Improper neutralization of XML entities ('Xml Entity Injection')
ID        | javascript.xml_entity_injection
Severity  | critical
Resource  | Injection
Language  | JavaScript
Tags      | CWE:611, CWE:776, OWASP:2021:A5, PCI-DSS:6.5.1
Description
The XML External Entity (XXE) vulnerability abuses the Document Type Definition (DTD) feature of XML parsers. An external entity is a DTD construct that pulls content from an external source, such as a local file or a URL, into an XML document. When a parser that resolves such entities processes attacker-controlled XML, it reads the file or queries the service on the attacker's behalf, and the result can end up in the application's output or error messages.
Rationale
An XML External Entity attack targets an application that parses XML input. It occurs when XML containing a reference to an external entity is processed by a weakly configured parser, that is, one that resolves entities and loads external resources instead of rejecting the DTD.
The attack may lead to disclosure of confidential files, denial of service through unbounded entity content or recursive expansion, server-side request forgery and port scanning from the point of view of the machine running the parser, and other impacts on the host. In some environments (for example parsers with protocol handlers that can spawn processes) it can even reach remote command execution.
Some examples of attack payloads follow:
<!--
denial-of-service if the XML processor does not limit
the size of content from external entities
-->
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]>
<foo>&xxe;</foo>
<!-- exfiltrate sensitive files -->
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
Remediation
To remediate XML Entity Injection vulnerabilities, follow these best practices:
- Disable DTDs and external entities. Configure the XML parser so that DTD processing and external entity resolution are off; this removes the attack surface entirely. If the application never needs DTDs, reject any input carrying a DOCTYPE before it reaches the parser. In JavaScript, libxml2-based parsers such as libxmljs only substitute entities when the `noent` option is set and only load external DTDs when `dtdload` is set; leave both at their default (off) and never enable them for untrusted input. Make sure an attempt to use a DTD or an external entity fails with a parse error rather than being silently resolved.
- Validate input. If DTDs or external entities are genuinely required, accept only documents that match the expected structure (for example by validating against a schema), resolve entities only from an allow-list of locations, and cap entity expansion size and depth so that payloads like the /dev/random one above cannot exhaust memory.
- Use a secure parser and keep it updated. Prefer high-level XML libraries that do not process DTDs or external entities by default, and keep them patched so that parser-level fixes are picked up.
Applied together, these measures remove the parser behaviour that XML Entity Injection depends on.
Configuration
The detector has the following configurable parameters:
- sources: the source kinds to check.
- neutralizations: the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
- CWE-611: Improper Restriction of XML External Entity Reference.
- CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion').
- XML External Entity Prevention Cheat Sheet, in the OWASP Cheat Sheet Series.