XML External Entity Injection

Severity: High
Summary#

Invicti detected a Possible XML External Entity (XXE) injection.

The standard that defines the structure of an XML document also defines 'built-in entities', which can be thought of as predefined variables that store some types of data. Entities are used to present meta characters that have a special meaning in an XML document context (such as <, >, ", =, and &). Instead of using these characters directly in an XML document, we use their entity presentation so as not to break the XML parser. For instance &gt; is used instead of the > character (it is used as an opening tag for an XML element); &quot; is used instead of " (it is used as a delimiter for XML element attributes). If the input contains these special characters and they are added into an XML document, the XML parser cannot determine whether these characters are part of the document structure itself or have been added later. As a result, the XML parser evaluates the characters with their special meaning in an XML document context.

<?xml version="1.0" encoding="UTF-8"?>

<math><information>4&gt;3</information></math>

In addition to those built-in entities, XML also allows us to define and use different types of entities. External Entities is one that can be defined by the user.

External Entities can access local or remote content when they are defined in the XML document via the SYSTEM identifier. The XML processor then replaces occurrences of a named external entity with the contents dereferenced by the SYSTEM identifier. If the SYSTEM identifier contains tainted data and the XML processor dereferences this tainted data, the XML processor may disclose confidential information not normally accessible by the application, or XML parsers may make a request to an internal or external resource.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

<notification><email>&xxe;</email></notification>
Impact#

Using an XXE Injection, an attacker can read files on the server.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

<notification><email>&xxe;</email></notification>

An attacker using an XXE Injection can also then use to make a request to internal or external resources. It can lead the server to SSRF.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://192.168.2.5/server-status"> ]>

<notification><email>&xxe;</email></notification>

Attackers can conduct port scanning either on the server itself or on another resource.

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE data SYSTEM "http://127.0.0.1:21/">

<foo>bar</foo>
Remediation#

Please see the following code snippets for the most used programming languages and libraries:

  • StAX and XMLInputFactory

    Set the javax.xml.stream.isSupportingExternalEntities property to false.
  • .NET 3.5

     

    XmlReaderSettings settings = new XmlReaderSettings();
    settings.ProhibitDtd = true;
    XmlReader reader = XmlReader.Create(stream, settings);
    
  • .NET 4.0

    XmlReaderSettings settings = new XmlReaderSettings();
    settings.DtdProcessing = DtdProcessing.Prohibit;
    XmlReader reader = XmlReader.Create(stream, settings);
    
  • PHP

    libxml_disable_entity_loader(true);
    
OR

Search Vulnerability

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works