Kingdom: Input Validation and Representation
Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
XML External Entity Injection
Abstract
Using XML parsers that are not configured to prevent or limit external entities resolution can expose the parser to an XML External Entities attack
Explanation
XML External Entities attacks benefit from an XML feature to build documents dynamically at the time of processing. An XML entity allows to include data dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote systems. This behavior exposes the application to XML External Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.
The following XML document shows an example of an XXE attack.
This example could disclose the contents of the C:\winnt\win.ini system file, if the XML parser attempts to substitute the entity with the contents of the file.
The following XML document shows an example of an XXE attack.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/winnt/win.ini" >]><foo>&xxe;</foo>
This example could disclose the contents of the C:\winnt\win.ini system file, if the XML parser attempts to substitute the entity with the contents of the file.
References
desc.controlflow.dotnet.xml_external_entity_injection
Abstract
The identified method allows external entity references. This call could allow an attacker to inject an XML external entity into the XML document to reveal the contents of files or internal network resources.
Explanation
XML External Entity (XXE) injection occurs when:
1. Data enters a program from an untrusted source.
2. The data is written to an <ENTITY> element of the DTD (Document Type Definition) in an XML document.
Applications typically use XML to store data or send messages. When used to store data, XML documents are often treated like databases and can potentially contain sensitive information. XML messages are often used in web services and can also be used to transmit sensitive information. XML messages can even be used to send authentication credentials.
The semantics of XML documents and messages can be altered if an attacker has the ability to write raw XML. In the most benign case, an attacker may be able to insert nested entity references and cause an XML parser consume ever increasing amounts of CPU resources. In more nefarious cases of XML external entity injection, an attacker may be able to add XML elements that expose the contents of local file system resources or reveal the existence of internal network resources.
Example 1:Here is some Objective-C code that is vulnerable to XXE attacks:
Assume an attacker is able to control
When the XML is evaluated by the server, the <foo> element will contain the contents of the
1. Data enters a program from an untrusted source.
2. The data is written to an <ENTITY> element of the DTD (Document Type Definition) in an XML document.
Applications typically use XML to store data or send messages. When used to store data, XML documents are often treated like databases and can potentially contain sensitive information. XML messages are often used in web services and can also be used to transmit sensitive information. XML messages can even be used to send authentication credentials.
The semantics of XML documents and messages can be altered if an attacker has the ability to write raw XML. In the most benign case, an attacker may be able to insert nested entity references and cause an XML parser consume ever increasing amounts of CPU resources. In more nefarious cases of XML external entity injection, an attacker may be able to add XML elements that expose the contents of local file system resources or reveal the existence of internal network resources.
Example 1:Here is some Objective-C code that is vulnerable to XXE attacks:
- (void) parseSomeXML: (NSString *) rawXml {
BOOL success;
NSData *rawXmlConvToData = [rawXml dataUsingEncoding:NSUTF8StringEncoding];
NSXMLParser *myParser = [[NSXMLParser alloc] initWithData:rawXmlConvToData];
[myParser setShouldResolveExternalEntities:YES];
[myParser setDelegate:self];
}
Assume an attacker is able to control
rawXml such that the XML looks like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
When the XML is evaluated by the server, the <foo> element will contain the contents of the
boot.ini file.desc.semantic.cpp.xml_external_entity_injection
Abstract
Using XML parsers that are not configured to prevent or limit external entities resolution can expose the parser to an XML External Entities attack
Explanation
XML External Entities attacks benefit from an XML feature to build documents dynamically at the time of processing. An XML entity allows inclusion of data dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the application to XML External Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.
The following XML document shows an example of an XXE attack.
This example could crash the server (on a UNIX system), if the XML parser attempts to substitute the entity with the contents of the /dev/random file.
The following XML document shows an example of an XXE attack.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
This example could crash the server (on a UNIX system), if the XML parser attempts to substitute the entity with the contents of the /dev/random file.
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] IDS17-J. Prevent XML External Entity Attacks CERT
[5] DOS-1: Beware of activities that may use disproportionate resources Oracle
[6] INJECT-5: Restrict XML inclusion Oracle
desc.semantic.java.xxe_injection
Abstract
Using XML processors that do not prevent or limit external entities resolution can expose the application to an XML External Entity attack.
Explanation
XML External Entity attacks benefit from an XML feature to dynamically build documents at runtime. An XML entity allows inclusion of data dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, such as a file on the local machine or on a remote system. This behavior exposes the application to XML External Entity (XXE) attacks, which enables attackers to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.
Example 1: The following XML document shows an example of an XXE attack.
