By Mikhail Sudakov, Cyber Security Architect and Analyst, LEO Cyber Security.
As the following meme suggests, if you fail to disallow arbitrary execution or even inclusion of untrusted instructions in your programs, you really are going to have a bad time that will likely cost you dearly at some point.
A4 – XML External Entities (XXE)
“Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.” – (OWASP).
XXE occurs when an XML processor is able to include external code (entities) before parsing and executing the instructions; and, it can be quite vicious. Some of the end-results could even be data exfiltration and Denial-of-Service attacks. Doesn’t sound nice, does it? It is great that OWASP included XXE in its last edition of Top 10 as it is quickly becoming a problem.
Don’t we all have an older system still running in our infrastructure, for years now, that nobody really seems to notice or think about anymore? And those who do know about it treat it like a millennium-old artifact? It is not uncommon for some of those systems to be running an out-of-date XML-based web service. That would be just splendid news for the adversary lurking nearby! Older XML processors are likely to be vulnerable to XXE, especially if they had not been properly configured at the time.
As OWASP recommends, patches or upgrades must be immediately applied to the older XML processors and, if using SOAP, it should be brought to at least v1.2. Moreover, a crucial step is to disable XML external entity inclusion and the processing of document type definitions (DTDs). Be sure to consult the OWASP Cheat Sheet for XXE Prevention to confirm all the details. In addition, blacklists just don’t work well and shouldn’t be relied on. Only positive validation (whitelisting) should be implemented on the server to prevent untrusted instructions from being referenced or included.