2017 OWASP A4 Update: XML External Entities (XXE)
Extensible Markup Language External Entities (XXE) is currently ranked fourth on OWASP’s 2017 Top Ten list of application security risks. Extensible Markup Language (XML) is a widely used data format. It can be found in:
- HTML
- Windows document files (.docx)
- SVG (scalable vector graphics)
- EXIF image files
Or in various types of web services including:
- SOAP
- XML-RPC
- Rest, etc.
Anything that uses XML requires an XML parser. An XML parser will use either an XML schema definition (XSD) or data type definition (DTD) to validate the correctness of data before processing it. XXE vulnerabilities are often found when DTDs are in use. DTDs are considered legacy items, and as with most legacy items, associated vulnerabilities have increased. DTDs are actually derived from Standard Generalized Markup Language (SGML), which is the predecessor to XML. One example of a DTD is “foo”. In the foo example, any time &bar; is used, it is actually an alias for the word “World”. To illustrate:
The request:
POST http://example.com/xml HTTP/1.1<!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY bar "World"> ]>
<foo>
Hello &bar;
</foo>
The response:
HTTP/1.0 200 OK Hello World
XML entities do not always have to be defined within an XML document. They can also come from external sources. So, subsequently, most XML parsers are configured to process external entities. Bad actors can embed entities within entities within entities, which would potentially create a denial of service attack. This is the basis of an XXE attack.
How Can I Detect XML External Entities?
Analyzing your applications for vulnerabilities should be the initial step in identifying if your application is susceptible to XXE. A manual analysis consists of seeing if your application uses some of the technology known to carry the susceptibility (e.g., SAML, DTD, HTML, etc.). An automated analysis should be performed as well. This can be done by performing source code analysis.
Source code analysis tools, also referred to as static application security testing tools (SAST), help identify XXE vulnerabilities within source code. There are also web scanners that can crawl through a website to pinpoint vulnerabilities. Scanning code is a limited approach, because scanning tools do not always detect this vulnerability. Performing a manual pentest is a great way to detect risks potentially missed by automated tools.
How Can I Prevent XML External Entities?
If your web service is XML based, or directly accepts XML uploads, you are potentially vulnerable to XXE — particularly if those XML uploads originate from an untrusted source. Taking steps to verify XML uploads could potentially stop an XXE attack.
Security assertion markup language (SAML) uses XML when completing identity assertions. So, web applications that use single sign on (SSO) authentication methods, and implement SAML for identity processing, are also at increased risk.
Soap versions prior to 1.2 are also susceptible to XXE attacks. Ensure you are using a current version of Soap.
As with any vulnerability or potential threat, the first step in prevention is education. Training developers will help them understand ways to avoid XXE. Along with training, using SAST tools can help detect XXE vulnerabilities in source code. Manual code review is also useful in discovering the vulnerability. Manual code review can be particularly useful when developing and implementing large and complex applications.
Other ways to prevent XXE include:
- Disabling DTD processing
- Ensure any uploading capabilities validate data
- Implement whitelisting of server-side input validation
- Filter and sanitize data input
- Avoid serialization of sensitive data
- Use JSON or other less complex data formats
- API security gateways
- Web application firewalls (WAFs)
What Does an XML External Entities Attack Look Like?
OWASP has provided three examples of a successful XXE attack.
Scenario 1
This scenario illustrates an attacker attempting to extract data from a server:
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
Scenario 2
This scenario illustrates an attacker probing a server's private network by changing the ENTITY line shown in Scenario 1 to the following:
<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]>
Scenario 3
This scenario illustrates an attacker attempting a denial-of-service attack by including a potentially endless file:
<!ENTITY xxe SYSTEM "file:///dev/random" >]>
Conclusion
XXE vulnerabilities are currently fourth on the latest OWASP list of application security vulnerabilities, suggesting it is still a high-risk threat. Outdated XML parsers aid in creating XXE vulnerabilities. Most older parsers allow DTDs by default, allowing bad actors to upload malicious XML into unsecured applications. It is important to keep developers educated in current security trends, and it is also important to scan source code, either using automated or manual methods. XXE is difficult to avoid, but taking these steps are ways to help minimize the threat.