
Security Assessment


Risk (CVSS v3 score, environmental metrics applied)   9.8
Probability (exploitability subscore)                 3.9
Impact (impact subscore)                              5.9

CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H




Vulnerability Information


Many older or poorly configured XML processors evaluate external entity references within XML documents. An attacker who controls such a document can use external entities to disclose internal files via the file:// URI handler, reach internal file shares, scan internal ports, in some processor configurations execute code remotely, and mount denial-of-service attacks.



Guides


An XXE (XML External Entity) vulnerability exists when a web application parses XML documents from an untrusted source. If the underlying XML parser accepts a DTD (document type definition) and resolves the external entities it declares, an attacker can craft the document so that the parser reads files on the server and returns their contents in the parsed result. The following snippet shows a malicious XML document that forces the application to read a sensitive file, here /etc/passwd.

Malicious XML document
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE credentials [
<!ELEMENT credentials ANY >
<!ELEMENT user ANY >
<!-- external general entity: a parser that resolves it fetches the SYSTEM URI -->
<!ENTITY user SYSTEM "file:///etc/passwd">]>
<credentials>
	<!-- the reference below is replaced by the file contents -->
	<user>&user;</user>
	<pass>mypass</pass>
</credentials>

A poorly configured XML parser reads the file named in the DTD, substitutes its contents for &user; and, depending on how the application echoes the parsed data (in a response, an error message or a stored record), hands it to the attacker. To protect a PHP web application from this kind of attack, disable the external entity loader before parsing untrusted input, as the snippet below shows. Note that libxml_disable_entity_loader() is deprecated as of PHP 8.0, because libxml 2.9.0 and later only fetch external entities when the caller passes LIBXML_NOENT or LIBXML_DTDLOAD; on current versions the rule is therefore never to pass those flags (to DOMDocument::loadXML(), simplexml_load_string() or XMLReader) when the document comes from the outside.

Disable Entity Loader (PHP, libxml extension)
// PHP < 8.0: stop libxml from fetching external entities (file://, http://, ...)
libxml_disable_entity_loader(true);

In addition to disabling the entity loader, it is recommended to reject any document that carries its own DTD (in PHP, check DOMDocument::$doctype after loading without LIBXML_NOENT, or refuse input that contains a DOCTYPE declaration) and, where the application genuinely needs a DTD, to validate against a local static copy instead of whatever the document references. Refusing the DTD outright also shuts out internal-entity expansion ("billion laughs") denial-of-service payloads, which disabling the external entity loader alone does not prevent.
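The two configurations side by side, as an added example that is not code from the original guide: the malicious document above is parsed once with the vulnerable LIBXML_NOENT setting and once by a hardened parser that disables the entity loader where that is still possible, passes no entity-substitution flags and rejects any DOCTYPE. It assumes PHP 7.1 or later with the DOM extension on a Unix-like system; the stand-in secret file, the function names and the error messages are this example's own, and the payload's SYSTEM identifier is pointed at that stand-in file so the demo only reads what it created itself.

```php
<?php
// Added example for this guide (not code from the original page): the
// malicious document from above, parsed once by a vulnerable configuration
// and once by a hardened one. Assumes PHP >= 7.1 with the DOM extension on a
// Unix-like system; the file path, function names and messages are our own.
declare(strict_types=1);

// Constructed stand-in for /etc/passwd so the demo touches only its own file.
$secretFile = sys_get_temp_dir() . '/xxe-demo-secret.txt';
file_put_contents($secretFile, "root:x:0:0:root:/root:/bin/bash\n");

// The guide's payload, with the SYSTEM identifier pointing at our stand-in file.
$malicious = <<<XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE credentials [
<!ELEMENT credentials ANY >
<!ELEMENT user ANY >
<!ENTITY user SYSTEM "file://{$secretFile}">]>
<credentials>
    <user>&user;</user>
    <pass>mypass</pass>
</credentials>
XML;

// VULNERABLE: LIBXML_NOENT asks libxml to substitute entity references, and for
// an external entity that means fetching the SYSTEM URI. This works on every
// libxml version, including >= 2.9.0, because the flag is an explicit opt-in.
function parseUserVulnerable(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    $user = $dom->getElementsByTagName('user')->item(0);
    return $user === null ? '' : $user->textContent;
}

// HARDENED: no LIBXML_NOENT / LIBXML_DTDLOAD, the entity loader switched off
// where that is still possible, network access forbidden, and any document
// that carries its own DTD rejected outright.
function parseUserHardened(string $xml): string
{
    if (PHP_VERSION_ID < 80000) {
        // Deprecated in PHP 8.0 because libxml >= 2.9.0 only loads external
        // entities when a caller passes LIBXML_NOENT or LIBXML_DTDLOAD.
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    if ($ok === false) {
        throw new RuntimeException('malformed XML rejected');
    }
    // Without LIBXML_NOENT nothing has been fetched at this point, so checking
    // the parsed document is safe and, unlike a substring match on "<!DOCTYPE",
    // is not fooled by a document in another encoding. Untrusted input never
    // needs its own DTD.
    if ($dom->doctype !== null) {
        throw new RuntimeException('XML with a DOCTYPE declaration rejected');
    }
    $user = $dom->getElementsByTagName('user')->item(0);
    return $user === null ? '' : $user->textContent;
}

// Leaks the contents of $secretFile through the <user> element.
echo 'vulnerable parser returned: ' . trim(parseUserVulnerable($malicious)) . PHP_EOL;

// Refuses the same document before any entity could be resolved.
try {
    parseUserHardened($malicious);
} catch (RuntimeException $e) {
    echo 'hardened parser: ' . $e->getMessage() . PHP_EOL;
}

// Ordinary input without a DTD still parses normally.
echo 'hardened parser on clean input: '
    . parseUserHardened('<credentials><user>alice</user><pass>mypass</pass></credentials>')
    . PHP_EOL;

unlink($secretFile);
```

Run it with php from the command line. The hardened function rejects the DOCTYPE after a parse without entity substitution rather than by scanning the raw bytes, so the same check also catches internal-entity expansion payloads, which carry a DTD but no external reference; applications that must accept a DTD should instead validate against a static local copy and never let the document supply its own.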



Contribute


If you are facing an issue that is not covered in our guides, we are happy to include a solution here. Please send us an e-mail to support@crashtest-security.com.



Crashtest Security


Crashtest Security is a Munich, Germany based start-up that redefines web application vulnerability scans. The Crashtest Security Suite differentiates itself as a fully automated vulnerability scanner enhanced with artificial intelligence, developed for the needs of the agile developer or SecDevOps team. Clear vulnerability insights are provided, as well as contextual, actionable guidance for risk mitigation.



