Sunday, January 3, 2016

What is an XML External Entity Attack?

An XML External Entity Attack or XXE Attack is a type of computer security vulnerability found in many web applications. The attack occurs when an XML input that contains a reference to an external entity is processed by a weakly configured XML parser.

Let's discuss this in detail.

XML External Entity or XXE Attack

XML, or Extensible Markup Language, is a format used to describe the structure of a document, such as a web page. An entity in an XML document maps a name to a value. It uses the following syntax:

<!ENTITY entityName "The text you want to appear when the entity is used">

An external entity is declared with a URI. The URI is dereferenced by the XML processor when it processes a reference to the entity.

For example,

<?xml version="1.0" ?>
<!DOCTYPE author_info [
  <!ELEMENT author_info ANY>
  <!ENTITY book SYSTEM "file:///author/book">
]>
<author_info>&book;</author_info>

In the above example, book is an external entity declared with the URI file:///author/book. When the XML is parsed by the XML processor, the reference &book; is replaced with the contents of the file /author/book.

In an XXE attack, the attacker exploits this functionality to perform a DoS attack or to steal sensitive information.

For example,

<?xml version="1.0" ?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar SYSTEM "file:///dev/random">
]>
<foo>&bar;</foo>

In the above example, the URI of the external entity points at a local source (/dev/random) that never reaches end-of-file. As a result, if this XML is processed by a weakly configured XML processor, the processor keeps reading indefinitely and exhausts the resources of the system, resulting in a DoS, or Denial of Service, attack.

In another example,

<?xml version="1.0" ?>
<!DOCTYPE passwd [
  <!ELEMENT passwd ANY>
  <!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<passwd>&passwd;</passwd>

Here, the content of /etc/passwd is substituted for the entity reference &passwd;. If the application later echoes the parsed document back to the attacker, the file contents are disclosed, revealing sensitive information.

Countermeasures for XXE Attack

One should configure the XML processor properly. One effective method of preventing an XXE attack is to configure the XML parser not to allow a DOCTYPE declaration at all. This can be done by setting the “disallow-doctype-decl” feature on the parser.

With this setting, if the input contains a DOCTYPE declaration, parsing stops immediately. No entity can be declared, let alone resolved, so no sensitive information is exposed.

This setting is also preferred because it guards against XML Entity Expansion (XEE) attacks, whose entities are likewise declared inside the DOCTYPE.
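As an added example (not code from the original post), here is a small Python wrapper around the standard-library expat bindings that implements the same policy as disallow-doctype-decl: by default it rejects any DOCTYPE before a single entity is declared, and when a caller explicitly allows a DOCTYPE for inspection it records the URI of every external entity the document tries to pull in without ever fetching it, so documents like the three above can be examined safely. The function names, the DoctypeNotAllowed exception and the sample document are this example's own.

```python
import xml.parsers.expat


class DoctypeNotAllowed(ValueError):
    """Raised when the input carries a DOCTYPE and the caller disallowed it."""


def parse_xml(data, allow_doctype=False):
    """Parse an XML document and return (text, external_refs).

    text          - the character data of the document, concatenated
    external_refs - system identifier (URI) of every external entity the
                    document referenced; none of them is ever opened

    allow_doctype=False (the hardened default) behaves like the
    disallow-doctype-decl feature: any DOCTYPE aborts parsing, so no
    entity, internal or external, can even be declared.
    """
    parser = xml.parsers.expat.ParserCreate()
    text_parts = []
    external_refs = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called as soon as the parser sees <!DOCTYPE ...>; raising here
        # stops parsing before any entity declaration is processed.
        if not allow_doctype:
            raise DoctypeNotAllowed(f"DOCTYPE '{name}' is not allowed")

    def on_external_entity(context, base, system_id, public_id):
        # Called when &name; refers to an external entity. Record the URI
        # for logging and return 1 to continue WITHOUT reading it, so
        # file:///etc/passwd or file:///dev/random is never touched.
        external_refs.append(system_id)
        return 1

    def on_text(chars):
        text_parts.append(chars)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return "".join(text_parts), external_refs


# Constructed sample: the /etc/passwd document from the post, with a bit of
# literal text so the output shows what the parser did and did not expand.
SAMPLE_XXE = """<?xml version="1.0" ?>
<!DOCTYPE passwd [
  <!ELEMENT passwd ANY>
  <!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<passwd>id: &passwd;</passwd>"""


def main():
    # Hardened default: the DOCTYPE itself is rejected.
    try:
        parse_xml(SAMPLE_XXE)
    except DoctypeNotAllowed as err:
        print("rejected:", err)
    # Inspection mode: DOCTYPE allowed, external entities logged, not fetched.
    text, refs = parse_xml(SAMPLE_XXE, allow_doctype=True)
    print("text:", repr(text))          # 'id: ' - the entity was not expanded
    print("external refs:", refs)       # ['file:///etc/passwd']
    print(parse_xml("<a>hello</a>"))    # ('hello', [])


if __name__ == "__main__":
    main()
```

In production you would keep the default and treat every DoctypeNotAllowed as a detection signal worth logging; the inspection mode exists so that a triage script can list which URIs a suspicious document tried to reach without resolving any of them.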

So, beware of various vulnerabilities. And stay safe, stay secured.
