XML External Entity (XXE)
-Jay Thakker
Associate IS Analyst
XML Basics
• XML is a markup language used for
  - describing data, and
  - carrying data between two nodes.
• Because of this usage it became a standard for exchanging structured data in textual format.
XML Basics
• The format of an XML document is defined either by a Document Type Definition (DTD) or by an XML Schema.
• An XML document is
  - Well formed: if the document adheres to the XML syntax and specification
  - Valid: if the document adheres to the DTD or XML Schema
• A DTD defines the structure and the legal elements and attributes of an XML document; it is declared as <!DOCTYPE name [ inner elements ]>
• With a DTD, independent groups of people can agree on a standard DTD for interchanging data.
XML Basics
(Figure: side-by-side example of Order.dtd and Order.xml; the image itself is not part of the transcript)
XML Basics
• An XML Schema contains the definition of the data structure.
XML Basics
• An XML parser validates the document and checks that it is well formed.
• An XML parser is designed to read XML and give programs a way to use it.
XML Attacks
• Basic architecture of where XML attacks are performed
(Figure: Browser / Back-end application / Browser diagram, annotated with XXE and XML / Fragment Injection as the attack points)
Identification Point of XXE
• Entities in XML
  - Entities are used to define shortcuts to special characters.
  - Entities can be declared internal or external.
• Syntax for defining entities
  - <!ENTITY entity-name "entity-value">
  - <!ENTITY entity-name SYSTEM "URI/URL">
• There are two ways of identifying XXE
  - An input XML parameter is reflected back in the response
  - Parser error messages
Demo
Impact of XXE
• Denial of Service (DoS)
• Remote Code Execution (RCE)
• Cross Site Port Attack (XSPA)
• Cross Site Scripting (XSS)
Mitigation
• The safest way to prevent XXE is always to disable DTDs (external entities) completely. Depending on the parser, the method should be similar to the following:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
• For language- or parser-specific mitigation, refer to the link below.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
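The mitigation line above in a runnable context, as an added example that is not part of the original deck: a JAXP factory with default settings expands the inline entity into the response (the reflection identification point from the earlier slide), while a factory hardened with disallow-doctype-decl rejects the DOCTYPE before any entity is processed. The class name XxeHardening and the sample document are assumptions constructed for this example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Constructed sample document: an inline DTD declares an internal entity that the
    // body references. A parser that honours the DTD expands &company; into its value,
    // which is the "input reflected back in the response" identification point.
    static final String ENTITY_DOC =
        "<!DOCTYPE order [ <!ENTITY company \"Example Corp\"> ]>\n"
        + "<order><customer>&company;</customer></order>";

    // Factory with JDK defaults: DOCTYPE declarations are accepted and entities expanded.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Factory hardened as the slide recommends: refuse any DOCTYPE, and as defence in depth
    // also switch off external entity resolution, external DTD loading and XInclude.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document with the given factory and returns the <customer> text.
    static String parseCustomer(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, SAXException, java.io.IOException {
        DocumentBuilder builder = f.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("customer").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Default parser: the printed customer text is the entity's declared value,
        // i.e. the DTD content was reflected into the parsed output.
        System.out.println("default parser: " + parseCustomer(defaultFactory(), ENTITY_DOC));
        try {
            parseCustomer(hardenedFactory(), ENTITY_DOC);
            System.out.println("hardened parser: unexpectedly accepted the DOCTYPE");
        } catch (SAXException e) {
            // Expected path: the hardened parser rejects the document at the DOCTYPE.
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

The extra features set in hardenedFactory are the defence-in-depth settings from the OWASP cheat sheet the slide links to; disallow-doctype-decl alone is already enough to reject this document.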
Reference links, documents for R&D
• https://www.owasp.org/images/5/5d/XML_Exteral_Entity_Attack.pdf
• https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
• https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
• https://phonexicum.github.io/infosec/xxe.html (WAF bypass and other advanced techniques)
• https://www.vsecurity.com//download/papers/XMLDTDEntityAttacks.pdf
Thank You
