XXE, known as XML eXternal Entities, is an application security weakness in which compromised (attacker-controlled) data is processed by an insecurely configured XML parser.
XML files may contain a document type definition, known as a DTD, which describes the structure of an XML file. A DTD allows us to define and use XML entities.
Let’s see one example:
```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE order [
  <!ENTITY lol SYSTEM "file:///D:/texts.txt">
]>
<order>
  <itemID>&lol;</itemID>
</order>
```
If an XML parser processes external entities, this is a security flaw.
The lol external entity is declared in this file.
When an XML parser processes this file, it substitutes &lol; with the contents of the file at path D:/texts.txt, and the application will display the following:
```text
"This is an XXE attack target." is not valid 'itemID' value.
```
The application will be vulnerable to XXE attacks if:
– a developer configured an XML parser in such a way that it insecurely processes external entities;
– an attacker can directly or indirectly pass compromised data to the parser.
A parser written in C# with a dangerous configuration may look like this:
```csharp
using System.Xml;

var settings = new XmlReaderSettings()
{
    DtdProcessing = DtdProcessing.Parse,        // DTD is parsed instead of prohibited
    XmlResolver = new XmlUrlResolver(),         // external entities are fetched
    MaxCharactersFromEntities = 0               // 0 = no limit on entity expansion
};
using (var xmlReader = XmlReader.Create(xmlFileStringReader, settings))
....
```
… because it explicitly allows DTD processing, sets a resolver for external entities, and removes the limit on their expanded size.
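As an added example (not code from the original post), here is the dangerous configuration above placed beside a hardened one, each parsing the <order> document from the first listing. The target file and its file:// path are constructed by the program itself in a temporary directory, so nothing on the page is assumed beyond the settings already shown.

```csharp
using System;
using System.IO;
using System.Xml;

class XxeDemo
{
    // Dangerous: DTD parsed, external entities resolved, no expansion limit.
    static XmlReaderSettings DangerousSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = new XmlUrlResolver(),
        MaxCharactersFromEntities = 0
    };

    // Hardened: DTD refused outright, no resolver, and a small expansion budget
    // as defence in depth should DTD processing ever be re-enabled.
    static XmlReaderSettings SafeSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024
    };

    static string ReadItemId(string document, XmlReaderSettings settings)
    {
        using (var reader = XmlReader.Create(new StringReader(document), settings))
        {
            reader.ReadToFollowing("itemID");          // throws XmlException under Prohibit
            return reader.ReadElementContentAsString(); // entity expanded here under Parse
        }
    }

    static void Main()
    {
        // Constructed sample: a local file standing in for D:/texts.txt.
        string path = Path.GetTempFileName();
        File.WriteAllText(path, "This is an XXE attack target.");
        string document =
            "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
            "<!DOCTYPE order [ <!ENTITY lol SYSTEM \"" + new Uri(path).AbsoluteUri + "\"> ]>" +
            "<order><itemID>&lol;</itemID></order>";

        foreach (var (name, settings) in new[] { ("dangerous", DangerousSettings()), ("safe", SafeSettings()) })
        {
            try { Console.WriteLine($"{name}: itemID = {ReadItemId(document, settings)}"); }
            catch (XmlException e) { Console.WriteLine($"{name}: rejected ({e.Message})"); }
        }
        File.Delete(path);
    }
}
```

The dangerous run prints the file contents as the itemID value; the safe run stops at the DOCTYPE with an XmlException before any external resource is touched.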
A good start for learning about XXE attacks is this Wikipedia page.
You can read more on this website.
On the development side, you should also read about the OWASP Top 10 and XXE.