Update: The new OWASP Top 10 of 2021 has been proposed, and the new list has moved XXE into the Security Misconfigurations group and ranks as #5.
XXE, one of the vulnerabilities on OWASP‘s Top 10 list, allows attackers to abuse external entities when an XML document is parsed. If this happens, the attacker can read local files on the server, force the parser to make network requests within the local network, or use recursive linking to perform a DoS attack. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series.
The first version of XML was released in 1996, a time when security was not as prioritised as it is today.
XML is a data structure similar to JSON. It contain names of fields and their value. In addition to just storing strings, it can also contain links to other files or resources and this is where the problem arises. When the XML document is parsed, the XML parser will follow the link and read the linked document. Assuming the attacker can see the output of the parsed XML document, this gives them the ability to read local files on the server.
Such an attack is called XXE – XML External Entities, as it abuses those external entities/links.
XML is widely used. In some image files, it holds metadata, but it is also used in PDF documents, among other things. As such, it is not always obvious that an application is parsing XML.
OWASP rates the prevalence of XXE vulnerabilities as medium. It is not the most common OWASP category, but the severance is high which still places it high up on the Top 10 list.
The most common XXE use case is to read local files on the server. This file is then either shown to the attacker directly on the website or sent to a server controlled by them.
As it is possible to not only link local resources but also those hosted online, XXE can lead to SSRF, i.e. forcing the parser to make network requests within the local network. Security within the local network is often much weaker, leading to the possibility of further escalation for the attacker.
Using recursive linking can also lead to DoS, the most common way to do this is called the Billion Laughs Attack. In short, it is possible to force the XML parser to consume all the server’s resources until it crashes.
Two of the founders of Detectify once found this vulnerability on Google. Using Google Toolbars, they were able to upload their own XML document to customise some buttons. The XML parser for this was vulnerable to XXE, so they were able to successfully read local files from one of Google’s production servers.
How to discover
The easiest way to test for this vulnerability is to upload an XML document that tries to read an innocent local file, and see whether it succeeds. This is not enough if there are additional protections to bypass and should therefore not be fully trusted.
A more proper way to do this is to go through the configuration for the XML parser and make sure External Entities are disabled, see more under below under Remediation.
How Detectify can help
XXE is one of the several hundred vulnerability types that Detectify looks for during each web application scan. Run a security scan today and minimize the risk of being vulnerable!
XXE is easy to exploit. All the attacker needs is the ability to upload XML documents that are then parsed. Exploiting the vulnerability does not require much skill beyond this.
When the following XML file is parsed and the result displayed to the user/attacker, it will contain the data of file://etc/passwd. /etc/passwd is a file on Linux systems that contains all the users and in this example, acts as a proof of concept that information can be read from the server.
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>
<foo></foo> is the field that will be used by the web server. In this example the value is a reference to xxe, which in turn points to the file /etc/passwd.
As such, when the server parses this, it will read the content of /etc/passwd and act as if <foo></foo> contains that data.
If you use XML just as simple data storage, it might be possible to switch to a less complex data format, such as JSON, and avoid the risk of being vulnerable to XXE.
If you need the features offered by XML, make sure to patch and upgrade all XML parsers and third-party libraries that use them. As this problem has recently become more widely discussed, later versions often include security improvements.
Completely disable DTDs, i.e. External Entities. This is what those external links are called and they should be disabled if the application does not use the feature. Depending on the parser, this is sometimes disabled by default, but most often it is not.