A DoS attack has knocked your website offline for a few minutes. On investigation, the cause turns out to be a flood of "lol" strings that consumed about 3 GB of memory: your site was hit by the infamous Billion Laughs attack, delivered through an XXE vulnerability. XXE has been known since the early 2000s, and despite its moderate prevalence it was ranked #4 in the 2017 OWASP Top 10 because of how widely its underlying vector, XML, is used and how risky the default configuration of most XML parsers is. Identifying and mitigating these vulnerabilities is critical to strengthening web application security.
In this article, we discuss XXE vulnerabilities in depth: how they work, their types, and how to identify and mitigate them.
XXE Vulnerability: An Introduction
An XML External Entity (XXE) vulnerability lets attackers interfere with an application's processing of XML data and, through that, reach the server's filesystem and any backend or external systems the application can talk to.
This vulnerability can be leveraged by attackers to:
- Perform Server-Side Request Forgery (SSRF) and compromise the underlying server or other backend infrastructure.
- Orchestrate Denial of Service (DoS), causing downtime or application crashes.
- Steal or corrupt data, execute malicious code, pivot to network attacks, and so on.
How Do XML External Entity Injection Attacks Work?
XML is a markup language that websites and web applications have used extensively for over two decades. In service-oriented architectures, XML documents carry structured data: field names, string values, and links to other files and resources.
- One of XML's main advantages is extensibility: a document can declare its own entities and carry any kind of data. The same flexibility is what makes it dangerous.
- Entities are declared in the DOCTYPE declaration (the DTD) and can take a wide variety of values, with few restrictions.
- An entity's value need not be defined in the document itself; an external entity is loaded from a source named by a system identifier, such as a local file path or a URL.
- When an attacker controls such a declaration, the system identifier is pointed at local or remote data the application was never meant to read.
So, how is an XXE attack orchestrated?
- An XXE vulnerability exists when the XML parser supports these potentially unsafe features of the XML specification (DTDs and external entities) and the application does not turn them off.
- Attackers find such applications and send XML requests whose Document Type Definition (DTD) carries a malicious entity declaration.
- The weak parser resolves the external entity: it fetches the resource named in the declaration and substitutes its contents wherever the entity is referenced.
- The attacker thereby reads confidential data, reaches internal resources, or crashes the parser, depending on their goal.
How to Identify XML External Entity Vulnerabilities?
Most XXE vulnerabilities can be identified effectively with an intelligent and comprehensive web application scanner. Most of them are found reliably, quickly, and accurately by AppTrana's web application scanner, which is equipped with AI-ML and Global Threat Intelligence.
Manual testing by certified security experts is still essential, because automated scanning misses some of these vulnerabilities. The following XXE variants are tested manually:
- File retrieval: an external entity is declared that points at a well-known OS file (for example /etc/passwd on Unix systems), and the tester checks whether the file's contents appear in the application's response.
- Blind XXE: the entity points at a URL on a system the tester controls, and the tester watches for the resulting out-of-band interaction (a DNS lookup or HTTP request), since nothing shows up in the response itself.
- XInclude attacks: where the application embeds user-supplied, non-XML data into a server-side XML document, the attacker cannot control the DOCTYPE, so the tester instead injects an XInclude element referencing a well-known OS file and checks whether it is retrieved.
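The XInclude case above, as an added example that is not from the original article. It assumes a hypothetical server that splices a user comment into an XML template by string formatting and then runs XInclude processing (Python's standard xml.etree.ElementInclude stands in for that processor); the report template, the secret file and its path are constructed for the demonstration. The corrected form, XML-escaping the input before it reaches the template, is shown alongside.

```python
"""
Added example: XInclude injection through user data spliced into server-side
XML, beside the escaped (corrected) form. Not code from the original article.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude
from xml.sax.saxutils import escape

XI_NS = "http://www.w3.org/2001/XInclude"


def render_report(comment):
    """Hypothetical server-side pattern under test: user-supplied text is
    spliced into an XML template by string formatting, not as escaped text."""
    return f"<report><comment>{comment}</comment></report>"


def render_report_safely(comment):
    """Corrected form: the input is XML-escaped, so '<' can never open an element."""
    return f"<report><comment>{escape(comment)}</comment></report>"


def xinclude_payload(path):
    """Tester's probe: an XInclude directive that pulls a local file in as text.
    It declares the xi namespace itself, so it works regardless of whether the
    server's template knows anything about XInclude."""
    return f'<xi:include xmlns:xi="{XI_NS}" href="{path}" parse="text"/>'


def process(xml_text):
    """Parse the document and run XInclude processing, as an application that
    supports XInclude would; return the comment text it ends up with."""
    root = ET.fromstring(xml_text)
    ElementInclude.include(root)  # default loader opens href from the local filesystem
    return root.find("comment").text or ""


def demo():
    """Plants a constructed secret file and sends the same probe through the
    vulnerable and the corrected template. Returns what each one exposed."""
    tmp = tempfile.mkdtemp()
    secret_path = os.path.join(tmp, "secret.txt")
    with open(secret_path, "w") as f:
        f.write("hunter2")  # constructed stand-in for a sensitive OS file
    probe = xinclude_payload(secret_path)
    return {
        "unescaped": process(render_report(probe)),        # file contents leak
        "escaped": process(render_report_safely(probe)),   # probe stays inert text
    }


if __name__ == "__main__":
    print(demo())
```

The probe never touches the DOCTYPE, which is why it works where a classic XXE payload cannot: the attacker only controls a fragment of the document body. The fix is the same one that stops HTML injection, escape user data before it is placed in markup.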
How to Mitigate XXE Vulnerabilities?
- In most cases XXE attacks are easy to prevent: disable the parser features that make the XML processor weak and the application vulnerable. Review the XML parsing library the application uses, identify the features that can be misused, and turn them off.
- DTDs and XML external entity resolution must be disabled; if DTDs cannot be disabled entirely, at least disable external entities and external DTD loading.
- Keep all XML processors and libraries used by the application patched and up to date.
- Validate user input before it is parsed.
- Sanitize, validate and whitelist file uploads, server-side user inputs and URLs.
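Both the attack sequence described under "How Do XML External Entity Injection Attacks Work?" and the first two mitigation points above, in working code. This is an added example and not part of the original article: it drives Python's standard xml.sax parser, whose feature_external_ges switch controls whether external general entities are resolved, first with the weak setting and then hardened (external entities off and any DOCTYPE rejected outright). The "order" document, the secret file, its path and the "hunter2" value are all constructed for the demonstration.

```python
"""
Added example: a file-retrieval XXE payload against Python's xml.sax with
external general entities enabled, beside the hardened configuration.
Not code from the original article.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges, property_lexical_handler


class TextCollector(xml.sax.ContentHandler):
    """Collects character data, which is where a resolved entity's contents land."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class RejectDoctype:
    """Lexical handler that aborts the parse as soon as a DOCTYPE appears.
    No DTD means no entity declarations, external or otherwise."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE not allowed (root element {name!r})")

    # The SAX reader wires every lexical callback eagerly, so these must exist.
    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def build_payload(path):
    """Classic file-retrieval XXE: the DTD declares an external entity whose
    SYSTEM identifier is a local file, and the body references that entity."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "{path}">
]>
<order><item>&xxe;</item></order>""".encode()


def parse_insecure(doc):
    """Weak configuration: external general entities are fetched and substituted.
    (This was the xml.sax default before Python 3.7.1.)"""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return "".join(handler.parts)


def parse_hardened(doc):
    """Corrected configuration: external entity resolution stays off, and any
    document carrying a DOCTYPE is refused before a single entity is declared."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDoctype())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return "".join(handler.parts)


def demo():
    """Plants a constructed secret file, then parses the same payload with both
    configurations. Returns what each configuration exposed."""
    tmp = tempfile.mkdtemp()
    secret_path = os.path.join(tmp, "secret.txt")
    with open(secret_path, "w") as f:
        f.write("hunter2")  # constructed stand-in for /etc/passwd
    doc = build_payload(secret_path)

    leaked = parse_insecure(doc)          # secret shows up in the parsed text
    try:
        parse_hardened(doc)
        blocked = None
    except ValueError as e:
        blocked = str(e)                  # payload rejected at the DOCTYPE
    # A DOCTYPE-free document still parses normally under the hardened settings.
    clean = parse_hardened(b"<order><item>widget</item></order>")
    return {"leaked": leaked, "blocked": blocked, "clean": clean}


if __name__ == "__main__":
    print(demo())
```

The lesson transfers to any parser: find the switch that governs DTD and external entity processing (feature_external_ges here, FEATURE_SECURE_PROCESSING and disallow-doctype-decl in Java, resolve_entities and no_network in libxml2-based libraries) and verify with a payload like this one that the setting actually blocks it, rather than trusting the default.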
- Web application security must be strengthened by onboarding a comprehensive, managed, and intelligent security solution like AppTrana.
Conclusion
The impact of successful XXE exploitation is severe. Beyond the hit to availability, it opens a major gateway to other attacks and to data exfiltration. Protecting applications from XML External Entity vulnerabilities is indispensable for fortifying web application security.
For more cybersecurity features and news, follow Indusface on Twitter and Facebook.
Originally published at https://www.indusface.com on June 5, 2020.