
XXE: An overlooked threat and how it can be remediated

By: Prashant Nattanmai

Security is hard to get right, and even in today’s security conscious world, there are a few serious vulnerabilities such as XML External Entity (XXE) that are being overlooked and end up becoming the cause for a breach.

XXE attacks

An XML External Entity (XXE) attack exploits a type of vulnerability that is typically found in web applications and allows an attacker to disclose normally protected files from the server or from hosts on its connected network. The XXE vulnerability has been known for more than a decade, but automated tools only started detecting rudimentary cases of it in the recent past. When it is exploited, the damage can be very severe, ranging from information disclosure to denial of service or even remote code execution if everything falls into place.

In this blog, I will explain what an XXE vulnerability is and its exploits, and discuss some remediation guidelines.

What is an XML entity?

XML allows the use of entities. An entity acts as a “value” placeholder for data that will be used within the XML document. Entities help to shrink the entry of recurring information and allow for easier editing. XML has several pre-defined entities that are used to reference special characters such as ‘<’ and ‘&’. XML also allows users to define custom entities.


How does XXE get exploited?

XXE can be exploited in various ways depending on how the application’s XML parser is set up and how the response is rendered on the client side. The vectors of this exploit include the application’s output, backend evaluation of the document and the parser’s external interaction (fetching files or URLs).

Local File Disclosure – Scenario 1

When an application evaluates the vulnerable request and prints the parsed data back to the client, local file disclosure is possible. Given a suitably crafted entity declaration, an improperly configured parser will read the requested file from the server’s file system and return its contents in the response.

Local File Disclosure – Scenario 2

If the requested file does not contain text data, or if its contents are not well-formed XML, a different approach is needed: an external sub-DTD is used to extract these file types, and parameter entities are used instead of general entities.

Local File Disclosure – Scenario 3

When an application evaluates the user input and is able to fetch an external file, but does not print any of the parsed data back to the client, the data has to be extracted by a method known as out-of-band XXE.

Denial of Service

One of the methods of creating a denial of service is “external entity expansion”, where the document references an external XML file. If the XML parser is configured incorrectly, it will make an HTTP request to attackerIP (the attacker-controlled host).

The target file on the attacker’s host can be written so that it contains recursive references to other external entities. Before the XML parser processes the document, it must retrieve all of the defined entities. This can exhaust all available resources and effectively create a denial of service.

Other Exploits

Based on the application and how its XML parser has been configured, XXE can be leveraged to pull off advanced exploits such as:

  • Internal Port Scanning

  • Server Side Request Forgery

  • Remote Code Execution

Where is XXE found commonly?

  • Upload file functionality

  • File export

  • XML based HTTP requests

How to remediate XXE

  • Be aware of your application’s XML library and how it works and disable anything that is not needed

  • Do not allow user-defined DTD, attributes and (external) entities

  • Perform input validation on user data before it is parsed by the XML parser

  • OWASP’s XML External Entity Prevention Cheat Sheet has a detailed description of how to fix XXE for each platform
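The three disclosure scenarios, the entity-expansion denial of service and the “do not allow user-defined DTDs” remediation all hinge on what the DTD declares, so the following added example (not code from the post or from Spirent) inspects user-supplied XML with Python’s standard-library expat bindings without ever resolving an entity, labels the declarations it finds by the attack class described above, and then parses only documents that carry no DTD at all. The sample documents, host name and file path are constructed placeholders.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# Constructed samples (placeholder host/path, not real targets): a SYSTEM entity
# (scenario 1), a parameter entity with an external sub-DTD (scenarios 2/3),
# a short nested-expansion chain (the DoS shape) and a clean document.
FILE_ENTITY = b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///placeholder/path">]><d>&x;</d>'
PARAM_ENTITY = (b'<!DOCTYPE d SYSTEM "http://example.invalid/sub.dtd" '
                b'[<!ENTITY % p SYSTEM "file:///placeholder/path">%p;]><d/>')
EXPANSION = (b'<!DOCTYPE d [<!ENTITY a "lol"><!ENTITY b "&a;&a;&a;">'
             b'<!ENTITY c "&b;&b;&b;">]><d>&c;</d>')
CLEAN = b"<order><id>42</id></order>"


def inspect_dtd(xml_bytes: bytes) -> dict:
    """Record what the DTD declares without resolving anything: parameter-entity
    parsing is off and no ExternalEntityRefHandler is installed, so SYSTEM
    entities are observed but never fetched from disk or the network."""
    found = {"doctype": False, "labels": set()}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        found["doctype"] = True
        if sysid or pubid:
            found["labels"].add("external-dtd")        # sub-DTD fetch (scenarios 2/3)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            found["labels"].add("external-entity")     # file/URL read (scenario 1)
        if is_param:
            found["labels"].add("parameter-entity")    # %p; tricks (scenario 2)
        if value and "&" in value:
            found["labels"].add("entity-expansion")    # nested refs, DoS shape

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # a malformed body still yields whatever DTD it declared
    return found


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Application-side parse that refuses any DTD at all: every scenario in the
    post needs an entity declaration, so rejecting DOCTYPE up front blocks them."""
    if inspect_dtd(xml_bytes)["doctype"]:
        raise ValueError("DTD and entity declarations are not accepted")
    return ET.fromstring(xml_bytes)
```

The labels are what a WAF rule or a request log enrichment would record; the application itself should only ever call safe_parse.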

XXE has been observed more frequently in the recent past compared to SQL-related issues and will continue to be an increasing security risk. Enterprises need to take proactive steps by conducting penetration testing to identify potential points of exploitation in their organization’s web applications.

Learn more about XXE attacks and vulnerabilities

Gain realistic insight into potential XXE attacks and vulnerabilities within your organization’s networks, IoT devices, and web and mobile applications. Download our white paper: XXE: An Overlooked Threat and How It Can Be Remediated Today.

Prashant Nattanmai

Prashant has over five years of experience in web/mobile application security, specializing in manual penetration testing, code review and risk management. At Spirent, Prashant is a senior member of the ethical hacking and security research group Spirent SecurityLabs. Prior to Spirent, Prashant worked as a security consultant at Trustwave and Cenzic, where he performed manual penetration testing and vulnerability scans on hundreds of web/mobile applications and web services using various tools, and worked with several Fortune 100 companies to satisfy their needs. Prashant has also worked as an on-site consultant with a major financial institution to manage 1200+ internet-facing production web applications and trained their team in vulnerability identification, reproduction, remediation and risk management. In addition, Prashant has a Master’s degree in Computer Science and Engineering from Santa Clara University, concentrating in Information Assurance, and has hands-on experience in manual penetration testing, web application security, cloud security, web development, computer software, and systems and network security.