A Guide to XML File Structure & External Entity (XXE) Attacks
Modern forms of markup languages such as HTML, XML and XHTML are mostly used in designing web pages.
XML, which stands for Extensible Markup Language, defines a set of rules for encoding documents in a format that can be read by both humans and machines.1
Learn Secure Coding
XML has some known advantages which makes it a universal and secure language. These advantages include the ability to store data independent of whether a system is software or hardware.
Another advantage of XML is its ability to present and make data available to devices such as smartphones and digital telephone booths. XML supports the consistent encoding and handling of text, allowing most data outputs in any written human language to be presented.
Web technologies have greatly advanced, presenting users with both benefits and vulnerabilities. XML, too, has its fair share. This article will introduce the basic structure of XML and then shed some light on the external entity attack.
XML File Document Structure
The Extensible Markup Language (XML) 1.0 fifth edition, which is a W3C recommendation, states each XML document has a physical and a logical structure.
- Physical structure: The physical structure of the document is made up of storage units called entities. Each entity has a name, content and may refer to other entities to cause their inclusion in the document.
- Logical structure: The logical structure of the document is made up of comments, elements, declaration and processing instruction.
XML File Declaration
Mostly, if used, the first line of an XML file is the declaration. This identifies the document as being XML and allows it to be parsed by the processor — a software module used to read the document.
XML Declaration Syntax
The syntax is: <?xml version="1.0" encoding=" ISO-10646-UCS-4 " standalone="no" ?>
Understanding XML Declaration File Parts
What Is a Document Type Declaration (DTD)?
The document type declaration immediately follows an XML declaration. It checks the validity of the structure of XML documents against some predefined rules of an XML language. It also provides the location of the DTD. The declaration is known as internal when the backbone of an XML document is declared within the XML files and external when the same backbone is declared outside the XML files.
What Does an Internal DTD Look Like?
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE geolocation [
<!ELEMENT geolocation (latitude, longitude, temperature)>
<!ELEMENT latitude (#PCDATA)>
<!ELEMENT longitude (#PCDATA)>
<!ELEMENT temperature (#PCDATA)>
]>
<geolocation>
<latitude>14.5° North</latitude>
<longitude>20.8° West</longitude>
<temperature>39°Celcius</temperature>
</geolocation>
What Does an External DTD Look Like?
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE geolocation SYSTEM "geolocation.dtd">
<geolocation>
<latitude>14.5° North</latitude>
<longitude>20.8° West</longitude>
<temperature>39°Celcius</temperature>
</geolocation>
The content of the DTD file address geolocation.dtd is shown below:
<!ELEMENT geolocation (latitude, longitude, temperature)>
<!ELEMENT latitude (#PCDATA)>
<!ELEMENT longitude (#PCDATA)>
<!ELEMENT temperature (#PCDATA)>
What Is an XML External Entity Attack?
An XML external entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.2
The attack may lead to the exposure of sensitive and confidential data, or access to free or usable TCP/UDP ports.
How Does an XML External Entity Attack Work?
- The attacker prepares an XML message together with a DTD as shown below. This message commonly includes an XXE that reads a locally stored file, for example "/etc/geofile"
- The attacker sends the prepared XML message to the web application on the IP address 192.168.0.2
- The web application processes the incoming XML message. It parses the DTD, resolves the XXE and then deals with the resulting XML
- The web application sends an HTTP response to the attacker at 192.168.0.1. For a successful XXEA, this response must somehow contain the content of the locally stored file, for example, the "/etc/geofile" file.
How Can I Prevent XXE Attacks?
Considering the number of possibilities to mount an external entity attack, its prevention may not be that easy. Continuous training and use of pentesting tools may be a good way to keep developers updated on new attacks. Deploying web application firewalls may also act as an effective way to monitor and prevent these attacks.
This is, for instance, the case for the default Java XML parser. To mitigate XXE attacks, one has to configure the parser as follows:3
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();3
// not important to prevent XXEA
dbf.setNamespaceAware(true);3
// validate document while parsing it.
dbf.setValidating(true);3
// do not expand entity reference nodes
dbf.setExpandEntityReferences(false);3
// validate document against DTD.
dbf.setFeature("http://xml.org/sax/features/validation", true);3
// do not include external general entities
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);3
// do not include external parameter entities or the external DTD subset
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);3
// build the grammar but do not use the default attributes and attribute types information it contains
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);3
// ignore the external DTD completely
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-ext.3
Learn Secure Coding
Conclusion
Leaving settings as default for most XML parsers will expose web applications to XML external entity attacks. This vulnerability can be used to unveil sensitive data and cause denial of service. Performing analysis and sometimes deep inspection of packets may reveal attempts to exploit this vulnerability. A good understanding of XML and the XXE attack will help system administrators protect their applications against this vulnerability.
Sources
- Understanding Compression: Data Compression for Modern Developers By Colt McAnlis, Aleks Haecky
- https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
- https://web-in-security.blogspot.com/2014/11/detecting-and-exploiting-xxe-in-saml.html
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- A Guide to XML File Structure & External Entity (XXE) Attacks
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding