XML External Entity (XXE) Processing

Many older or poorly configured XML processors evaluate external entity references within XML documents.

Security Assessment


CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

Vulnerability Information

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, to reach internal file shares, to port-scan the internal network, and in some configurations to achieve remote code execution or to mount denial of service attacks.

Guides

An XXE vulnerability exists when a web application parses XML documents from an untrusted source with a parser that accepts a DTD (document type definition). A DTD can declare an external entity whose SYSTEM identifier points at a local file or a URL; if the parser resolves that entity, the referenced content is substituted into the document, so an attacker can read files on the server. The following code snippet shows a malicious XML document that forces the application to read sensitive files on the server.

Snippet xxe1 (malicious XML document): https://github.com/crashtest-security/gist/blob/master/xxe/malicious_xml_document

A poorly configured XML parser reads the file named in the DTD and may return its contents to the attacker in the response. To protect your web application from this kind of attack, disable the entity loader for the XML parser, as the snippet below shows.

Snippet xxe2 (disabling the entity loader): https://github.com/crashtest-security/gist/blob/master/xxe/disable_entity_loader

In addition to disabling the entity loader, it is recommended to use a local, static DTD and to strip or reject any DTD embedded in the incoming XML document. Disabling the external entity loader on its own does not stop attacks that need no external fetch, such as denial of service through nested internal entity expansion ("billion laughs"), so rejecting the DOCTYPE outright is the stronger control wherever the application does not need DTDs. If the parser is PHP's libxml-based one, note that libxml_disable_entity_loader() is deprecated as of PHP 8.0 and that external entity loading has been disabled by default since libxml 2.9.0; configure the individual parser calls (do not pass LIBXML_NOENT or LIBXML_DTDLOAD) rather than relying on the global switch.
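The attack in the first snippet and the hardening in the second, as an added, self-contained example that is not Crashtest Security's code and does not reproduce the linked gists. It assumes Python's standard-library expat bindings rather than whatever parser the gists target: parse_unsafely resolves whatever SYSTEM identifier the attacker's DTD names (the vulnerable behaviour), parse_safely rejects any DOCTYPE and refuses external entities as defence in depth. The "sensitive" file is a constructed temporary file standing in for /etc/passwd, and the function and element names are hypothetical.

```python
import os
import tempfile
import urllib.request
from xml.parsers import expat


def make_secret_file(content: str = "db_password=hunter2\n") -> str:
    """Create a constructed 'sensitive' file standing in for /etc/passwd
    and return its path. The caller removes it when done."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def malicious_xml(target_uri: str) -> bytes:
    """Attacker's document: an inline DTD declares an external entity whose
    SYSTEM identifier points at the file to steal, and element content
    references that entity so the file body lands in the parsed text."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE order [\n"
        f'  <!ENTITY xxe SYSTEM "{target_uri}">\n'
        "]>\n"
        "<order><item>&xxe;</item></order>"
    ).encode()


def parse_unsafely(xml_bytes: bytes) -> str:
    """Vulnerable parser: fetches whatever the DTD points at (file://,
    http://, ...) and splices it into the document. Returns the text
    content, which is where the fetched file ends up."""
    parser = expat.ParserCreate()
    chunks = []

    def fetch_external_entity(context, base, system_id, public_id):
        # The mistake: trusting a SYSTEM identifier taken from untrusted input.
        with urllib.request.urlopen(system_id) as resp:
            payload = resp.read()
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = chunks.append
        child.Parse(payload, True)
        return 1  # tell expat the entity was handled

    parser.CharacterDataHandler = chunks.append
    parser.ExternalEntityRefHandler = fetch_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DTD."""


def parse_safely(xml_bytes: bytes) -> str:
    """Hardened parser: rejects any DOCTYPE (internal or external DTD) up
    front, which also kills internal-entity expansion DoS, and as defence in
    depth refuses to load external entities should one ever be declared."""
    parser = expat.ParserCreate()
    chunks = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DTD not allowed in untrusted XML (DOCTYPE {doctype_name})")

    def refuse_external_entity(context, base, system_id, public_id):
        return 0  # expat turns this into a parse error instead of fetching

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = refuse_external_entity
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def is_rejected(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_safely(xml_bytes)
    except (DoctypeRejected, expat.ExpatError):
        return True
    return False


def demo_xxe(secret: str = "db_password=hunter2\n") -> dict:
    """Run the malicious document through both parsers against a constructed
    secret file and report what each one did."""
    path = make_secret_file(secret)
    try:
        doc = malicious_xml("file://" + path)
        return {
            "leaked": parse_unsafely(doc),
            "rejected": is_rejected(doc),
            "benign": parse_safely(b"<order><item>42</item></order>"),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_xxe())
```

The vulnerable parser hands the file body back as ordinary element text, which is exactly what an application then echoes into its response or error page. The hardened parser fails closed at the DOCTYPE, so the entity declaration is never even read; the ExternalEntityRefHandler returning 0 is the second line of defence for parsers that must accept a DTD.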

For more information about Crashtest Security visit https://crashtest-security.com/.