An XML External Entity Attack, or XXE Attack, is a type of computer security vulnerability found in many web applications. The attack occurs when an XML input that contains a reference to an external entity is processed by a weakly configured XML parser.
Let's discuss this in detail.
XML External Entity or XXE Attack
XML, or Extensible Markup Language, is a format used to describe the structure of a document, such as a web page. An entity in an XML document maps a name to a value. It uses the following syntax:
<!ENTITY entityName "The text you want to appear when the entity is used">
An external entity is declared with a URI. The URI is dereferenced by the XML processor when it processes the entity.
For example,
<?xml version="1.0" ?>
<!DOCTYPE book [
<!ELEMENT book ANY>
<!ENTITY book SYSTEM "file:///author/book">
]>
<book>&book;</book>
In the above example, book is an external entity declared with the URI file:///author/book. When the XML is parsed by the XML processor, 'book' will contain the contents of the file /author/book.
In an XXE attack, the attacker exploits this functionality to perform a DoS attack or steal sensitive information.
For example,
<?xml version="1.0" ?>
<!DOCTYPE bar [
<!ELEMENT bar ANY>
<!ENTITY xxe SYSTEM "file:///dev/random">
]>
<bar>&xxe;</bar>
In the above example, the URI of the external entity points to a local device that never returns end-of-file, so the read never completes. As a result, if this XML is processed by a weakly configured XML processor, it will exhaust the resources of the system, resulting in a DoS or Denial of Service Attack.
In another example,
<?xml version="1.0" ?>
<!DOCTYPE passwd [
<!ELEMENT passwd ANY>
<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<passwd>&xxe;</passwd>
Here, the content of /etc/passwd will be stored in xxe, which can later be transferred back to the attacker, thus revealing sensitive information.
Countermeasures for XXE Attack
One should configure the XML processor properly. One effective method of preventing an XXE attack is to configure the XML parser not to allow DOCTYPE declarations at all, since every entity declaration lives inside a DOCTYPE.
This can be done by enabling the "disallow-doctype-decl" feature in the parser (in Xerces-based parsers the full feature name is http://apache.org/xml/features/disallow-doctype-decl).
With this setting, if the input contains a DOCTYPE declaration, parsing stops immediately, before any entity is declared or dereferenced, and the sensitive information is never exposed.
This setting is also preferred because it guards against XEE (XML Entity Expansion) attacks, where nested entity definitions are used to exhaust memory.
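The same "reject any DOCTYPE" countermeasure, implemented here as an added example (not code from the original post) using Python's standard expat parser: a StartDoctypeDeclHandler aborts parsing as soon as a DOCTYPE appears, so neither the /dev/random nor the /etc/passwd entity above is ever declared, let alone fetched. The function names and the sample documents are constructed for this illustration.

```python
import xml.parsers.expat


class DoctypeNotAllowed(ValueError):
    """Raised when the input carries a DOCTYPE declaration."""


def parse_without_doctype(xml_bytes: bytes) -> dict:
    """Parse XML, refusing any DOCTYPE (and therefore any entity declaration).

    Returns {element name: concatenated character data} for the elements seen.
    """
    parser = xml.parsers.expat.ParserCreate()
    collected = {}
    open_elements = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at the start of the DOCTYPE, before its internal subset is read,
        # so no <!ENTITY ...> inside it is ever processed.
        raise DoctypeNotAllowed(f"DOCTYPE {name!r} rejected")

    def on_start(name, attrs):
        open_elements.append(name)
        collected.setdefault(name, "")

    def on_end(name):
        open_elements.pop()

    def on_text(data):
        # expat may deliver text in several chunks; append to the current element.
        if open_elements:
            collected[open_elements[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_bytes, True)  # handler exceptions propagate out of Parse()
    return collected


def rejects_doctype(xml_bytes: bytes) -> bool:
    """True if the guarded parser refused the document because of a DOCTYPE."""
    try:
        parse_without_doctype(xml_bytes)
    except DoctypeNotAllowed:
        return True
    return False


# Constructed samples: the page's file-disclosure payload and a benign document.
XXE_SAMPLE = (b'<?xml version="1.0" ?>\n<!DOCTYPE passwd [\n<!ELEMENT passwd ANY>\n'
              b'<!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n<passwd>&xxe;</passwd>')
BENIGN_SAMPLE = b'<?xml version="1.0" ?><passwd>just text</passwd>'

if __name__ == "__main__":
    print("XXE payload rejected:", rejects_doctype(XXE_SAMPLE))       # True
    print("Benign document parsed:", parse_without_doctype(BENIGN_SAMPLE))
```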
So, beware of various vulnerabilities. And stay safe, stay secured.