OWASP: XML External Entities Attacks

Isha Kudkar
ShallVhack
Feb 13, 2021

XML external entity injection, also referred to as an XXE attack, is one of the most common security vulnerabilities in web applications, APIs, and microservices. It allows attackers to interfere with an application's processing of XML data.

By performing an XXE injection, attackers can read files on the application server's file system, or interact with any backend or external systems that the application itself can access.

In some cases, attackers can even cause a Denial of Service (DoS), or escalate an XXE attack to compromise the underlying server or other backend infrastructure by leveraging the XXE vulnerability to perform a server-side request forgery (SSRF) attack.

What is XML?

Extensible Markup Language (XML) was originally created for use in publishing, but it has since become a preferred way for many kinds of applications to exchange data with one another, and in many situations it is used in preference to HTML for data interchange. This has made XML an extremely popular format that is implemented in many kinds of web applications, services, and documents, and it enables two systems built on different technologies to communicate and exchange data. For XML data to be interpreted, an application needs some kind of XML parser or XML processor that understands the format, either to convert the data into another format or simply to output the result.

Impact & Risk

XXE vulnerabilities belong to the category of injection attacks, alongside command injection (e.g. injecting shell commands) and SQL injection (injecting SQL database statements). In the case of XXE, the attack targets the XML language itself, which gives an attacker the opportunity to abuse the backend system that is responsible for parsing or interpreting the XML documents the application receives. The external entities vulnerability is also very similar to Local File Inclusion (LFI) and Remote File Inclusion (RFI) exploits, where an attacker can read local system files or have the application dynamically include remote content of the attacker's choosing, such as external files or scripts.

The XXE flaw can allow an attacker to turn the XML parser into a proxy that serves local and remote content on request. In all of these kinds of attacks the root issue is that proper input sanitization has not been performed, which allows the attacker to execute malicious commands on the vulnerable server. In addition, XML "external entities" are typically supported by default, which makes this kind of attack possible in many production environments.

What are XML External Entities?

XML documents can contain "entities" that are defined in the DOCTYPE header and are able to reference remote external systems or local content on the server that hosts the web application and its XML parser. When the web application parses the XML document, the parser replaces each entity reference with the value specified in its declaration. An XML Schema Definition (XSD, the newer mechanism) or a Document Type Definition (DTD, the legacy mechanism) is used to validate XML documents by declaring what kind of document is being defined, so that the parser knows how to process it. The difficulty is that although DTDs are an older, legacy way of defining the kind of document before it is processed, they are still very commonly used by applications and can be the trigger for XXE.

XXE Attack Scenario

Figure: XXE Attack Flow

Attackers take advantage of XML external entities by exploiting the external-resource functionality they provide. In many cases, an XXE vulnerability is also an example of how an attacker can leverage a misconfigured XML parser, essentially turning it into a proxy server, to carry out Server-Side Request Forgery (SSRF) attacks, reach further into the internal network, or connect to external public servers from behind the firewall. An attacker can use XML entity declarations with a SYSTEM identifier to make the parser accept maliciously crafted XML that looks harmless to the firewall and to the application, because the services themselves are not being attacked directly. The figure above shows the attack flow for an XXE vulnerability.

Remediation

XXE attacks can be a serious risk to any organization and may lead to severe consequences. The core vulnerability is that the XML parser processes untrusted data sent by any user, and that data may be malicious. The other main issue is that most XML parsers are vulnerable to XML external entity attacks out of the box, because external entity processing is enabled in their default configuration.

Therefore, the simplest solution is to configure the XML processor to use a local static DTD and to disallow any DTD declared inside the XML document. The simplest and safest way to prevent XXE attacks is to disable Document Type Definitions (DTDs) completely, especially where they are not essential to the application's functionality. Detailed guidance on how to disable XXE processing, or otherwise defend against XXE attacks, is given in the OWASP XML External Entity (XXE) Prevention Cheat Sheet.

  • Whenever possible, use less complex data formats like JSON, and avoid serialization of sensitive data.
  • Patch or upgrade all XML processors and libraries in use by the application or on the underlying OS. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.
  • Implement positive server-side input validation, filtering, or sanitization to stop hostile data within XML documents, headers, or nodes.
  • Verify that XML or XSL file upload functionality checks incoming XML using XSD validation or similar.
  • Static Application Security Testing tools can detect XXE in source code, but manual code review is the best alternative in complex applications with many integrations.
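As an added example (not code from the article or its author), the following Python program implements the first remediation above: before untrusted XML is parsed, it scans the document with the standard library's expat bindings for a DOCTYPE and any entities it declares, without resolving anything, and refuses to parse the document if a DTD is present. The scan also covers the situation the "What are XML External Entities?" section describes, an entity declared in the DOCTYPE header with a SYSTEM identifier pointing at local content. The two sample documents, the placeholder file path in the SYSTEM identifier, and the function and class names are constructed for this illustration.

```python
"""Added example (not from the article): reject DTDs before parsing untrusted XML.

Uses only the Python standard library. The scan never resolves external
entities: no ExternalEntityRefHandler is installed, parameter-entity parsing is
switched off, and the scan stops as soon as the DTD has been read.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Untrusted XML carried a DOCTYPE, which is where XXE entities are declared."""


class _StopScan(Exception):
    """Internal signal: the DTD has been read, nothing else needs scanning."""


def inspect_dtd(data: bytes) -> dict:
    """Return what the document's DOCTYPE declares, without resolving anything.

    Result: {"doctype": <name or None>, "entities": [(name, system_id, public_id), ...]}
    Malformed XML raises expat.ExpatError, which callers should treat as a rejection too.
    """
    report = {"doctype": None, "entities": []}
    parser = expat.ParserCreate()
    # Never expand parameter entities (the mechanism used to pull in an external DTD subset).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype_start(name, system_id, public_id, has_internal_subset):
        report["doctype"] = name

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Record the identifiers only; an external entity has value None and a SYSTEM id.
        report["entities"].append((name, system_id, public_id))

    def on_doctype_end():
        raise _StopScan  # stop before any entity reference in the content is reached

    parser.StartDoctypeDeclHandler = on_doctype_start
    parser.EntityDeclHandler = on_entity_decl
    parser.EndDoctypeDeclHandler = on_doctype_end
    try:
        parser.Parse(data, True)
    except _StopScan:
        pass
    return report


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source; any DOCTYPE at all is rejected."""
    report = inspect_dtd(data)
    if report["doctype"] is not None:
        raise DtdRejected(
            f"DOCTYPE {report['doctype']!r} not allowed; declared entities: {report['entities']}"
        )
    return ET.fromstring(data)


# Constructed sample inputs for this example.
CLEAN = b'<?xml version="1.0"?><order><item sku="A-1">2</item></order>'
# The shape the article describes: an entity declared in the DOCTYPE header whose
# SYSTEM identifier points at local content. The file path is a placeholder.
ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///tmp/placeholder-local-file.txt">]>'
    b'<order><item>&ext;</item></order>'
)

if __name__ == "__main__":
    print(inspect_dtd(CLEAN))                              # {'doctype': None, 'entities': []}
    print(parse_untrusted(CLEAN).find("item").get("sku"))  # A-1
    print(inspect_dtd(ENTITY_DOC))                         # doctype 'order', one entity 'ext'
    try:
        parse_untrusted(ENTITY_DOC)
    except DtdRejected as exc:
        print("rejected:", exc)
```

The scan is deliberately a pre-check rather than a parser option: it works the same regardless of which XML library does the real parsing afterwards, and the report it returns (DOCTYPE name plus declared entity identifiers) is what a defender would want to log when a rejected document arrives.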
