OWASP Top 10 A4: XML External Entity (Impact & Mitigation)
An XML External Entity (XXE) attack targets an application that parses XML input. Many older or badly configured XML processors evaluate external entity references found within XML documents. External entities can be used to disclose internal files via the file URI handler, reach internal file shares, scan internal ports, cause denial of service and, with some processors, achieve remote code execution. The XML standard defines the structure of an XML document, including the concept of an entity, a named storage unit of some kind. There are several kinds of entities; an external parsed entity (general or parameter), usually shortened to an external entity, retrieves local or remote content through its declared system identifier.
The impact of XXE depends on whether the attacker can find useful files and on the permissions of the account running the web application. Particularly problematic are configuration files in predictable locations that contain usernames and passwords, because they let the attacker gain additional access beyond the parser itself.
Exploiting this vulnerability can therefore be very damaging: an attacker may read sensitive files on the server, scan internal systems, perform a denial of service attack against the server, and use what is learned to launch further attacks.
Mitigation of XML External Entity
- Patch or update all XML processors and libraries in use by the application or on the underlying operating system.
- Disable XML external entity and DTD processing in all XML parsers in the application. Where a parser cannot refuse DTDs outright, turn off resolution of both external general and external parameter entities, since either kind can carry the attack.
- Apply positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
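As an added worked example (not part of the original article), the Python program below puts the mechanism described above next to the second mitigation. It builds the classic file-disclosure payload, an external general entity whose system identifier is a file:// URI, and runs it through two configurations of Python's standard-library SAX parser: a vulnerable one that resolves external general entities (the parser did this by default before Python 3.7.1; here the feature is switched back on deliberately), and a hardened one that keeps external general and parameter entities off and rejects any DOCTYPE before an entity can be declared. The secret file, its path, the element names and the `NameCollector`, `RejectDtd`, `xxe_payload`, `parse_vulnerable`, `parse_hardened` and `run_demo` names are all constructed for this demo and assume a POSIX filesystem.

```python
"""XXE worked example (added; not the article's own code).

Standard library only: xml.sax on top of expat. The 'vulnerable' parser
re-enables external general entity resolution, which Python's SAX parser
turned off by default in 3.7.1; the hardened parser keeps it off and also
refuses any DOCTYPE, so no entity can be declared at all.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

# Constructed sample: the kind of config file in a predictable location that
# makes XXE worth exploiting. Written to a temp file when the demo runs.
SECRET_CONTENT = "db_user=app\ndb_password=hunter2\n"


class DtdRejected(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE appears."""


class NameCollector(ContentHandler):
    """Collects the character data inside <name>...</name>.

    When the vulnerable parser expands &xxe;, the file contents arrive
    here as ordinary character data, exactly as the application would
    later echo them back or store them."""
    def __init__(self):
        super().__init__()
        self._in_name = False
        self.parts = []

    def startElement(self, tag, attrs):
        self._in_name = (tag == "name")

    def endElement(self, tag):
        self._in_name = False

    def characters(self, content):
        if self._in_name:
            self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class RejectDtd:
    """SAX lexical handler that refuses any DTD. No DOCTYPE means no
    <!ENTITY ...> declarations, internal or external."""
    def startDTD(self, name, public_id, system_id):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed")
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def xxe_payload(target_path):
    """Classic file-disclosure payload: declare an external general entity
    whose system identifier is a file:// URI, then reference it from
    element content. target_path is assumed to be an absolute POSIX path."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE user [\n'
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        ']>\n'
        '<user><name>&xxe;</name></user>\n'
    ).encode("utf-8")


def parse_vulnerable(xml_bytes):
    """Misconfigured parser: external general entities are resolved, so the
    parser opens the file named in the entity and returns its contents as
    the text of <name>."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the dangerous setting
    handler = NameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_hardened(xml_bytes):
    """Hardened parser: external general and parameter entities stay off,
    and any DOCTYPE raises DtdRejected before an entity can be declared."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.setProperty(property_lexical_handler, RejectDtd())
    handler = NameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def run_demo():
    """Writes the constructed secret to a temp file, feeds the payload to
    both parsers, and returns (leaked_text, hardened_outcome, benign_text)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "app.conf")
        with open(secret_path, "w") as f:
            f.write(SECRET_CONTENT)
        payload = xxe_payload(secret_path)

        leaked = parse_vulnerable(payload)           # file contents come back
        try:
            parse_hardened(payload)
            hardened_outcome = "parsed"
        except DtdRejected as exc:
            hardened_outcome = f"rejected: {exc}"
        # Ordinary input without a DOCTYPE still parses normally.
        benign = parse_hardened(b"<user><name>alice</name></user>")
    return leaked, hardened_outcome, benign


if __name__ == "__main__":
    leaked, outcome, benign = run_demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser on payload:", outcome)
    print("hardened parser on benign input:", repr(benign))
```

Running the script shows the vulnerable parser returning the secret file verbatim while the hardened one stops at the DOCTYPE and still accepts plain documents. Rejecting the DTD is the stronger of the two controls: with only the entity features turned off, the `&xxe;` reference is silently skipped and the element comes back empty, but the parser still has to process whatever else the DTD contains. Other parsers expose the same two knobs under different names, so check each library's documentation for its equivalents of these SAX features.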