A4 xml external entites

Validation 5.2.6 Verify that the application protects against SSRF (Server-Side Request Forgery) attacks, by
validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL
input fields, use whitelisting of protocols, domains, paths and ports (user input for files and
urls should be checked with whitelist access).
X X X
Validation 5.5.2 Verify that the application correctly restricts XML parsers to only use the most restrictive
configuration possible and to ensure that unsafe features such as resolving external entities
are disabled to prevent XXE.
X X X
API 13.1.1 Verify that all application components use the same encodings and parsers to avoid parsing
attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI
attacks.
X X X
API 13.3.1 Verify that XSD schema validation takes place to ensure a properly formed XML document,
followed by validation of each input field before any processing of that data takes place. X X X

XML Basics: Introduction
● 2 types of XML validity:
- well-formed
- valid
● Format of XML document is defined by:
- Document Type Definition (DTD)
- XML Schema
● XML
Technology:
Presentation
Structure
Content
DTD/XSD
XML Doc
XSL

XML Basics: DTD
2 types:
● Internal (Document Type Declaration)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE order [
<!ELEMENT count (#PCDATA)>
<!ELEMENT product (#PCDATA)>
<!ELEMENT order (product, count)>
]>
<order>
<product>1234</product>
<count>1</count>
</order>
● External - Document Type Definition order.dtd
with the data structure definition:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE order SYSTEM "order.dtd">
<order>
<product>1234</product>
<count>1</count>
</order>

XML Basics: Entities
● Internal
<!ENTITY name "value">
<?xml version="1.0"?>
<!DOCTYPE order [
<!ELEMENT name(#PCDATA)>
<!ENTITY name “XXX”>
]>
<order>
<name>&name;</name>
</order>
● External
<!ENTITY current-date SYSTEM
"http://www.getcurrenttime.com/times
tamp.xml">
<!DOCTYPE order [
<!ELEMENT date (timestamp)>
<!ELEMENT timestamp (#PCDATA)>
<!ELEMENT order (date)>
<!ENTITY current-date SYSTEM
"http://www.getcurrenttime.com/timestamp.
xml">
]>
<order>
<date>&current-date;</date>
</order>

XXE Example
Common server request Server vulnerability request

XXE Example
Decompression Bomb
The Billion Laughs Attack
<!DOCTYPE data [
<!ENTITY laugh0 “ha" >
<!ENTITY laugh1 "&laugh0;&laugh0;&laugh0;&laugh0;&laugh0;&laugh0;&laugh0;&laugh0;...........">
<!ENTITY laugh2 "&laugh1;&laugh1;&laugh1;&laugh1;&laugh1;&laugh1;&laugh1;&laugh1;...........">
...
<!ENTITY laugh10 "&laugh9;&laugh9;&laugh9;&laugh9;&laugh9;&laugh9;&laugh9;...................."> ]>
<name>&laugh10;</name>
An attacker can cause the parser to use up lots of memory (Gigabytes) and CPU (90%+
utilization) in a very short period of time known as the Billion Laughs Attack

XXE: Vectors of attack
1. Reading of local files:
<!Entity xxe System “file:///etc/passwd ”>
2. Document Type Definition for remote resource
<!Entity xxe System “http://example.com/test.dtd”>
3. File upload with xxe payload

http://10.2.3.143/bWAPP/xxe-1.php
Upload doc:
https://ac621ff81fe9435b80520b4a00a00069.web-security-academy.net/

Scanning tools
Burp Suite.Upload Scanner
Burp Suite.BurpBounty
SAST Tools
But! In the most cases:
Finding such an XXE vulnerability in a service endpoint using only manual pentesting tricks (as the scanners didn't detect
it)

You can be vulnerable if:
1. An application accepts XML directly or downloads XML from unreliable
sources
2. If the application uses SAML (Security Assertion Markup
Language) for processing, it may be vulnerable (standard based on XML)
3. If the application uses SOAP (Simple Object Access Protocol)
prior to version 1.2, it may be susceptible to XXE attacks if XML
objects are passed to the SOAP structure

Recommendations
1. Use less complex data formats such as JSON whenever possible; avoid serializing
sensitive data
2. Update SOAP 1.2 or higher
3. Use XML parser in application, according to OWASP Cheat Sheet
class CustomUrlResovler : XmlUrlResolver
{
public override Uri ResolveUri(Uri baseUri, string relativeUri)
{
Uri uri = new Uri(baseUri, relativeUri);
if (IsSafeHost(uri.Host))
return null;
return base.ResolveUri(baseUri, relativeUri);
}
private bool IsSafeHost(string host)
{
return false;
}
}
4. SAST tools can help to discover XXE in the source code

Link / Literature
https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.ht
ml
https://stackoverflow.com/questions/14230988/how-to-prevent-xxe-attack-xmldocument-in-net
https://portswigger.net
https://www.owasp.org/images/5/58/XML_Based_Attacks_-_OWASP.pdf

A4 xml external entites

More Related Content

Similar to A4 xml external entites (20)

Recently uploaded (20)

A4 xml external entites