Security misconfiguration - XXE detailed

The “XML eXternal Entities” (XXE) vulnerability class is a Security Misconfiguration involving XML parsers. 

The XML specification lets a document declare “entities”, including external entities whose content is loaded from a URI such as a local file path or an HTTP URL. Many parsers resolve external entities by default, so an XML document supplied by an attacker can make the application read local files or fetch URLs on its behalf and disclose the result.

A simple example

Let's look at an example of an XML document that makes use of an external entity:

```xml
<?xml version="1.0" ?>
<!DOCTYPE outerElement [
   <!ENTITY externalEntity SYSTEM  "file:///etc/passwd" > ]>
<outerElement>&externalEntity;</outerElement>
```

First, we declare a document type (‘doctype’) for the root element ‘outerElement’. A DOCTYPE can define the element types that may appear in the document and be handled by the parser; here its internal subset (the part in square brackets) is used only to declare an entity.

Within it, we declare an external entity called ‘externalEntity’. The SYSTEM keyword means its content is to be loaded from the given URI, in this case the file ‘/etc/passwd’.

Following the ‘doctype’ declaration, we have our actual XML data. We define an ‘outerElement’ and inside it place a reference (denoted by the ‘&’ and the closing ‘;’) to the ‘externalEntity’ entity.

When the parser reaches that reference, it looks up the entity declaration, fetches the resource at the declared URI and substitutes its contents in place of ‘&externalEntity;’.

At the end of the parsing process, the application (and, if it echoes the parsed data back, the attacker) sees a document that looks like this:

```xml
<?xml version="1.0" ?>
<outerElement>
    root:x:0:0:root:/root:/usr/bin/zsh
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    ....
</outerElement>
```

Mitigation

Whether you need to do anything, and exactly what, to fully protect against XXE depends heavily on the language, framework, and version thereof.

A given combination may offer a setting that blocks the resolution of local files but still lets the parser fetch HTTP URLs, so an attacker can still use it to reach internal services. Another may disable external entities but keep expanding internal ones, which is enough for an entity-expansion Denial of Service such as the ‘billion laughs’ attack, where a handful of nested entity declarations expand to gigabytes of text. A complete fix disables DTD processing, or at least every form of entity resolution, and is verified against the parser version actually in use.
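To make both the walkthrough above and the mitigation trade-offs concrete, here is an added example (not code from the article) using Python's standard-library SAX parser, which can be told to resolve external general entities through its feature_external_ges switch. It builds the article's payload against a constructed secret file (standing in for /etc/passwd so the demo runs anywhere), then parses it three ways: with external entities resolved, the way a misconfigured parser would; with resolution switched off; and with a lexical handler that rejects any DOCTYPE, which also removes the internal entity declarations that entity-expansion denial of service relies on. The element and entity names come from the article; the secret file, its contents and the helper names are assumptions for the demo.

```python
"""XXE against Python's stdlib SAX parser, and two ways to harden it.

Added example for the article's walkthrough; the secret file, its contents
and all helper names are constructed for the demo, not taken from the page.
"""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data the application would read as the value."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


class DoctypeForbidden(Exception):
    """Raised when a document carries a DOCTYPE and the policy forbids it."""


class RejectDoctype:
    """Minimal lexical handler: any DOCTYPE (and so any entity declaration,
    internal or external) aborts the parse before the content is touched."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeForbidden(f"DOCTYPE '{name}' is not allowed")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def xxe_document(target_uri):
    """The article's payload, with the SYSTEM URI as a parameter."""
    return (
        '<?xml version="1.0" ?>\n'
        "<!DOCTYPE outerElement [\n"
        f'   <!ENTITY externalEntity SYSTEM "{target_uri}" > ]>\n'
        "<outerElement>&externalEntity;</outerElement>\n"
    ).encode()


def parse_text(xml_bytes, external_entities, reject_doctype=False):
    """Parse xml_bytes and return the text found inside <outerElement>."""
    parser = xml.sax.make_parser()
    # feature_external_ges controls resolution of external general entities.
    # Python 3.7.1+ defaults it to False; older releases defaulted to True.
    parser.setFeature(handler.feature_external_ges, external_entities)
    if reject_doctype:
        parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Returns (leaked_text, text_with_entities_off, doctype_was_rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for /etc/passwd so the demo runs anywhere.
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("db_password=hunter2\n")
        doc = xxe_document(Path(secret_path).as_uri())  # file:///.../secret.txt

        leaked = parse_text(doc, external_entities=True)    # misconfigured
        withheld = parse_text(doc, external_entities=False)  # hardened
        try:
            parse_text(doc, external_entities=False, reject_doctype=True)
            rejected = False
        except DoctypeForbidden:
            rejected = True
    return leaked, withheld, rejected


if __name__ == "__main__":
    leaked, withheld, rejected = demo()
    print("external entities on :", repr(leaked))
    print("external entities off:", repr(withheld))
    print("DOCTYPE rejected     :", rejected)
```

Refusing the DOCTYPE outright is the simplest policy for applications that never need a DTD. Where a DTD is required, keep both external general and external parameter entities off (feature_external_ges and feature_external_pes) and treat any remaining internal entity expansion as something that still needs a size bound.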

.NET

If you’re running .NET 4.5.1 or below, the following classes are vulnerable by default:

  • XmlDocument (disable entity resolution with ‘xmlDocument.XmlResolver = null;’)
  • XmlTextReader (disable DTD processing with ‘xmlTextReader.ProhibitDtd = true;’ on .NET 3.5 and earlier; ‘ProhibitDtd’ is obsolete from .NET 4.0, where the equivalent is ‘xmlTextReader.DtdProcessing = DtdProcessing.Prohibit;’)
  • XPathNavigator (it inherits the behaviour of whatever it is created from; construct it from an XmlReader whose XmlReaderSettings set ‘DtdProcessing = DtdProcessing.Prohibit’ and ‘XmlResolver = null’, rather than from an unhardened XmlDocument)

Whichever class you use, close both doors: a null resolver stops the parser fetching anything external, and prohibiting DTDs removes the entity declarations, internal ones included, that entity-expansion attacks depend on.
