What is an XXE (XML External Entity) attack?
Any application that parses XML input can be targeted by an XXE (XML External Entity) attack. A weakly configured XML parser is vulnerable because it processes XML input that contains a reference to an external entity. An XXE attack can leak confidential data, cause a denial of service (DoS), allow port scanning from the machine hosting the parser, and enable server-side request forgery, all with severe impact. XML is a standard, and version 1.0 of that standard defines the term 'entity' as a storage unit of a particular type.
Entities come in several types (parameter, parsed, or external general entity); an external general entity (abbreviated 'external entity') can dereference (access) remote and local content through a system identifier. An XML processor accesses the URL/URI given in the system identifier while processing the external entity. The processor then substitutes the content retrieved through the system identifier at every occurrence of the named external entity. If the data referenced by the system identifier is malicious, the XML processor can reveal confidential information after dereferencing it. Normally this sensitive information would not be exposed by the application, but the attack makes it accessible. Similar external-resource injection attacks are possible wherever external stylesheets, schemas, DTDs (Document Type Definitions) and the like are used.
The attacks can compromise and reveal local files containing sensitive data, such as a user's private data or passwords, by using file schemes or relative paths in the system identifier. An attacker can use the trusted application to pivot to other internal systems, possibly exposing further confidential content, by initiating a CSRF attack against one of the insecure internal services or through HTTP(S) requests.
Some attacks exploit an XML processor library that is susceptible to client-side memory corruption issues. Such a library can be exploited when it accesses a malicious URL/URI, which may lead to arbitrary code execution under the account of that application.
Other attacks target local resources that keep returning data indefinitely, blocking the parser for a period. This affects application availability: many instances/processes/threads become engaged and, because they are never released, the application runs short of them and hangs. An attacker can attack the application even if it returns no response to them; the application is still vulnerable and can reveal secret information. The attacker can also use DNS to exfiltrate data, encoding it in subdomain lookups sent to a DNS server under the attacker's control.
How to recognise XXE vulnerabilities?
The essential yet straightforward answer is to find the endpoints or code paths that require XML input to function. But there are always exceptions. You may see cases where the endpoints that obviously accept XML are not the only entry points for attackers. Consider also situations where the client accesses the services using only JSON. For such cases, a tester needs to validate the application's behaviour by trying various inputs. The application's response can be checked by changing the HTTP method, content type, parameters, etc. If the application parses such malicious inputs without complaint, it is vulnerable to XXE attacks.
A Few Techniques to Prevent XXE Attacks
Now that we know what an XXE attack is and how to identify it, we should also be aware of some techniques to prevent it. XXE is dangerous and has been around for quite some years, but it has gained attention only recently. It is listed in the OWASP Top 10 list of application security risks, which you should be aware of.
Let us look at the techniques you can use to prevent XXE attacks.
- Use simpler data formats such as JSON where possible. Using JSON/PJSON is easier when creating a new service or app; changing or replacing the code of existing applications is a more tedious job. Most microservices and APIs are moving towards JSON/PJSON as an efficient alternative to XML.
- Keeping the security patches of the libraries used by the application up to date is essential. You must make sure that no code or script has broken the application or hampered its functionality; verifying correct operation by running regression tests is crucial.
- Disable XML external entity and DTD processing in all XML parsers of that particular application. But be cautious: first ensure they are not required anywhere else in your app.
- The last solution in this list is to implement whitelist-based filtering, server-side input validation, or sanitisation to reject hostile data inside the XML header, documents, or nodes.
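As an added example (not code from the original article), the following Python snippet, using only the standard library's expat binding, shows the entity substitution described above and a hardened parser for untrusted input that refuses any DOCTYPE and any external entity dereference. All sample documents and the file path in them are constructed placeholders.

```python
import xml.parsers.expat as expat

# Constructed sample documents for this example (not from the original article).
BENIGN = b'<order><item>widget</item><qty>2</qty></order>'
# A DTD that declares an entity used twice: the parser substitutes it at every occurrence.
INTERNAL_ENTITY = (b'<!DOCTYPE note [<!ENTITY company "Acme">]>'
                   b'<note>&company; ships to &company; customers</note>')
# An external entity whose system identifier points at a local file (placeholder path).
EXTERNAL_ENTITY = (b'<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///path/to/secret-placeholder">]>'
                   b'<note>&ext;</note>')


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD or references an external entity."""


def _collect(parser):
    """Attach handlers that gather the root element name and all character data."""
    out = {"root": None, "text": []}

    def start(name, attrs):
        if out["root"] is None:
            out["root"] = name

    parser.StartElementHandler = start
    parser.CharacterDataHandler = out["text"].append
    return out


def parse_default(data: bytes) -> dict:
    """Default expat configuration: entities declared in the DTD are substituted."""
    parser = expat.ParserCreate()
    out = _collect(parser)
    parser.Parse(data, True)
    return {"root": out["root"], "text": "".join(out["text"])}


def parse_untrusted(data: bytes) -> dict:
    """Hardened configuration: refuse any DOCTYPE (so no entity declarations at all,
    which also blocks entity-expansion DoS) and, as defence in depth, refuse to
    dereference any external entity that might still be reached."""
    parser = expat.ParserCreate()
    out = _collect(parser)

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE/DTD is not accepted in untrusted input")

    def refuse_external(context, base, sysid, pubid):
        return 0  # returning 0 makes expat stop with an error instead of fetching sysid

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.ExternalEntityRefHandler = refuse_external
    parser.Parse(data, True)
    return {"root": out["root"], "text": "".join(out["text"])}
```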
Those are the details of XXE (XML External Entity) attacks. We hope you learned from them and that these tips come in handy. If not, getting help from a security expert is always recommended.