This example could crash the server (on a UNIX system) if the XML parser attempts to substitute the entity with the contents of the /dev/random file.
Example 1: The following XML document shows an example of an XXE attack.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
This example could crash the server (on a UNIX system) if the XML parser attempts to substitute the entity with the contents of the /dev/random file.
desc.dataflow.javascript.xxe_injection
Abstract
The identified method allows external entity references. This call could allow an attacker to inject an XML external entity into the XML document to reveal the contents of files or internal network resources.
Explanation
XML External Entity (XXE) injection occurs when:
1. Data enters a program from an untrusted source.
2. The data is written to an <ENTITY> element of the DTD (Document Type Definition) in an XML document.
Applications typically use XML to store data or send messages. When used to store data, XML documents are often treated like databases and can potentially contain sensitive information. XML messages are often used in web services and can also be used to transmit sensitive information. XML messages can even be used to send authentication credentials.
The semantics of XML documents and messages can be altered if an attacker has the ability to write raw XML. In the most benign case, an attacker may be able to insert nested entity references and cause an XML parser consume ever increasing amounts of CPU resources. In more nefarious cases of XML external entity injection, an attacker may be able to add XML elements that expose the contents of local file system resources or reveal the existence of internal network resources.
Example 1:Here is some code that is vulnerable to XXE attacks:
Assume an attacker is able to control
When the XML is evaluated by the server, the <foo> element will contain the contents of the
1. Data enters a program from an untrusted source.
2. The data is written to an <ENTITY> element of the DTD (Document Type Definition) in an XML document.
Applications typically use XML to store data or send messages. When used to store data, XML documents are often treated like databases and can potentially contain sensitive information. XML messages are often used in web services and can also be used to transmit sensitive information. XML messages can even be used to send authentication credentials.
The semantics of XML documents and messages can be altered if an attacker has the ability to write raw XML. In the most benign case, an attacker may be able to insert nested entity references and cause an XML parser consume ever increasing amounts of CPU resources. In more nefarious cases of XML external entity injection, an attacker may be able to add XML elements that expose the contents of local file system resources or reveal the existence of internal network resources.
Example 1:Here is some code that is vulnerable to XXE attacks:
- (void) parseSomeXML: (NSString *) rawXml {
BOOL success;
NSData *rawXmlConvToData = [rawXml dataUsingEncoding:NSUTF8StringEncoding];
NSXMLParser *myParser = [[NSXMLParser alloc] initWithData:rawXmlConvToData];
[myParser setShouldResolveExternalEntities:YES];
[myParser setDelegate:self];
}
Assume an attacker is able to control
rawXml such that the XML looks like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
When the XML is evaluated by the server, the <foo> element will contain the contents of the
boot.ini file.desc.semantic.objc.xml_external_entity_injection
Abstract
Processing an unvalidated XML document can allow an attacker to change the structure and contents of the XML, port scan the host server or host scan the internal network, include arbitrary files from the file system, or cause a denial of service of the application.
Explanation
XML External Entity (XXE) injection occurs when:
1. Data enters a program from an untrusted source.
2. The data is written to an XML document.
Applications typically use XML to store data or send messages. When used to store data, XML documents are often treated like databases and can potentially contain sensitive information. XML messages are often used in web services and can also be used to transmit sensitive information. XML messages can even be used to send authentication credentials.
The semantics of XML documents and messages can be altered if an attacker has the ability to write raw XML. In the most benign case, an attacker may be able to insert nested entity references and cause an XML parser to consume ever increasing amounts of CPU resources. In more nefarious cases of XML external entity injection, an attacker may be able to add XML elements that expose the contents of local file system resources, reveal the existence of internal network resources or expose backend content itself.
Example 1: Here is some code that is vulnerable to XXE attacks:
Assume an attacker is able to control the input XML to the following code:
Now suppose that the following XML is passed by the attacker to the code in
When the XML is processed, the content of the <foo> element is populated with the contents of the system's
1. Data enters a program from an untrusted source.
2. The data is written to an XML document.
Applications typically use XML to store data or send messages. When used to store data, XML documents are often treated like databases and can potentially contain sensitive information. XML messages are often used in web services and can also be used to transmit sensitive information. XML messages can even be used to send authentication credentials.
The semantics of XML documents and messages can be altered if an attacker has the ability to write raw XML. In the most benign case, an attacker may be able to insert nested entity references and cause an XML parser to consume ever increasing amounts of CPU resources. In more nefarious cases of XML external entity injection, an attacker may be able to add XML elements that expose the contents of local file system resources, reveal the existence of internal network resources or expose backend content itself.
