External entities can be used to disclose internal files via the file:// URI handler, to reach internal file shares, to perform internal port scanning, and, depending on the parser and platform, to achieve remote code execution or denial of service.
2. XML Basics
XML is a markup language used for:
Describing data.
Carrying data between two nodes.
Because of this usage it became a standard for exchanging structured data in textual format.
3. XML Basics
The format of an XML document is defined either by a Document Type Definition (DTD) or by an XML Schema.
An XML document is:
Well formed: if the document adheres to XML syntax and the XML specification.
Valid: if the document is well formed and also adheres to its DTD or XML Schema.
A DTD defines the structure and the legal elements and attributes of an XML document. It is declared in the document as <!DOCTYPE name [ inner elements ]> (the internal subset) or referenced from an external URI.
With a DTD, independent groups of people can agree on a standard DTD for interchanging data.
5. XML Basics
An XML Schema (XSD) defines the data structure of a document and, unlike a DTD, the data types of its elements and attributes.
6. XML Basics
An XML parser checks that the document is well formed and, if a DTD or schema is supplied, validates it against that definition.
An XML parser reads the XML and exposes it to programs (as a DOM tree, a stream of SAX events, etc.). Whether it processes DTDs and resolves entities is a parser setting, and that setting is what XXE depends on.
7. XML Attacks
Basic architecture of where XML attacks are performed (diagram: Browser -> Back-end application; the XML is parsed on the back end):
XXE
XML / Fragment Injection
8. Identification Point of XXE
Entities in XML
Entities are named placeholders that the parser substitutes wherever &entity-name; appears; they are commonly used as shortcuts for special characters or repeated text.
Entities can be declared internal (the value is given inline) or external (the value is fetched from a URI, which is where XXE comes from).
Syntax for defining entities:
<!ENTITY entity-name "entity-value">
<!ENTITY entity-name SYSTEM "URI/URL">
There are two ways of identifying XXE:
If an input XML parameter is reflected back in the response: declare an entity with a known value, reference it in that parameter, and check whether the expanded value appears in the response.
Parser error messages: verbose errors reveal the parser in use and whether the DOCTYPE and entity declarations were processed.
10. Impact of XXE
Disclosure of local files and internal resources (via the file:// and other URI handlers)
Denial of Service (DoS), e.g. recursive entity expansion
Remote Code Execution (RCE), in specific parser and platform configurations
Cross Site Port Attack (XSPA), i.e. server-side request forgery and internal port scanning through the parser
Cross Site Scripting (XSS), when entity-expanded content is reflected into a page
11. Mitigation
The safest way to prevent XXE is to disable DTDs (DOCTYPE declarations) completely; with no DTD there are no entity declarations, internal or external, so this also removes external entities and entity-expansion DoS.
Depending on the parser, the method should be similar to the following (Java DocumentBuilderFactory, Xerces feature):
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
If DTDs cannot be disabled, external general entities, external parameter entities and external DTD loading must each be disabled individually. For language- or parser-specific mitigation, refer to the OWASP cheat sheet:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
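The following is an added example, not part of the original slides and not code from OWASP, that puts the "reflected in response" identification point (slide 8) and the disable-DTDs mitigation (slide 11) side by side. It is written in Python because it runs with the standard library alone; the Java one-liner above is the equivalent parser switch for Xerces. The toy service, the canary value and the sample requests are all constructed here. One caveat the example makes visible: Python's xml.dom.minidom does expand internal entities (so the canary probe gives a positive result) but silently substitutes nothing for external entities, so the file-disclosure payload yields an empty name rather than file contents; a parser with external entities enabled would return the file.

```python
"""XXE identification probe and DOCTYPE-rejecting guard (added example).

Everything below is constructed for illustration: the echo service stands in
for a real back end that reflects an XML parameter, the canary is an arbitrary
marker, and the payloads are the classic textbook shapes.
"""
import re
from xml.dom import minidom
from xml.parsers.expat import ExpatError


def _text(node) -> str:
    """Concatenate the direct text children of a DOM node ("" if none)."""
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


# --- Constructed back end: parses the request and reflects <name> ---------
def vulnerable_greet(xml_body: str) -> str:
    """Parses with DTD processing left at the parser default and echoes <name>."""
    doc = minidom.parseString(xml_body)
    return "Hello, " + _text(doc.getElementsByTagName("name")[0])


# --- Mitigation: refuse any DOCTYPE before the parser sees it --------------
# Same intent as Xerces' disallow-doctype-decl: no DTD, no entity declarations.
# The check runs on decoded text, not raw bytes, so a UTF-16 body cannot slip
# past it; XML requires the literal uppercase DOCTYPE, IGNORECASE is belt and braces.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def has_doctype(xml_body: str) -> bool:
    return _DOCTYPE_RE.search(xml_body) is not None


def hardened_greet(xml_body: str) -> str:
    """Rejects DOCTYPE and hides parser errors behind a generic message."""
    try:
        if has_doctype(xml_body):
            raise ValueError("DOCTYPE declarations are not accepted")
        return vulnerable_greet(xml_body)
    except (ValueError, ExpatError, IndexError):
        # Detailed parser errors are themselves an XXE identification signal,
        # so the hardened service returns one generic message for all failures.
        return "invalid request"


# --- Tester's side: the reflection probe -----------------------------------
CANARY = "xxe-canary-7f3a"  # constructed marker, any unlikely string works


def build_probe(canary: str) -> str:
    """Internal entity only: harmless, but expansion proves DTDs are processed."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE greeting [<!ENTITY probe "{canary}">]>'
        "<greeting><name>&probe;</name></greeting>"
    )


def entities_are_expanded(service, canary: str = CANARY) -> bool:
    """True if the service reflects the expanded canary: try external entities next."""
    try:
        return canary in service(build_probe(canary))
    except Exception:
        # A crash or parser error here is the second identification signal
        # (error messages), but it is not evidence of entity expansion.
        return False


# The payload that follows a positive probe.  Against minidom the external
# entity expands to nothing; against a parser with external entities enabled
# the response would carry the file contents.
FILE_DISCLOSURE_PAYLOAD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE greeting [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<greeting><name>&xxe;</name></greeting>"
)

BENIGN_REQUEST = "<greeting><name>Alice</name></greeting>"


if __name__ == "__main__":
    for label, svc in (("vulnerable", vulnerable_greet), ("hardened", hardened_greet)):
        print(f"{label}: benign -> {svc(BENIGN_REQUEST)!r}")
        print(f"{label}: entities expanded? {entities_are_expanded(svc)}")
        print(f"{label}: file payload -> {svc(FILE_DISCLOSURE_PAYLOAD)!r}")
```

The probe deliberately uses an internal entity: it cannot hurt the target, and a positive result tells the tester that the DOCTYPE is parsed and entities are substituted, which is the precondition for every payload in the impact list. The guard is a pre-parse check because the standard-library DOM parser exposes no documented switch equivalent to disallow-doctype-decl; where the library has such a switch (as in the Java line above), use that instead of, or in addition to, string matching.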
12. Reference links and documents for R&D
https://www.owasp.org/images/5/5d/XML_Exteral_Entity_Attack.pdf
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
https://phonexicum.github.io/infosec/xxe.html (WAF bypass and other advanced techniques)
https://www.vsecurity.com//download/papers/XMLDTDEntityAttacks.pdf