Security – XXE external entity attack.

XXE known ad XML eXternal Entities is an application security weakness by compromised data processed by an insecurely configured XML parser.
XML files may contain the document type definition known as DTD, which describes the structure of an XML file. DTD allows us to define and use XML entities.
Let’s see one example:

If an XML parser reader processes external entities, this is a security flaw.
The lol external entity is declared in this file.
When an XML parser process this file, it substitutes &lol; with the contents of the file along path D:/texts.txt and the application will display the following:

The application will be vulnerable to XXE attacks, if:
– a developer configured an XML parser in such a way that it insecurely processes external entities;
– an attacker can directly/indirectly pass compromised data to the parser.
A parser wrote in C# with a dangerous configuration may look like this:

… because explicitly allowed DTD processing, set a resolver for external entities, and removed the limitations on their size.
A good start to learn about the XXE attacks is this Wikipedia page.
You can read more on this website.
For development area you need to read more about OWASP Top 10 and XXE.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.