Custom-defined XML entities that are loaded from an external source and resolved by a weakly configured XML parser give rise to what are better known as XXE vulnerabilities, and they are extremely dangerous. In 2017, millions of applications, computers, and servers used to develop, test, and analyze Android applications were put at risk by flaws that allowed XML entities with external references to be parsed and read by APKTool's XML parser.
This article provides a detailed look at XML entities, XXE vulnerabilities, and how to prevent them.
XML, or Extensible Markup Language, is designed to represent, store, and share structured information (documentation, data, invoices, transactions, etc.) in a simple text-based tag format that is both human- and machine-readable.
The declarations that define the structure of an XML document, the values of the entities it uses, and so on are contained in the Document Type Definition (DTD), which is introduced by the DOCTYPE declaration. The DTD can be contained within the document itself, refer to an external file, or mix both.
XML documents use entities, a feature of the XML specification, to stand in for pieces of data. Entities can be custom-defined, and their content can be located outside the DTD and loaded from external sources such as local files or URIs. Entities with such external references are known as XML external entities.
XXE vulnerabilities occur when an application accepts XML that declares external entities and hands it to a weakly configured XML parser/processor, giving attackers great flexibility and fertile ground for XXE attacks.
Because XML is so flexible and extensible, a sender and receiver can agree on newly defined entities (custom entities, markup symbols, entities with varying values, etc.) and message formats at runtime. Attackers leverage these very advantages to load custom-crafted XML external entities that serve their malicious aims.
Typically, XML parsers (especially traditional ones) are not designed to verify or check content, so they allow all kinds of values and markup in the parsed/resolved entity, including an external DTD. Such a misconfiguration makes several attack vectors possible.
A majority of XXE vulnerabilities can be identified reliably, swiftly, and accurately by an intelligent, automated, hassle-free web application scanner backed by Global Threat Intelligence, such as the one offered by AppTrana.
Some kinds of XXE, such as blind XXE, file retrievals, and XInclude attacks, are not identified by automated web scanning tools. In such cases, application security testing must be performed manually by certified security experts.
Attackers exploiting XXE vulnerabilities in an application bypass traditional WAFs rather easily. A managed, intuitive, and comprehensive Web Application Firewall that supports customization of policies, such as the one from AppTrana, is essential in preventing XXE attacks.
AppTrana uses signature and behavioral analysis along with other security methodologies to detect and block XXE attack vectors effectively. Equipped with Global Threat Intelligence, it automatically blocks emerging threats. A combination of whitelisting and blacklisting rules ensures that malicious payloads are not executed by the server or application.
External DTDs are designed to be used by trusted parties. However, they are a legacy feature and are often leveraged by malicious actors to attack web applications. Disabling DTD processing altogether is an effective way to prevent XXE attacks; when that is not possible, at least the external entities feature must be disabled.
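One way to apply that advice in code, as an added example that is not from the original post or from AppTrana: a Python wrapper around the standard library's xml.sax parser that switches off external general and parameter entities and refuses any DOCTYPE outright, checked against a constructed benign document and a constructed document that declares an external entity (the file path in it is a placeholder).

```python
import io
import xml.sax
from xml.sax.handler import (feature_external_ges, feature_external_pes,
                             property_lexical_handler)

class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and hence a DTD)."""

class _DtdGuard:
    """Lexical handler: expat calls startDTD as soon as it sees <!DOCTYPE>, before
    any entity is declared or resolved, so raising here disables DTDs outright."""
    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in untrusted input")
    # the other lexical callbacks expat may invoke are no-ops
    endDTD = comment = startCDATA = endCDATA = lambda self, *args: None

class _TextCollector(xml.sax.ContentHandler):
    """Gathers character data so callers can see what the parser produced."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def characters(self, content):
        self.chunks.append(content)

def parse_untrusted(xml_bytes):
    """Parse untrusted XML with DTDs and external entities off; return its text."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    parser.setProperty(property_lexical_handler, _DtdGuard())  # refuse any DOCTYPE
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)

def rejects_dtd(xml_bytes):
    """True if the hardened parser refuses the document because it has a DTD."""
    try:
        parse_untrusted(xml_bytes)
    except DoctypeRejected:
        return True
    return False

# Constructed samples: a benign order, and one whose DTD declares an external
# entity pointing at a placeholder path (never opened: the DOCTYPE is refused).
SAFE_DOC = b"<order><item>widget</item><qty>2</qty></order>"
XXE_DOC = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>\n'
           b"<order><item>&ext;</item></order>")
```

Because the DOCTYPE is refused before the parser reaches the entity declaration, the referenced path is never opened, which is the "disable DTD" mitigation rather than the weaker "disable external entities only" fallback.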
Conclusion
XXE vulnerabilities have devastating impacts despite their medium prevalence. Because of the high risk attached, they have been placed at #4 in the OWASP Top 10 vulnerabilities list. XML entities with external references, and the XXE vulnerabilities they enable, must be effectively prevented for a stronger security posture and continuous availability of the application.
This post was last modified on July 28, 2023 15:57