Example 1: Here is some code that is vulnerable to XXE attacks:
Assume an attacker is able to control the input XML to the following code:
...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...
Now suppose that the following XML is passed by the attacker to the code in
Example 2:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
When the XML is processed, the content of the <foo> element is populated with the contents of the system's
boot.ini file. The attacker may utilize XML elements which are returned to the client to exfiltrate data or obtain information as to the existence of network resources.desc.dataflow.php.xml_external_entity_injection
Abstract
Using XML processors that do not prevent or limit external entities resolution can expose the application to XML External Entities attacks.
Explanation
XML External Entities attacks benefit from an XML feature to dynamically build documents at runtime. An XML entity allows inclusion of data dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, such as a file on the local machine or on a remote system. This behavior exposes the application to XML External Entity (XXE) attacks, which attackers can use to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.
Example 1: The following XML document shows an example of an XXE attack.
This example could crash the server (on a UNIX system), if the XML parser attempts to substitute the entity with the contents of the /dev/random file.
Example 1: The following XML document shows an example of an XXE attack.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
This example could crash the server (on a UNIX system), if the XML parser attempts to substitute the entity with the contents of the /dev/random file.
References
desc.dataflow.python.xxe_injection
Abstract
Using XML parsers that are not configured to prevent or limit external entities resolution can expose the parser to an XML External Entities attack
Explanation
XML External Entities attacks benefit from an XML feature to build documents dynamically at the time of processing. An XML entity allows inclusion of data dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the application to XML External Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.
The following XML document shows an example of an XXE attack.
The example XML document will read the contents of
Example 1: The following code uses an insecure XML parser to process untrusted input from an HTTP request.
The following XML document shows an example of an XXE attack.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
The example XML document will read the contents of
/etc/passwd and include them into the document. Example 1: The following code uses an insecure XML parser to process untrusted input from an HTTP request.
def readFile() = Action { request =>
val xml = request.cookies.get("doc")
val doc = XMLLoader.loadString(xml)
...
}
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] IDS17-J. Prevent XML External Entity Attacks CERT
[5] DOS-1: Beware of activities that may use disproportionate resources Oracle
[6] INJECT-5: Restrict XML inclusion Oracle
desc.dataflow.scala.xml_external_entity_injection
Abstract
The identified method allows external entity references. This call could allow an attacker to inject an XML external entity into the XML document to reveal the contents of files or internal network resources.
Explanation
XML External Entity (XXE) injection occurs when:
1. Data enters a program from an untrusted source.
2. The data is written to an <ENTITY> element of the DTD (Document Type Definition) in an XML document.
Applications typically use XML to store data or send messages. When used to store data, XML documents are often treated like databases and can potentially contain sensitive information. XML messages are often used in web services and can also be used to transmit sensitive information. XML messages can even be used to send authentication credentials.
The semantics of XML documents and messages can be altered if an attacker has the ability to write raw XML. In the most benign case, an attacker may be able to insert nested entity references and cause an XML parser consume ever increasing amounts of CPU resources. In more nefarious cases of XML external entity injection, an attacker may be able to add XML elements that expose the contents of local file system resources or reveal the existence of internal network resources.
Example 1:Here is some code that is vulnerable to XXE attacks:
Assume an attacker is able to control
When the XML is evaluated by the server, the <foo> element will contain the contents of the
1. Data enters a program from an untrusted source.
2. The data is written to an <ENTITY> element of the DTD (Document Type Definition) in an XML document.
Applications typically use XML to store data or send messages. When used to store data, XML documents are often treated like databases and can potentially contain sensitive information. XML messages are often used in web services and can also be used to transmit sensitive information. XML messages can even be used to send authentication credentials.
The semantics of XML documents and messages can be altered if an attacker has the ability to write raw XML. In the most benign case, an attacker may be able to insert nested entity references and cause an XML parser consume ever increasing amounts of CPU resources. In more nefarious cases of XML external entity injection, an attacker may be able to add XML elements that expose the contents of local file system resources or reveal the existence of internal network resources.
Example 1:Here is some code that is vulnerable to XXE attacks:
func parseXML(xml: String) {
parser = NSXMLParser(data: rawXml.dataUsingEncoding(NSUTF8StringEncoding)!)
parser.delegate = self
parser.shouldResolveExternalEntities = true
parser.parse()
}
Assume an attacker is able to control
rawXml contents such that the XML looks like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
When the XML is evaluated by the server, the <foo> element will contain the contents of the
boot.ini file.References
desc.structural.swift.xml_external_entity_injection