OWASP Top 10: XML External Entities (XXE) (A4:2017)
Photo by Taylor Vick
This is part of my OWASP Top 10 series covering the top 10 most critical web application security risks. If you've missed any of the previous security risks, check out the intro and overview.
Risk Rating
Threat Agents
|
Exploitability
|
Weakness Prevalence
|
Weakness Detectability
|
Technical Impacts
|
Business Impacts
|
---|---|---|---|---|---|
Application Specific
|
Easy: 3
|
Widespread: 3
|
Easy: 3
|
Severe: 3
|
Business Specific
|
Average: 2
|
Common: 2
|
Average: 2
|
Moderate: 2
|
||
Difficult: 1
|
Uncommon: 1
|
Difficult: 1
|
Minor: 1
|
What are XML External Entities?
An XML external entity injection (XXE) involves an attacker interfering with how an application processes an XML file. The attacker might submit XML code that references an external entity, such as a hard drive. If the application is vulnerable to an XXE attack then its XML parser might be tricked into leaking sensitive data to the attacker.
In XML terminology, an entity is defined as a storage unit of some type. There are different types of entities, but essentially external general/parameter parsed entity (often shortened to external entity) can access local or remote content via a declared system identifier (typically a URI).
The real danger of XXE injections is if an attackers escalates the attack to compromise the underlying server or other aspects of the back-end infrastructure. This could happen, for example, if the attacker uses the XXE vulnerability to perform a server-side request forgery (SSRF) attack.
Examples of XML External Entities
Let's say Mallory visits a website that allows XML files to be uploaded and processed. She uploads the following file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
If the XML parser is susceptible to an XXE injection attack, then it may return the contents of /etc/passwd (a file found on Unix-like systems containing a list of system accounts) to Mallory.
Let's see another example. This time Mallory uploads the following XML file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]>
<foo>&xxe;</foo>
If vulnerable, this injection will probe the web server's private network which may reveal sensitive information to Mallory.
In our final example, Mallory uploads the following XML file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]>
<foo>&xxe;</foo>
On Unix-like systems /dev/random contains an endless supply of random data (designed for pseudorandom number generators). As a result, this XML file may cause a denial-of-service attack.
What's the impact of XML External Entities?
As we saw in our examples, XXE injection attacks can be used to extract sensitive data, execute a remote request from the server, scan internal systems, perform a server-side request forgery (SSRF) attack, carry out a denial-of-service attack, and may other types of attacks.
The impact of these attacks may be the loss of sensitive data, an attacker may carry out identity fraud, sell the data on underground markets, etc.
How to defend against XML External Entities
Try to avoid using XML parsers to process data. Instead use format such as JSON which are more simple and less prone to such vulnerabilities. Also, avoid serialising sensitive data in the first place to reduce risks.
Make sure any XML processors and libraries are patched and updated to mitigate XXE injection attacks. Use dependency checkers and update SOAP to SOAP 1.2. Also, disable the processing of XML external entity and Document Type Definition (DTD).
Essentially, XXE vulnerabilities arise because an application's XML parser allows potentially dangerous features that are neither used nor needed. The easiest way to prevent such XXE attacks is to disable those features.
More on OWASP Top 10
- OWASP Top 10: Intro
- OWASP Top 10: Injection (A1:2017)
- OWASP Top 10: Broken Authentication (A2:2017)
- OWASP Top 10: Sensitive Data Exposure (A3:2017)
- OWASP Top 10: XML External Entities (XXE) (A4:2017)
- OWASP Top 10: Broken Access Control (A5:2017)
- OWASP Top 10: Security Misconfiguration (A6:2017)
- OWASP Top 10: Cross-Site Scripting (XSS) (A7:2017)
- OWASP Top 10: Insecure Deserialisation (A8:2017)
- OWASP Top 10: Using Components with Known Vulnerabilities (A9:2017)
- OWASP Top 10: Insufficient Logging and Monitoring (A10: 2017)
Recent
Top 10 Web App Security Risks
-
OWASP Top 10: Intro
-
OWASP Top 10: Injection (A1:2017)
-
OWASP Top 10: Broken Authentication (A2:2017)
-
OWASP Top 10: Sensitive Data Exposure (A3:2017)
-
OWASP Top 10: XML External Entities (XXE) (A4:2017)
-
OWASP Top 10: Broken Access Control (A5:2017)
-
OWASP Top 10: Security Misconfiguration (A6:2017)
-
OWASP Top 10: Cross-Site Scripting (XSS) (A7:2017)
-
OWASP Top 10: Insecure Deserialisation (A8:2017)
-
OWASP Top 10: Using Components with Known Vulnerabilities (A9:2017)
-
OWASP Top 10: Insufficient Logging and Monitoring (A10: 2017)