XML External Entity (XXE) Processing

Many older or poorly configured XML processors evaluate external entity references within XML documents.

Security Assessment

Security_Assessment_XXE

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/CR:H/IR:H/AR:H/MAV:N/ MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

Vulnerability Information

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

Guides

An XXE vulnerability exists when a web application parses XML documents from an untrusted source. If the underlying XML parser accepts DTD an attacker can manipulate the XML document in a way that allows him to read files on the system. The following code snippet shows a malicious XML document that forces the application to read sensitive files on the server.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE credentials [
<!ELEMENT credentials ANY >
<!ELEMENT user ANY >
<!ENTITY user SYSTEM "file:///etc/passwd">]>
<credentials>
<user>&user;</user>
<pass>mypass</pass>
</credentials>

A poorly configured XML parser would read the file which is specified in the DTD and possibly displays it to the attacker. In order to protect your web application from this kind of attacks, you can disable the entity loader for the XML parser as the below snippet shows.

libxml_disable_entity_loader(true);

Additionally, to disabling the entity loader it is recommended to use a local static DTD and remove any other DTD included in the XML document. 

For more information about Crashtest Security visit https://crashtest-security.com/.