ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY

Notice: Monitoring services will be discontinued from March 31st, 2019.

XXE (XML External Entity attack) is now increasingly being found and reported in most of the major web applications. Although XXE has been around for many years, it never really got as much attention as it deserved. Most XML parsers are vulnerable to it by default, which means it is the responsibility of the developer to make sure that the application is free from this vulnerability.

1) XML external entities

Two systems running on different technologies can communicate and exchange data with one another using XML.
XML documents can contain 'entities', declared within a DOCTYPE header; an entity can be declared using a system identifier, in which case it refers to local or remote content. During XML parsing, a reference to such an external entity is replaced with the respective value. The keyword SYSTEM instructs the parser that the entity value should be read from the URI that follows. This is convenient when the same entity value is used many times. For an example, refer to the request and response bodies below, where the entity bar is given the literal value "World" and expanded where &bar; appears:

Request
POST http://example.com/xml HTTP/1.1
 
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar "World">
]>
<foo>
  Hello &bar;
</foo>

Response
HTTP/1.0 200 OK
 
Hello World

2) XXE attack

With XML entities, the SYSTEM keyword causes an XML parser to read data from a URI and permits it to be substituted into the document. Thus, an attacker can send his own entity declaration and make the application display the result. In simple words, an attacker forces the XML parser to access a resource of the attacker's choosing, which could be a file on the server or on any remote system.

Request
POST http://example.com/xml HTTP/1.1
 
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar SYSTEM
  "file:///etc/lsb-release">
]>
<foo>
  &bar;
</foo>

Response
HTTP/1.0 200 OK
 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS

3) Detect the XXE vulnerabilities

The first step is to identify the endpoints that accept XML as input. Sometimes the endpoints that accept XML are not obvious (for example, when the client uses only JSON to access the service). In these cases, a pen tester has to try different things, such as modifying the HTTP method, the Content-Type header, etc., and observe how the application responds. If the application parses the content as XML, then there is scope for XXE.
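As an added illustration of what the detection step above (and the signature this article is named after) looks for, the following Python is example code written for this article, not the signature's own logic or any vendor's code. It scans constructed HTTP POST request bodies for entity declarations that carry a SYSTEM or PUBLIC identifier, and for a DOCTYPE that pulls in an external DTD. The request builder, the sample bodies and the host names are all constructed for the example.

```python
import re

# Quoted literal as used in DTD declarations: "..." or '...'
QUOTED = r'(?:"[^"]*"|\'[^\']*\')'

# <!ENTITY [%] name SYSTEM "uri">  or  <!ENTITY [%] name PUBLIC "pubid" "uri">
ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+'
    r'(?:SYSTEM\s+(?P<sys>' + QUOTED + r')'
    r'|PUBLIC\s+' + QUOTED + r'\s+(?P<pub>' + QUOTED + r'))',
    re.IGNORECASE,
)

# <!DOCTYPE name SYSTEM "uri"> / PUBLIC ...: the whole DTD is fetched from outside
DOCTYPE_EXTERNAL = re.compile(r'<!DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\s', re.IGNORECASE)


def find_external_entities(body: str) -> list:
    """Return one record per entity declaration whose value comes from a URI."""
    findings = []
    for m in ENTITY_DECL.finditer(body):
        uri = (m.group("sys") or m.group("pub"))[1:-1]   # strip the quotes
        findings.append({
            "entity": m.group("name"),
            "parameter": m.group("param") is not None,   # "% name": parameter entity
            "uri": uri,
            "scheme": uri.split(":", 1)[0].lower() if ":" in uri else "",
        })
    return findings


def inspect_post(raw_request: str) -> dict:
    """Split a raw HTTP request into head and body; only POST bodies are inspected."""
    parts = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) > 1 else "")
    method = head.split(None, 1)[0].upper() if head.strip() else ""
    findings = find_external_entities(body) if method == "POST" else []
    external_dtd = method == "POST" and DOCTYPE_EXTERNAL.search(body) is not None
    return {
        "method": method,
        "findings": findings,
        "alert": bool(findings) or external_dtd,
    }


def build_request(method: str, body: str, content_type: str = "application/xml") -> str:
    """Build a minimal raw HTTP/1.1 request (constructed traffic, not a capture)."""
    data = body.encode("utf-8")
    return (
        f"{method} /xml HTTP/1.1\r\nHost: example.com\r\n"
        f"Content-Type: {content_type}\r\nContent-Length: {len(data)}\r\n\r\n{body}"
    )


# Constructed sample bodies: the first two mirror the article's requests.
SAMPLE_BODIES = {
    "internal_entity": (
        '<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar "World">]>'
        "<foo>Hello &bar;</foo>"
    ),
    "system_entity_file": (
        "<!DOCTYPE foo [<!ELEMENT foo ANY>"
        '<!ENTITY bar SYSTEM\n  "file:///etc/lsb-release">]>'
        "<foo>&bar;</foo>"
    ),
    "parameter_entity_remote": (
        '<!DOCTYPE foo [<!ENTITY % ext SYSTEM "http://dtd.example.invalid/x.dtd"> %ext;]>'
        "<foo/>"
    ),
    "external_dtd": '<!DOCTYPE foo SYSTEM "http://dtd.example.invalid/foo.dtd"><foo/>',
    "no_doctype": "<foo>Hello World</foo>",
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        verdict = inspect_post(build_request("POST", body))
        print(f"{label:25s} alert={verdict['alert']} findings={verdict['findings']}")
```

The internal-entity body from section 1 produces no alert, while the SYSTEM entity from section 2, a parameter entity, and an external DTD reference all do. A body-level match only tells you that a request declared an external entity, not that the server expanded it, which is why the signature is worded as "Possible" XXE; bodies sent in UTF-16, compressed with Content-Encoding, or carrying their declarations in an external DTD are not visible to this kind of inspection, so treat it as one signal and confirm from the parser's side.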

4) After effect

The impact of exploiting this vulnerability can be very serious, as it allows an attacker to read sensitive files present on the server, perform a denial-of-service attack against the server, etc.

5) Prevention

The main problem, as discussed above, is that the XML parser parses untrusted data sent by the user. However, it may not be easy or even possible to validate only the data present within the system identifier in the Document Type Definition (DTD). Most XML parsers are vulnerable to XML external entity attacks (XXE) by default. Therefore, the best solution is to configure the XML processor to use a local static DTD and disallow any DTD declared inside the XML document.
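One way to apply this advice in code, as an added example written for this article rather than taken from it or from any particular product: the Python below uses the standard library's expat bindings to refuse any request body that declares a DOCTYPE or an entity before the document is handed to the application's parser. Rejecting the whole DTD, instead of trying to validate the system identifier inside it, is the trade-off the paragraph describes. The handler names and sample bodies are constructed for the example.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class DTDNotAllowed(ValueError):
    """Raised when the document carries a DOCTYPE or an entity declaration."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-scan with expat and abort as soon as a DTD construct is seen.

    expat reports the DOCTYPE before anything inside it is resolved, so a
    SYSTEM identifier is never dereferenced. Raising inside a handler stops
    the parse, and pyexpat re-raises the exception from Parse().
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDNotAllowed(f"DOCTYPE {name!r} not allowed (system id: {sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DTDNotAllowed(f"entity {name!r} not allowed (system id: {sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Parse untrusted XML only after the DTD check has passed (two passes, on purpose)."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def handle_post_body(xml_bytes: bytes) -> dict:
    """Outcome the endpoint would report: ok, rejected (DTD present), or malformed."""
    try:
        root = safe_parse(xml_bytes)
    except DTDNotAllowed as exc:
        return {"status": "rejected", "reason": str(exc)}
    except (expat.ExpatError, ET.ParseError) as exc:
        return {"status": "malformed", "reason": str(exc)}
    return {"status": "ok", "root": root.tag, "text": (root.text or "").strip()}


# Constructed sample bodies mirroring the article's requests.
SAMPLES = {
    "plain": b"<foo>Hello World</foo>",
    "internal_entity": b'<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar "World">]><foo>Hello &bar;</foo>',
    "system_entity": b'<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar SYSTEM "file:///etc/lsb-release">]><foo>&bar;</foo>',
    "truncated": b"<foo>",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16s} -> {handle_post_body(body)}")
```

The policy is deliberately blunt: the harmless internal entity from section 1 is rejected along with the SYSTEM entity from section 2, because the article's recommendation is to disallow any DTD in the document and supply a local static one if entities are genuinely needed. If the application's real parser is a different library, its own switches must be set as well (for lxml, an `XMLParser(resolve_entities=False, no_network=True)`), since the pre-scan only guards the bytes it was given.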
