XML External Entity (XXE)

External entities can be used to disclose internal files via the file URI handler, reach internal file shares, perform internal port scanning, and lead to remote code execution and denial of service.
  • 1. XML External Entity (XXE) - Jay Thakker, Associate IS Analyst
  • 2. XML Basics
      • XML is a markup language used for describing data and for carrying data between two nodes.
      • Because of this usage it became a standard for exchanging structured data in textual format.
  • 3. XML Basics
      • The format of an XML document is defined either by a Document Type Definition (DTD) or by an XML Schema.
      • An XML document is:
          • Well formed: if the document adheres to the XML syntax and specification.
          • Valid: if the document adheres to its DTD or XML Schema.
      • A DTD defines the structure and the legal elements and attributes of an XML document; it is declared as <!DOCTYPE name [ inner elements ]>.
      • With a DTD, independent groups of people can agree on a standard DTD for interchanging data.
  • 4. XML Basics (slide shows two example files as figures: Order.dtd and Order.xml)
  • 5. XML Basics
      • An XML Schema contains the definition of the data structure.
  • 6. XML Basics
      • XML parsers validate the document and check that it is well formed.
      • An XML parser is designed to read the XML and create a way for programs to use it.
  • 7. XML Attacks (slide shows a diagram of the basic architecture where XML attacks are performed: a browser sends XML to a back-end application; the attack points are labelled XXE and XML / Fragment Injection)
  • 8. Identification Point of XXE
      • Entities in XML: entities are used to define shortcuts to special characters.
      • Entities can be declared internal or external.
      • Syntax for defining entities:
          • Internal: <!ENTITY entity-name "entity-value">
          • External: <!ENTITY entity-name SYSTEM "URI/URL">
      • There are two ways of identifying XXE:
          • An input XML parameter is reflected back in the response.
          • Parser error messages.
  • 9. Demo
  • 10. Impact of XXE
      • Denial of Service (DoS)
      • Remote Code Execution (RCE)
      • Cross Site Port Attack (XSPA)
      • Cross Site Scripting (XSS)
  • 11. Mitigation
      • The safest way to prevent XXE is always to disable DTDs (and with them external entities) completely. Depending on the parser, the method should be similar to the following:
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      • For language- or parser-specific mitigation, refer to http://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
  • 12. Reference links and documents for R&D
      • http://www.owasp.org/images/5/5d/XML_Exteral_Entity_Attack.pdf
      • http://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
      • http://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
      • http://phonexicum.github.io/infosec/xxe.html (WAF bypass and other advanced techniques)
      • http://www.vsecurity.com//download/papers/XMLDTDEntityAttacks.pdf
  • 13. Thank You
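The entity syntax from slide 8 and the "disable DTDs" mitigation from slide 11, as an added Python example that is not part of the deck. The slide's snippet is Java (DocumentBuilderFactory); this example applies the same policy with Python's standard-library expat parser, so that a DOCTYPE declaration aborts parsing before any entity it declares can be expanded. The two order documents are constructed stand-ins for the Order.xml the slides mention (not the deck's files), the entity names "vendor" and "notes" are mine, and "order-notes.txt" is a placeholder URI that is never fetched. The `inspect_dtd` helper covers the identification side: it reports what a rejected document declared, flagging external (SYSTEM/PUBLIC) entities, without expanding anything.

```python
import xml.parsers.expat

# Constructed sample (not the deck's Order.xml): a plain order with no DOCTYPE.
ORDER_XML = b"""<?xml version="1.0"?>
<order id="1001"><item sku="A-1" qty="2"/><customer>Alice</customer></order>"""

# Constructed sample: the same order carrying an internal DTD.  It declares one
# internal entity and one external entity using the two syntaxes from slide 8;
# "order-notes.txt" is a placeholder URI and nothing is fetched from it here.
ORDER_WITH_DTD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY vendor "Acme Supplies">
  <!ENTITY notes SYSTEM "order-notes.txt">
]>
<order id="1002"><item sku="B-7" qty="1"/><customer>&vendor;</customer></order>"""


class DoctypeNotAllowed(ValueError):
    """Raised when the input carries a DOCTYPE and therefore may declare entities."""


def parse_text_nodes(xml_bytes, allow_doctype=False):
    """Parse XML with expat and return the text content of its elements.

    With allow_doctype=False (the default) the DOCTYPE declaration aborts the
    parse before any entity declared in it can be defined or expanded, which
    is the same policy as the Java 'disallow-doctype-decl' feature on slide 11.
    """
    parser = xml.parsers.expat.ParserCreate()
    collected, buf = [], []

    def flush():
        text = "".join(buf).strip()
        buf.clear()
        if text:
            collected.append(text)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise DoctypeNotAllowed("DOCTYPE %r rejected: DTDs are disabled" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: flush()
    parser.EndElementHandler = lambda name: flush()
    parser.CharacterDataHandler = buf.append
    parser.Parse(xml_bytes, True)
    return collected


def accepts(xml_bytes):
    """True if the hardened parser accepts the document, False if it rejects a DTD."""
    try:
        parse_text_nodes(xml_bytes)
        return True
    except DoctypeNotAllowed:
        return False


def inspect_dtd(xml_bytes):
    """Report what a document's DTD declares without expanding anything.

    For the identification side of slide 8: when a document is rejected, log
    its doctype name and every declared entity, flagging the external ones
    (declared with SYSTEM or PUBLIC), which are the ones XXE relies on.
    """
    parser = xml.parsers.expat.ParserCreate()
    report = {"doctype": None, "entities": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = name

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        report["entities"].append({
            "name": name,
            "external": sysid is not None or pubid is not None,
            "system_id": sysid,
        })

    # Installing a DefaultHandler makes expat stop expanding internal entities,
    # so inspecting a document never substitutes entity text into it.
    parser.DefaultHandler = lambda data: None
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)
    return report


if __name__ == "__main__":
    for label, doc in (("plain order", ORDER_XML), ("order with DTD", ORDER_WITH_DTD_XML)):
        print(label, "accepted" if accepts(doc) else "rejected", inspect_dtd(doc))
```

Running the block shows the plain order accepted with its text extracted, and the DTD-bearing order rejected at the DOCTYPE, with the inspection report listing "vendor" as internal and "notes" as external. Passing allow_doctype=True to parse_text_nodes shows why the default matters: the parser then silently substitutes the entity value into the customer field.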