OWASP A4

XML External
Entities injection
Presenter

Shantanu Shukla
Technical Manager
Everyone’s fav radio station - WII-FM?

 Twitter & Zomato both have rewarded the hackers who had found vulnerabilities
in their system.
 Zomato rewarded $10100 and Twitter offered
 J.K. Rowling (Author of Harry Potter) announced reward to the hacker who
hacked UK Civil Services account.
 Twitter appointed “Mudge” (hacker) as head of security.

Twitter names famed hacker 'Mudge' as head of security (msn.com)

J.K. Rowling Offers Reward to Hacker Calling PM ‘Arrogant’ | Heavy.com

Definition

 XML external entity injection (also known as XXE) is a web security

vulnerability that allows an attacker to interfere with an application's processing
of XML data. It often allows an attacker to view files on the application server
filesystem, and to interact with any backend or external systems that the
application itself can access.
XML - eXtensible Markup Language
DTD – Document Type Definition

It is a document that defines the structure of an

XML document. It is used to describe the attributes
of the XML language precisely. It can be classified
into two types namely internal DTD and external DTD

Entities : Entity is used to specify special characters. The entity declaration is

 XXE – External XML Entity

XXE or XML External Entity attack is a web application vulnerability that affects a
website which parses unsafe XML that is driven by the user. XXE attack when
performed successfully can disclose local files in the file system of the website. 

User XML Parsed

XML at Rest and
upload/Send without
displayed
XML validation
Types of XXE attacks

 There are four major types of XXE attacks

 Exploiting XXE to retrieve files - An external entity is defined containing the
contents of a file, and returned in the application's response.
 Exploiting XXE to perform SSRF attacks - An external entity is defined based on a
URL to a back-end system.
 Exploiting blind XXE exfiltrate data out-of-band - Sensitive data is transmitted
from the application server to a system that the attacker controls.
 Exploiting blind XXE to retrieve data via error messages - An attacker can trigger a
parsing error message containing sensitive data.
XXE Attack – Finding Vulnerability

o
XXE Attack 2 – Reading Files
XXE Attack 3 – CSRF Attack

 In a CSRF attack, an innocent end

user is tricked by an attacker into
submitting a web request that they
did not intend. This may cause
actions to be performed on the
website that can include inadvertent
client or server data leakage,
change of session state, or
manipulation of an end user's
account
XXE Attack – Denial of Service

 Do something which will cause system to unfunctional / crash

XXE Attack – Billion Laugh Attack
Is my application vulnerable?

 This attack occurs when untrusted XML input containing a reference to an

external entity is processed by a weakly configured XML parser.

 The application accepts XML directly or XML uploads, especially from untrusted
sources, or inserts untrusted data into XML documents, which is then parsed by
an XML processor.

 Any of the XML processors in the application or SOAP based web services has
document type definitions (DTDs) enabled.

 If the application uses SOAP prior to version 1.2, it is likely susceptible to XXE
attacks if XML entities are being passed to the SOAP framework.
 SAST & DAST
Source / Static Code Analysis Tools for
Reviewers Dynamic Application Security Testing

.NET Security Guard .NET, C\#, VB.net

Arachni Most platforms supported
APIsecurity.io Security online tool for OpenAPI / Swagger file
Audit static security analysis GoLismero Windows, Linux and Macintosh
ASP, ASP.NET, C\#, Java, Javascript, Grendel-Scan Windows, Linux and Macintosh
Agnitio Perl, PHP, Python, Ruby, VB.NET, XML
Checkmarx C#.Net/ VB.Net / Javscript
Ride (REST JSON
CodeSec C#.Net/ VB.Net / Javscript Payload fuzzer) Linux / Mac / Windows
Fortify  
Google Vega Windows, Linux and Macintosh
CodeSearchDiggity All code on opensource Windows, Unix/Linux and
Microsoft FxCop .NET, C\#, VB.net Wapiti Macintosh
OWASP Code Crawler .Net / Java Wikto Windows
Security Code Scan .Net Windows, Unix/Linux, and
Zed Attack Proxy Macintosh
How can you protect?
.Net Framework

XML Parser Safe by default?

LINQ to XML Yes The LHS table lists all supported .NET XML
XmlDictionaryReader Yes
parsers and their default safety levels:
XmlDocument
...prior to 4.5.2 No
...in versions 4.5.2+ Yes
XmlNodeReader Yes
XmlReader Yes
XmlTextReader
...prior to 4.5.2 No
...in versions 4.5.2+ Yes
XPathNavigator
...prior to 4.5.2 No
...in versions 4.5.2+ Yes
XslCompiledTransform Yes
Developers

 .Net Devs, Upgrade your project's framework > 4.5.2+. If not possible,avoid
using class XmlDocument, XmlTextReader, XPathNavigator

 Uniface and .Net Devs, whenever possible, use less complex data formats such as
JSON, and avoiding serialization of sensitive data.

 Patch or upgrade all XML processors and libraries in use by the application or on
the underlying operating system. Use dependency checkers. Update SOAP to
SOAP 1.2 or higher.
Developers

 Disable XML external entity and DTD processing in all XML parsers in the
application.

 Verify that XML or XSL file upload functionality validates incoming XML using
XSD validation or similar.

 Code Reviewers - SAST tools can help detect XXE in source code, although
manual code review is the best alternative in large, complex applications with
many integrations.
QA

 Use XXE Payload as demonstrated

 Use DAST tools to identify any vulnerability
Infra

 Virtual patching is the quick development and short-term implementation of a

security policy meant to prevent an exploit from occurring as a result of a newly
discovered vulnerability. A virtual patch is sometimes called a Web application
firewall (WAF).
Questions

This Photo by Unknown Author is lcensed under CC BY-NC-ND

Thank you