Attacks can reveal sensitive files (e.g., passwords, user data) using file references in
system identifiers. An attacker can use the vulnerable app to access other internal
systems and data via HTTP requests or launch CSRF attacks. Additionally, vulnerable
XML libraries may allow arbitrary code execution or exhaust local resources,
impacting application availability.

• In general we can distinguish the following kind of XXE attacks:

• Classic: in this case an external entity is included in a local DTD
• Blind: no output and or errors are shown in the response
• Error: try to get the content of a resource in the error message
XXE
• Let’s look at an example of an XXE injection, in the previous section
we saw that XML entities can be used as follows:
External DTD Declaration
• Defining these entities also makes it possible to define another DTD in • and the email.dtd can be defined as follows:
an external file, for example:
XML Parser
• If a XML parser is configured to allow external
DTD or entities we can change the following
XML snippet with the following:

• Now what happens? We defined an include from

the local filesystem, the XML parser will load
the file and will add the contents wherever the
entity is referenced. Let’s assume the XML
message is returned to the user the message will
be:
XXE Mitigation
• In order to protect against XXE attacks you need to make sure you
validate the input received from an untrusted client. In the Java world
you can also instruct your parser to ignore DTD completely, for
example:
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
• if you are not able to completely switch off the DTD support, you can
also instruct the XML parser to ignore external entities, like:
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
false); xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);