XML external entity injection

By
Nash N Sulthan
Published on
19 Mar 2024
4 min read
Vulnerability

An XML external entity attack is an attack against an application that sends an XML input. This attack is countered when an XML input contains a reference to an external entity.

The entity is processed by a weakly configured XML parser. If a server contains a weakly configured XML parser, there is a possibility of XML external entity attack.

The XML external entity attack leads to the disclosure of confidential data, denial of service, server-side request forgery and port scanning.

Example

The code below is a XML resource that cannot be returned.

  <?xml version="1.0" encoding="ISO-8859-1"?> 
  <!DOCTYPE foo [  

  <!ELEMENT foo ANY > 
  <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</f 

What are the impacts of XML external entity (XXE) injection?

When exploited, XXE can have significant impacts on the security and functionality of an application. Here are some of the key impacts of XML External Entity Injection:

1. Information disclosure

XXE attacks can lead to the disclosure of sensitive information such as configuration files, credentials, and data from local files accessible to the server.

2. Data tampering and manipulation

Attackers can modify XML documents by injecting malicious external entities, potentially leading to data corruption, unauthorized data changes, or the introduction of malicious content.

3. Denial of Service (DoS)

Maliciously crafted XXE payloads can lead to resource exhaustion, causing the application to become unresponsive or crash. This can be used as a DoS attack.

4. Server-Side Request Forgery (SSRF)

XXE can be used to make HTTP requests to internal or external services. If the application has access to sensitive internal resources, this can result in SSRF vulnerabilities.

5. Remote Code Execution (RCE)

In some cases, XXE vulnerabilities can be leveraged to execute arbitrary code on the server, leading to full compromise of the application or system.

6. System information leakage

XXE attacks can be used to leak information about the server’s file system, software versions, and directory structures.

7. Data exfiltration

Attackers can exfiltrate data by including external entities that send sensitive information to an attacker-controlled server.

8. Compliance and regulatory issues

Data breaches resulting from XXE attacks can lead to legal and regulatory consequences, including fines and sanctions for non-compliance with data protection laws.

9. Extended attack surface

Attackers may discover additional vulnerabilities or weaknesses in the application because of an XXE attack.

10. Regulatory penalties

Organizations may be subject to fines and penalties for failing to protect sensitive data or for not addressing XXE vulnerabilities in compliance with relevant regulations.

How do you prevent XML external entity injection?

Here are some effective preventive measures and mitigation strategies:

1. Disable External Entity processing

In most cases, the safest approach is to disable the processing of external entities entirely. In Java, for example, you can set the following properties to disable XXE:

  • factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

2. Use a safe XML parser

Employ XML parsers that have built-in protection against XXE vulnerabilities.

For instance, using a parser like javax.xml.transform.sax.SAXTransformerFactory with secure settings can help prevent XXE.

3. Input validation and whitelisting

Validate and sanitize user input to ensure that XML data doesn’t contain external entity references or malicious content.

Implement a strict whitelist of allowable XML elements and attributes, rejecting anything not on the list.

4. Use XML schema validation

Utilize XML Schema (XSD) or Document Type Definitions (DTDs) to validate incoming XML against a predefined structure, which helps to block maliciously crafted XML content.

5. Disable DTD processing

If DTDs are not needed, disable DTD processing altogether. In Java, you can set the feature to disable DTD processing:

  • factory.setFeature(“http://apache.org/xml/features/disallow-doctype-decl”, true);

6. Content Security Policies

Implement content security policies (CSPs) to restrict the sources from which XML content can be loaded.

7. Avoid inclusion of untrusted XML

If possible, avoid including XML from untrusted sources altogether, and use other data exchange formats like JSON or plain text for external data.

8. Patch and update libraries

Keep XML libraries and parsers up to date with security patches. Vulnerabilities may be patched in newer versions.

9. Web Application Firewalls (WAFs)

Consider using WAF to filter and block malicious requests that may contain XXE payloads.

Remember that preventing XXE requires a multi-layered approach, with both technical controls and secure coding practices.

While it’s crucial to implement these measures, staying informed about emerging XXE vulnerabilities and staying up to date with the latest security best practices is equally important to keeping your systems secure.


Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days