OWASP category: MASVS-CODE: Code Quality
Overview
An XML eXternal Entity injection (XXE) is an attack against applications that parse XML input. An XXE attack occurs when untrusted XML input with a reference to an external entity is processed by a weakly configured XML parser. This attack can be used to stage multiple incidents, including denial of service, file system access, or data exfiltration.
Impact
When an application parses an XML document, it can process any DTDs (Document Type Definitions, also known as external entities) contained within the document. An attacker can exploit this behavior by injecting malicious code as DTDs. This code can then access parts of the file system of the device, only accessible to the application and potentially containing sensitive data. Furthermore, this malicious code can make requests from the device, potentially bypassing perimeter security measures.
Lastly, if the application expands DTDs, this can create a situation with multiple iterations of referenced entities, exhausting the resources of the device and leading to a denial of service.
Mitigations
Disable DTDs
The safest way to prevent XXE is to always disable DTDs (external entities) completely. Depending on the parser in use, the method could be similar to the following example for the XML Pull Parser library:
Java
XmlPullParserFactory factory = XmlPullParserFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
Kotlin
val factory = XmlPullParserFactory.newInstance()
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
Disabling DTDs also makes the parser secure against denial of service attacks. If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in a way that's specific to each parser.
Because of the large number of XML parsing engines in the market, the ways to prevent XXE attacks differ from engine to engine. You may need to refer to your engine documentation for more information.
Perform input sanitisation
The application should be reconfigured so that it does not allow users to inject arbitrary code in the XML document's preamble. This has to be verified server-side, as client-side controls can be bypassed.
Use a different library
If the library or method used cannot be configured in a secure manner, a different one should be considered. XML Pull Parser and SAX Parser can both be configured in a secure manner, disallowing DTDs and entities.
Resources
- OWASP XXE
- OWASP XXE Prevention Cheat sheet
- XML Constants: FEATURE_SECURE_PROCESSING
- XML Pull Parser
- SAX Parser