Preventing OWASP A4 XML External Entities (XXE) in a better way

OWASP A4 XML External Entities
Anat Mazar, Security Champion
Michael Furman, Security Architect
What will we see today?
• Background - XML and XML Entities
• What is an XML External Entities (XXE) attack?
• Preventing an XXE attack in Java
• An even better way ...
About Anat
• 5+ years in software engineering
• ~1 year as Security Champion at Tufin
• www.linkedin.com/in/anat-mazar
• I like to play board games, watch movies and travel
About Michael
• 12+ years in application security
• 6+ years Lead Security Architect at Tufin
• www.linkedin.com/in/furmanmichael/
• ultimatesecpro@gmail.com
• Read my blog https://ultimatesecurity.pro/
• Follow me on twitter @ultimatesecpro
• I like to travel, read books and listen to music
About Tufin
• Market Leader in Security Policy Automation
• Tufin is used by >2000 enterprises
– To segment networks and connect applications
– On-prem networks, firewalls, cloud and K8S
• We are the Security Policy Company!
What is XML?
• eXtensible Markup Language
https://www.w3schools.com/xml/xml_whatis.asp
• Designed to store and transport data
• XML tags are not predefined
What is an XML Entity?
• Defines shortcuts to characters or words
• Can be declared as internal, external, or predefined
• Internal entity declaration:
<!ENTITY entity-name "entity-value">
Usage:
<element>&entity-name;</element>
What is an XML Entity?
• External entity declaration:
<!ENTITY entity-name SYSTEM "system-identifier">
Usage:
<element>&entity-name;</element>
• Predefined entities:
&lt; &gt; &amp; &quot; &apos;
Risks Posed by XML Entities
• An attacker can include potentially hostile content in an XML entity
– Read a local file
– Send data out
Attacking with XML Entities
• What happens during the parsing of the file?
• The parser reads the local file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:////etc/passwd" >]>
<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>
Attacking with XML Entities
• What happens during the parsing of the file?
• The parser executes the remote HTTP call
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://api.geonames.org/timezoneJSON" >]>
<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>
Flow of the attack
• The attack vector: a web application that accepts XML input and parses it
[Diagram: the browser sends "XML with XXE" to the web server; the server's XML parser resolves the external entity and reads /etc/passwd; the file content travels back through the web server to the browser]
Why is an XML Entity Dangerous?
XML entities can be used by an attacker to steal your password file!!
How Dangerous is XXE?
OWASP Top Ten 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring
OWASP A4 – In a Nutshell
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document.
https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)
• The attack can be used to
– extract data
– execute a remote request from the server
– scan internal systems
– perform a denial-of-service attack
– as well as execute other attacks
Preventing an XXE attack
• Disable XML external entity and DTD processing in all XML parsers in the application
• OWASP Cheat Sheet 'XXE Prevention':
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
Preventing an XXE attack in Java
• JAXB Unmarshaller
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
• JAXP DocumentBuilderFactory
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j
Parsing XML - JAXB Unmarshaller
final Unmarshaller unmarshaller = JAXBContext.newInstance(SimpleXmlEntry.class).createUnmarshaller();
final SimpleXmlEntry simpleXmlEntry = (SimpleXmlEntry) unmarshaller.unmarshal(xmlSource);
Preventing XXE Attack - Unmarshaller
• The protection is implemented in the JAXB shipped with Java 8
• But ...
– An old JAXB version (2.2.5 and below) is still vulnerable
– Upgrade JAXB to resolve XXE
Preventing XXE Attack - Unmarshaller
• Configure the Unmarshaller according to
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Unmarshaller
• The prevention protects a single place in the code
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Preventing XXE Attack - Unmarshaller
• Use the preconfigured SafeSource
https://gitlab.com/ultimatesecpro/xxeprotection
• The prevention protects a single place in the code
Source xmlSource = SafeSource.newInstanceFromXmlContent(xml);
final Unmarshaller unmarshaller = JAXBContext.newInstance(SimpleXmlEntry.class).createUnmarshaller();
final SimpleXmlEntry simpleXmlEntry = (SimpleXmlEntry) unmarshaller.unmarshal(xmlSource);
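A complete, runnable version of the pattern the two slides above describe: the cheat sheet's configured SAXParserFactory is wrapped into a Source (the role SafeSource.newInstanceFromXmlContent plays on the slide) and handed to the Unmarshaller, which has no XXE switches of its own. This is an added example, not the deck's code and not the xxeprotection project's code. It assumes the javax.xml.bind JAXB API (bundled with Java 8; a separate dependency on Java 11 and later) and a constructed SimpleXmlEntry stand-in with a single xmlEntry element; the sample documents and the placeholder file path are constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SafeJaxbUnmarshal {

    // Constructed stand-in for the deck's SimpleXmlEntry: <xmlroot><xmlEntry>...</xmlEntry></xmlroot>
    @XmlRootElement(name = "xmlroot")
    public static class SimpleXmlEntry {
        public String xmlEntry;
    }

    // Wrap the XML in a Source whose XMLReader has already been hardened. The Unmarshaller
    // simply uses whatever reader the Source carries, so the reader is where XXE is stopped.
    static Source safeSource(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        // Strictest option: refuse any DOCTYPE at all (drop only if you genuinely need DTDs).
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, and the minimum if DOCTYPEs are ever re-allowed:
        // no external general/parameter entities, no external DTD loading.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    static SimpleXmlEntry unmarshal(String xml) throws Exception {
        Unmarshaller unmarshaller = JAXBContext.newInstance(SimpleXmlEntry.class).createUnmarshaller();
        return (SimpleXmlEntry) unmarshaller.unmarshal(safeSource(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign document and one carrying a DOCTYPE that declares an
        // external entity (placeholder path; the deck's sample points at /etc/passwd).
        String benign = "<?xml version=\"1.0\"?><xmlroot><xmlEntry>hello</xmlEntry></xmlroot>";
        String hostile = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///placeholder/secret.txt\">]>"
            + "<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>";

        System.out.println("benign -> " + unmarshal(benign).xmlEntry);
        try {
            unmarshal(hostile);
            System.out.println("BUG: hostile document was accepted");
        } catch (UnmarshalException e) {
            // Expected: the hardened reader rejects the DOCTYPE before any entity is resolved.
            System.out.println("hostile -> rejected: " + e.getCause());
        }
    }
}
```

The hostile document never reaches entity resolution: disallow-doctype-decl makes the reader raise a SAXParseException at the DOCTYPE, and JAXB surfaces it as an UnmarshalException. If the application must accept DTDs, remove only that one line; the three remaining features are the cheat sheet's minimum for the Unmarshaller.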
Preventing XXE Attack - Unmarshaller
The better way ...
• Add new System Properties in a configuration file:
• The prevention protects all places in a process
-Djavax.xml.bind.context.factory=com.sun.xml.internal.bind.v2.ContextFactory
-Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl
Preventing XXE Attack - Unmarshaller
The better way ...
• Add the file META-INF/services/javax.xml.bind.JAXBContext with the content
com.sun.xml.internal.bind.v2.ContextFactory
• The prevention protects all places in a jar
Parsing XML - JAXP DocumentBuilderFactory
DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes()));
Preventing XXE Attack - DocumentBuilderFactory
• Configure the DocumentBuilderFactory according to
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
• The prevention protects a single place in the code
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);
...
Preventing XXE Attack - DocumentBuilderFactory
• Use SafeDocumentBuilderFactory
https://gitlab.com/ultimatesecpro/xxeprotection
• The prevention protects a single place in the code
DocumentBuilder builder = SafeDocumentBuilderFactory.newInstance().newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes()));
Preventing XXE Attack - DocumentBuilderFactory
The better way ...
• Use SafeDocumentBuilderFactoryImpl
https://gitlab.com/ultimatesecpro/xxeprotection
• Add a new System Property in a configuration file:
• The prevention protects all places in a process
-Djavax.xml.parsers.DocumentBuilderFactory=org.ultimatesecpro.xxeprotection.SafeDocumentBuilderFactoryImpl
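An added example of what a factory registered through the javax.xml.parsers.DocumentBuilderFactory system property has to do so that every plain DocumentBuilderFactory.newInstance() call in the process yields a hardened parser. It is not the deck's SafeDocumentBuilderFactoryImpl and not taken from the xxeprotection project; the package org.example.xxe and the class name are assumptions, and it relies on DocumentBuilderFactory.newDefaultInstance() (Java 9 and later) to reach the JDK's built-in factory without recursing back through the system property. The sample documents and placeholder path in main are constructed.

```java
package org.example.xxe;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.validation.Schema;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Register process-wide with:
//   -Djavax.xml.parsers.DocumentBuilderFactory=org.example.xxe.HardenedDocumentBuilderFactory
public class HardenedDocumentBuilderFactory extends DocumentBuilderFactory {

    // The JDK's own factory, fetched directly: newInstance() would resolve to this class again.
    private final DocumentBuilderFactory delegate = DocumentBuilderFactory.newDefaultInstance();

    @Override
    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        // Carry over the settings a caller made through the base class's concrete setters.
        delegate.setNamespaceAware(isNamespaceAware());
        delegate.setValidating(isValidating());
        delegate.setCoalescing(isCoalescing());
        delegate.setIgnoringComments(isIgnoringComments());
        delegate.setIgnoringElementContentWhitespace(isIgnoringElementContentWhitespace());
        // Hardening is applied last, so a caller cannot switch it back off through this factory.
        delegate.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        delegate.setFeature("http://xml.org/sax/features/external-general-entities", false);
        delegate.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        delegate.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        delegate.setXIncludeAware(false);
        delegate.setExpandEntityReferences(false);
        return delegate.newDocumentBuilder();
    }

    // Abstract and UnsupportedOperation-by-default members are forwarded to the real factory.
    @Override public void setAttribute(String name, Object value) { delegate.setAttribute(name, value); }
    @Override public Object getAttribute(String name) { return delegate.getAttribute(name); }
    @Override public void setFeature(String name, boolean value) throws ParserConfigurationException {
        delegate.setFeature(name, value);
    }
    @Override public boolean getFeature(String name) throws ParserConfigurationException {
        return delegate.getFeature(name);
    }
    @Override public void setSchema(Schema schema) { delegate.setSchema(schema); }
    @Override public Schema getSchema() { return delegate.getSchema(); }
    @Override public void setXIncludeAware(boolean state) { delegate.setXIncludeAware(state); }
    @Override public boolean isXIncludeAware() { return delegate.isXIncludeAware(); }

    public static void main(String[] args) throws Exception {
        // With the -D property above this prints this class's name: plain callers are covered too.
        System.out.println("newInstance() resolves to " + DocumentBuilderFactory.newInstance().getClass().getName());

        DocumentBuilderFactory factory = new HardenedDocumentBuilderFactory();
        // Constructed inputs: a benign document and one whose DOCTYPE declares an external
        // entity (placeholder path; the deck's sample points at /etc/passwd).
        String benign = "<?xml version=\"1.0\"?><xmlroot><xmlEntry>hello</xmlEntry></xmlroot>";
        String hostile = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///placeholder/secret.txt\">]>"
            + "<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>";

        Document doc = factory.newDocumentBuilder()
            .parse(new ByteArrayInputStream(benign.getBytes(StandardCharsets.UTF_8)));
        System.out.println("benign -> " + doc.getDocumentElement().getTextContent());
        try {
            factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(hostile.getBytes(StandardCharsets.UTF_8)));
            System.out.println("BUG: hostile document was accepted");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE itself is rejected, so the SYSTEM identifier is never opened.
            System.out.println("hostile -> rejected: " + e.getMessage());
        }
    }
}
```

The check worth automating is the first print line: run the application with the -D property and assert that newInstance() resolves to the hardened class, since a forgotten property (or a third-party jar that ships its own META-INF/services entry for DocumentBuilderFactory) silently puts the default factory back.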
“I need to use XML Entity”
• Add input validation for each XML entity
– Validate before XML parsing
• Example:
– A message should include only alphanumeric characters
– If not, reject the request
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY message SYSTEM "Wakanda Forever!" >]>
<xmlroot><xmlEntry>&message;</xmlEntry></xmlroot>
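One way to do the pre-parse validation the slide asks for, added here as an example (not the deck's code): the DOCTYPE is located in the raw request body, an external DTD reference is rejected, and the internal subset is accepted only if it consists of nothing but <!ELEMENT ...> declarations and internal entities whose literal value is alphanumeric. The regular expressions and the sample documents are constructed for this illustration; the second sample is the slide's "Wakanda Forever!" message.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class EntityPreCheck {

    // The only DOCTYPE content accepted: <!ELEMENT ...> declarations and internal general
    // entities whose value is alphanumeric (spaces allowed), e.g. <!ENTITY message "Hello World">.
    private static final Pattern INTERNAL_ENTITY =
        Pattern.compile("<!ENTITY\\s+[A-Za-z_][\\w.-]*\\s+\"[A-Za-z0-9 ]*\"\\s*>");
    private static final Pattern ELEMENT_DECL = Pattern.compile("<!ELEMENT\\s+[^>]*>");
    // DOCTYPE header (group 1) and the optional internal subset between [ and ] (group 2);
    // DOTALL because a DTD normally spans several lines.
    private static final Pattern DOCTYPE =
        Pattern.compile("<!DOCTYPE([^\\[>]*)(?:\\[(.*?)\\])?\\s*>", Pattern.DOTALL);

    /** Returns null when the document may be handed to the parser, otherwise the reason to reject it. */
    static String rejectionReason(String xml) {
        Matcher dt = DOCTYPE.matcher(xml);
        if (!dt.find()) {
            return null;                                   // no DTD at all: nothing to validate here
        }
        String header = dt.group(1);
        if (header.contains("SYSTEM") || header.contains("PUBLIC")) {
            return "DOCTYPE references an external DTD";  // e.g. <!DOCTYPE foo SYSTEM "x.dtd">
        }
        String subset = dt.group(2) == null ? "" : dt.group(2);
        // Strip every acceptable declaration; whatever is left over is not allowed.
        // Anything this coarse filter cannot recognise therefore fails closed.
        String leftover = ELEMENT_DECL.matcher(INTERNAL_ENTITY.matcher(subset).replaceAll(""))
            .replaceAll("").trim();
        if (!leftover.isEmpty()) {
            return "disallowed DTD content: " + leftover;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed samples: an alphanumeric internal entity, the slide's SYSTEM entity with a
        // non-alphanumeric value, an external DTD reference, and a document without any DTD.
        String[] samples = {
            "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY message \"Hello World\">]>"
                + "<xmlroot><xmlEntry>&message;</xmlEntry></xmlroot>",
            "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY message SYSTEM \"Wakanda Forever!\" >]>"
                + "<xmlroot><xmlEntry>&message;</xmlEntry></xmlroot>",
            "<?xml version=\"1.0\"?><!DOCTYPE foo SYSTEM \"placeholder.dtd\"><xmlroot/>",
            "<?xml version=\"1.0\"?><xmlroot><xmlEntry>no dtd</xmlEntry></xmlroot>",
        };
        for (String xml : samples) {
            String reason = rejectionReason(xml);
            System.out.println(reason == null ? "accept" : "reject (" + reason + ")");
        }
    }
}
```

This filter complements the hardened parser configuration from the earlier slides rather than replacing it: because the parser behind it still has external entities and DTD loading disabled, a document that slips past the regular expressions gains nothing, and because the filter rejects everything it does not explicitly recognise, ambiguity costs availability rather than confidentiality.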
Sources
• Protection
https://gitlab.com/ultimatesecpro/xxeprotection
• Demo
https://gitlab.com/ultimatesecpro/xxedemo
Summary
• XML External Entities (XXE)
• How XXE can be used to implement an attack
• Solving it each time you parse XML in your code
• The better solution
Solve it once and for all - using system properties
Thank you!
• Contact us
– Anat
www.linkedin.com/in/anat-mazar
– Michael
www.linkedin.com/in/furmanmichael/
ultimatesecpro@gmail.com
https://ultimatesecurity.pro/
@ultimatesecpro
What is OWASP?
• OWASP - Open Web Application Security Project
• Worldwide not-for-profit organization
• Founded in 2001
• Its mission is to make software security visible.
OWASP Top Ten
• Most successful OWASP Project
• A list of the ten most critical web application security attacks
• Released first in 2004
• Released every 3 years
• 2007, 2010, 2013, 2017 (current)

Editor's Notes

  1. Anat
  2. Michael
  3. Anat A Tufin Security Champion is someone who ensures security is ...
  4. Michael Before we begin, a couple of words about me and the company I work for - Tufin. I have many years of experience in software development. Like most of you here today, I particularly like application security. I started to work in this area more than 10 years ago, and enjoy each day I work on it. For the last few years, I have been responsible for the application security of all Tufin products. Recently I have started to write a blog – you are more than welcome to read it. Something personal: I like traveling, reading books and listening to music. I particularly enjoy listening to jazz.
  5. Michael managing some of the largest networks in the world
  6. Anat
  7. Anat
  8. Anat
  9. Talk says ... next few slides will show you HOW XXE is used to steal data
  10. Anat
  11. Who is the attack target
  12. Not to use XML Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
  13. Not to use XML Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
  14. https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration:
  15. https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration: com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl.disableSecurityProcessing
  16. https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration:
  17. https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration:
  18. https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration:
  19. https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration:
  20. https://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl Default:  false 
  21. https://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl Default:  false 
  22. https://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl Default:  false 
  23. The better way. Not listed in the OWASP Cheat Sheet. If you use some 3rd party that parses an XML file, it fixes the XXE vulnerability also. Not possible in the way described in the OWASP Cheat Sheet.
  24. Thank you for participating in my lecture! Please contact me if you need any additional information, or if you want to send me your resume.