How to Prevent XML External Entities?
XXE vulnerabilities, as they are better known, arise when custom-defined XML entities that load content from external sources are parsed by weakly configured XML parsers, and they are extremely dangerous. In 2017, millions of applications, computers, and servers used to develop, test, and analyze Android applications were put at risk by flaws that allowed XML entities with external references to be parsed and read by the XML parser of APKTool.
This article provides a detailed look at XML entities, XXE vulnerabilities, and their prevention.
What are XML and XML Entities?
XML (Extensible Markup Language) is designed and used to represent, store, and share structured information (documentation, data, invoices, transactions, etc.) in a simple, tag-based text format that is both human- and machine-readable.
The declarations that define the structure of an XML document, the data values it may contain, and so on are held in the Document Type Definition (DTD), which is introduced by the DOCTYPE declaration. The DTD can be contained within the document itself, can reference an external file, or can be a mix of both.
In XML documents, an entity is a named unit of content that the parser substitutes wherever the entity is referenced. Entities can be custom-defined in the DTD, and an entity's content can be located outside the document and loaded from an external source such as a local file or a URI. XML inputs that declare entities with such external references are known as XML external entities.
What is an XXE Vulnerability?
XXE vulnerabilities occur when an application accepts XML input that may contain external entities and parses it with a weakly configured XML parser or processor that resolves them, giving attackers immense flexibility and fertile ground to orchestrate XXE attacks.
Why are XML External Entities Dangerous?
Several Kinds of Malicious Activities Are Enabled by XXE Injection Attacks
- Unauthorized access to confidential data, server filesystems, backend/ external systems, etc.
- Data corruption.
- DoS attacks that exhaust network/ server resources and cause website crashes/ downtimes.
- Remote code execution.
- Cross-site forgery that compromises the underlying server/ other backend infrastructure.
- Network attacks.
Flexibility and Extensibility are Double-Edged Swords
Because XML is so flexible and extensible, a sender and a receiver can agree on newly defined XML entities (custom entities, markup symbols, entities with varying values, etc.) and message formats at runtime. However, attackers leverage these very advantages to load custom-crafted XML external entities that serve their malicious motives.
Weakly Configured XML Parsers
XML parsers, especially traditional ones, are typically not designed to verify or check content; they therefore accept all kinds of values and markup in the parsed or resolved entity, including external DTDs. Such a permissive configuration makes several attack vectors possible.
How to Prevent XML External Entities?
Leveraging Automation for Identification of XXE
A majority of XXE vulnerabilities can be identified reliably, swiftly, and accurately by an intelligent, automated, and hassle-free web application scanner backed by Global Threat Intelligence, such as the one offered by AppTrana.
Application Security Testing Performed by Security Experts
Some kinds of XXE, such as blind XXE, file retrievals, and XInclude attacks, are not identified by automated web scanning tools. In such cases, application security testing must be performed manually by certified security experts.
Managed WAF with Custom-Defined Rules
Traditional WAFs are bypassed rather easily by attackers exploiting XXE vulnerabilities in an application. A managed, intuitive, and comprehensive Web Application Firewall that supports customization of policies, such as the one from AppTrana, is essential to preventing XXE attacks.
AppTrana uses signature and behavioral analysis along with other security methodologies to detect and block XXE attack vectors effectively. Equipped with Global Threat Intelligence, it blocks emerging threats automatically. A combination of whitelisting and blacklisting rules ensures that malicious payloads are not executed by the server or application.
Disabling DTD Support
External DTDs are designed to be used by trusted parties. However, they are a legacy feature, and malicious actors often leverage them to attack web applications. Disabling DTD support is an effective way to prevent XXE attacks. When that is not possible, the external entities feature must at least be disabled.
Other measures to prevent XML External Entities
- The XML processors and libraries used in the application must always be patched and kept up to date, in addition to disabling the features that weaken them.
- All file uploads, server-side user inputs, and URLs must be validated and sanitized before they are passed to the XML processor.
- The principle of least privilege must be enforced for server processes.
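As an added example of the input-validation point (not code from the article or from AppTrana), here is a pre-parse screen for uploaded XML in Python. It enforces a size limit and rejects any document carrying a DOCTYPE, decoding the bytes first so that a UTF-16 encoded upload cannot slip a DOCTYPE past a naive byte search. The size limit and the sample documents are constructed; the screen is defence in depth in front of a hardened parser, not a replacement for one.

```python
"""Added example, not from the original article: a pre-parse screen for XML
uploads. The byte limit and all sample documents are constructed."""
import re
from typing import Tuple

MAX_XML_BYTES = 1_000_000  # constructed limit; size it for the application

# Byte-order marks and BOM-less UTF-16 prefixes: the screen decodes before it
# looks for a DOCTYPE, so a UTF-16 upload cannot hide the token from it.
_BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"))
_UTF16_PREFIXES = ((b"<\x00?\x00", "utf-16-le"), (b"\x00<\x00?", "utf-16-be"))
_DECL_ENCODING = re.compile(r'<\?xml[^>]*?\bencoding\s*=\s*["\']([A-Za-z][A-Za-z0-9._-]*)["\']')
_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def decode_xml(data: bytes) -> str:
    """Decode using the BOM, a BOM-less UTF-16 prefix, or the encoding named in
    the XML declaration, defaulting to UTF-8 as XML itself does."""
    for bom, enc in _BOMS:
        if data.startswith(bom):
            return data[len(bom):].decode(enc)
    for prefix, enc in _UTF16_PREFIXES:
        if data.startswith(prefix):
            return data.decode(enc)
    # latin-1 is lossless, so it is safe for merely reading the declaration
    match = _DECL_ENCODING.match(data[:200].decode("latin-1"))
    return data.decode(match.group(1) if match else "utf-8")


def naive_doctype_check(data: bytes) -> bool:
    """The byte-level search many applications start with; misses UTF-16 input."""
    return b"<!DOCTYPE" in data


def screen_xml_input(data: bytes, max_bytes: int = MAX_XML_BYTES) -> Tuple[bool, str]:
    """Return (accepted, reason). Run this before the bytes reach the parser."""
    if len(data) > max_bytes:
        return False, f"rejected: {len(data)} bytes exceeds limit of {max_bytes}"
    try:
        text = decode_xml(data)
    except (UnicodeDecodeError, LookupError) as exc:
        return False, f"rejected: undecodable input ({exc})"
    if _DOCTYPE.search(text):
        return False, "rejected: DOCTYPE is not accepted"
    return True, "accepted"


if __name__ == "__main__":
    sample = b'<?xml version="1.0"?><!DOCTYPE o [<!ENTITY e SYSTEM "PLACEHOLDER_PATH">]><o>&e;</o>'
    print(screen_xml_input(sample))
    print(naive_doctype_check(sample.decode("ascii").encode("utf-16")),
          screen_xml_input(sample.decode("ascii").encode("utf-16")))
```

The UTF-16 case is the one worth remembering: the same document re-encoded in UTF-16 passes a plain `b"<!DOCTYPE" in data` test because every character is interleaved with NUL bytes, while the decoding screen still rejects it. The size limit caps the resource-exhaustion attacks the article lists before the parser ever sees the input.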
XXE vulnerabilities have devastating impacts despite their medium prevalence. Because of the high risks attached, they are placed at #4 in the OWASP Top 10 vulnerabilities list. XML entities with external references, and the XXE vulnerabilities they enable, must be prevented effectively for a stronger security posture and continuous availability of the application.