These docs are for v1.1. Click to read the latest docs for v1.2.

XML External Entity Injection

Severity: High
Test name: XML External Entity Injection
Summary

XML External Entity vulnerability allows an attacker to upload an XML file with a reference to an external entity without validation. The attacker exploits weakly configured XML parsers, which process the XML code. The attack can lead to gaining confidential information and even to Remote Code Execution (RCE).

Impact

The vulnerability may expose the application to the following attack vectors:

  • Gain sensitive information
  • Disclose internal content via HTTP(S) requests or launch a CSRF attack to any unprotected internal services
  • Execute a malicious URL, possibly allowing the arbitrary code to be executed under the application account
  • Cause denial of the services (DoS)
Example

Example 1: Accessing a local resource

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE credentials [
    <!ELEMENT credentials (user, password)>
    <!ELEMENT user (#PCDATA)>
    <!ELEMENT password (#PCDATA)>
    <!ENTITY xxe SYSTEM  "file:///etc/passwd" >
]>
<credentials>
    <user>&xxe;</user>
    <password>mypass</password>
</credentials>

Example 2: Remote code execution

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ 
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "expect://id" >
]>
<credentials>
    <user>&xxe;</user>
    <password>mypass</password>
</credentials>
Location

The issue can be found in the source code on the server side.

Remedy suggestions
  1. Disable Document Type Declaration (DTD) completely.
  2. If it is not possible to disable DTD completely, then external entities and external document type declarations must be disabled according to each specific parser.
    • PHP
    libxml_disable_entity_loader(true);
    
    • Java (Xerces)
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    
Classifications
  • CWE-611
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
References