XXE (XML External Entity Injection) is a common web-based security vulnerability that enables an attacker to interfere with the processing of XML data within a web application.
While XML is an extremely popular format used by developers to transfer data between the web browser and the server, this results in XXE being a common security flaw.
XML requires a parser, which is typically where vulnerabilities occur. XXE enables an entity to be defined based on the content of a file path or URL. When the XML attack payload is read by the server, the external entity is parsed, merged into the final document, and returns it to the user with the sensitive data inside.
How Does XXE Harm Your Applications
By exploiting a vulnerability in your XML, an attacker is able to view files on the application server file system and interact with a backend or external system that the application itself has access to.
This alone can have serious consequences, however, this can be further compounded, with XXE attacks being leveraged by an attacker to perform server-side request forgery (SSRF) attacks to compromise the underlying server.
It is therefore important to implement XXE prevention strategies.
How to Prevent XXE Vulnerability
Although a common vulnerability, preventing XXE attacks can be easily achieved with good coding practices and some language-specific advice.
XXE Vulnerability in Java
Java inherently makes a programmer’s task of defending against XXE less definitive, due to the reliance on parsers. Java XML parsers are often vulnerable to XXE attacks, resulting in less control in securing your applications.
Thankfully, creators of these parsers are wise to this issue, actively ensuring that they are updated accordingly to be more secure, but you are still reliant on these third parties. Some of the most common XML parsers for Java include:
- Dom Parser
- SAX Parser
- JDOM Parser
- DOM4J Parser
- StAX Parser
When relying on third-party parsers, you should disable DOCTYPES, which will automatically protect you from XXE attacks.
XXE Vulnerability in PHP
PHP holds the title of perhaps the most popular back-end web application language, and as such, is a primary target for attackers, including XXE attacks. With attackers routinely finding new vulnerabilities, it is imperative to keep your PHP version up to date to secure your applications.
In relation to XXE prevention, there are things that you can do in order to ensure you’re a victim. Since PHP version 8.0.0, it is highly recommended that you use
libxml_disable_entity_loader. Further information on fully understanding and implementing this functionality in your code can be found here.
XXE Vulnerability in Python
Python’s popularity is growing each day with both new programmers and seasoned veterans. However, with rapid growth and expansion comes risk.
The first step in securing your Python applications is ensuring that the XML parsers you are using are safe. Some, such as Etree, Minidom, Xmlrpc, and Genshi are built with security in mind, resistant to XXE vulnerabilities. However, other popular modules such as Pulldom and Lxlm aren’t inherently safe, and precaution is advised.
Real-Life Examples of XXE Vulnerability
Some of the most popular Android development tools include Android Studio, Eclipse, and APKTool. They all parsed XML in a way that allowed attackers to gain access through external entities, creating a huge exploit in these apps. Obviously, this was patched in later versions, but it serves as a good reminder that one can never be complacent when it comes to security in development, even when relying on industry-leading third-party tools. Supply chain risk is a real threat.
Additionally, XXE vulnerabilities occurred in WordPress as well. This is especially alarming given approximately 40% of all websites use this CMS provider.
How to Protect Your Application
Protecting your application as a web developer isn’t a luxury – it’s a prerequisite to a successful project. Developers are now the first line of defense, responsible for the code they write to ensure they are secure by design.
NeuraLegion’s security scanner Nexploit is built for developers to test their applications and APIs for many common vulnerabilities, including XXE. With NO false positives and out-of-the-box scan configurations and optimizations, security testing can now be carried out early and often, on every build as part of your pipeline. Sign up for a FREE developer account.