An XXE attack is a type of cyberattack that targets an application that parses XML input. It takes advantage of a feature of XML parsers that is rarely used but widely available. Attackers use XXE (XML External Entity) to cause denial of service (DoS); it can also lead to the collection of remote and local content and services. In simple terms, an XXE attack is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It is a dangerous attack that is capable of destroying any organization, large or small, so to make sure that our security is up to the mark we can make use of ThreatScan, a product developed by Cyber Security Hive that has successfully kept organizations safe from XXE attacks. With ThreatScan's automated engine and fully managed manual penetration test, we test over 120 different checklists, which include the OWASP Top 10 and additional checks designed for your web application. ThreatScan is considered to be one of the best penetration-testing-as-a-service platforms in the industry.
What is XML External Entities?
According to OWASP, an XML External Entity attack is an attack against an application that parses XML input. XML External Entity Injection is another name for it. The attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. It can cause denial of service, confidential data disclosure, port scanning from the machine where the parser is located, server-side request forgery, and other system impacts.
Conditions required for these kinds of Attacks
- An application becomes vulnerable to XXE when it accepts XML input or XML uploads from untrusted sources, or inserts untrusted data into XML documents, and an XML processor then parses the result.
- It also occurs when Document Type Definitions (DTDs) are enabled in any XML processor in SOAP-based web services or applications. How DTD processing is disabled differs depending on the processor, so it is always a good idea to consult a reference like the OWASP Cheat Sheet "XXE Prevention".
- If an application uses SAML for identity processing within single sign-on (SSO) or federated security, the chance of an XXE attack is high. SAML uses XML for identity assertions, which, in turn, may be vulnerable.
- If XML entities are passed to the SOAP framework in an application that uses SOAP before version 1.2, it may be vulnerable to XXE attacks.
- An application that is susceptible to XXE attacks is also vulnerable to denial-of-service attacks.
Types of XXE Attacks
XXE for File Retrieval
An attacker can use the system identifier URL to craft a malicious request to gain access to sensitive file contents. The server may expose the contents of a file system in its response if the XML parser processes external entities. In the absence of effective security mechanisms, the attacker can gain access to credential files, system files, source code, and sometimes even directory listings of all integrations.
XXE for Server-Side Request Forgery (SSRF)
Attackers can use XXE payloads to gain indirect access to internal networks and launch attacks that appear to be legitimate server requests. After executing XXE on one web server, the attacker can send HTTP requests to other internal subsystems, staging a full-fledged attack.
Data out-of-band exfiltration
Out-of-band (blind XXE) attacks do not rely on the server's immediate response. In this case, the attacker forces the XML processor to send additional requests to a server that the attacker controls. That server is then used to read the contents of the file that was captured during the attack.
Data Retrieval via Error Messages
Attackers can cause an XML parsing error containing the sensitive data they’re looking for. This method works only if the server includes the entire error message in its response.
XXE Attacks via file upload
Clients can upload files to certain applications, which the web server then processes and validates. If the file processing library supports XML subcomponents, the attacker can use malicious documents to gain access to the attack surface.
Modified Content-Type
Specific XML content types are tolerated by some web servers. Attackers can expose the attack surface by reformatting POST requests to use XML if the application can accept requests with XML in the message body.
XInclude Attacks
When a client submits data, some applications embed it into an XML document, which is then parsed. Instead of controlling the entire XML document, attackers can use XInclude, which specifies the subcomponents that are used to construct XML documents. By referencing the XInclude namespace and a path to the file they want to include, these subcomponents can be included within any data value in the XML document.
Blind XXE Vulnerabilities
Attackers tend to define external entities using a URL that points to a system they control. Such vulnerabilities can be identified by monitoring the traffic generated by the application's interactions.
How to Prevent XXE Attacks?
Use simple data formats
Organizations should use a secure default configuration that favors simple data formats, such as JSON, and validates input before it is processed by the XML parser.
Use updated XML processors and libraries
The XML parser is weakened by older XML processors and libraries that use outdated document type definitions. To avoid parsing and the exposure of sensitive data, security teams should update their XML libraries and processors.
Disable Document Type Definition and XXE in all XML Parsers
Disabling Document Type Definition or external entity support ensures that no malicious payloads can be injected into the data transport protocol.
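One way to apply this in Python, as an added example that is not part of the original article: a guard pass with the standard library's expat bindings rejects any document that carries a DOCTYPE, an entity declaration or an XInclude element before the tree is built. The function and exception names and the sample documents (with placeholder file paths) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


class ForbiddenXML(ValueError):
    """Raised when a document uses a construct this parser refuses."""


def _reject(reason):
    # Build an expat handler that aborts the parse with a fixed reason.
    def handler(*_args):
        raise ForbiddenXML(reason)
    return handler


def _check_element(name, _attrs):
    # With namespace_separator=" ", expat reports names as "<ns-uri> <local>".
    if name.startswith(XINCLUDE_NS + " "):
        raise ForbiddenXML("XInclude element")


def safe_fromstring(data: bytes) -> ET.Element:
    """Parse untrusted XML only if it has no DTD, entities or XInclude."""
    guard = expat.ParserCreate(namespace_separator=" ")
    guard.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    guard.EntityDeclHandler = _reject("entity declaration")
    guard.ExternalEntityRefHandler = _reject("external entity reference")
    guard.StartElementHandler = _check_element
    try:
        guard.Parse(data, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc
    # The guard pass found nothing forbidden, so build the tree.
    return ET.fromstring(data)


# Constructed sample inputs (the file path is a placeholder).
PLAIN = b"<order><item>book</item></order>"
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY x SYSTEM "file:///placeholder/secret.txt">]>'
            b"<order><item>&x;</item></order>")
WITH_XINCLUDE = (b'<order xmlns:xi="http://www.w3.org/2001/XInclude">'
                 b'<xi:include parse="text" href="file:///placeholder/secret.txt"/>'
                 b"</order>")
```

Rejecting the DOCTYPE outright also blocks internal entity expansion, which is the denial-of-service path listed among the conditions above.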
Use Whitelisting for Server-Side Input Validation
Whitelisting protects applications and networks from unauthorized entities and untrusted sources executing code remotely. This ensures that the XML parser can handle legitimate workloads and requests.
Utilize SAST Tools to Identify XXE Attack Surfaces in Source Code
While manual code review can assist teams in identifying potential attack surfaces, SAST tools automate the detection of vulnerabilities in source code and are widely regarded as one of the most effective ways to eliminate XXE vulnerabilities.