How To Prevent XML External Entity (XXE) Attacks
What are XXE Attacks?
An XML external entity (XXE) attack is a vulnerability that abuses features of XML parsers and the XML data format. It typically lets an attacker interact with files and services on the server hosting the application that they would otherwise have no access to.
XXE attacks take advantage of weaknesses in XML parsers. When poorly configured, these parsers can be tricked into loading and exposing sensitive files and data. Attackers can use XXE attacks to perform actions like:
- Stealing data
- Performing denial of service attacks
- Port scanning internal systems
- Executing remote code
The most common XXE attacks exploit XML parsers that support external entities. External entities allow embedding data from external sources, like files or websites, into XML documents.
How XXE Attacks Work
Here’s an overview of how a basic XXE attack works:
- A vulnerable XML parser processes untrusted input. The application accepts XML from an untrusted source and passes it to a parser that still resolves external entities.
- The malicious input contains an external entity declaration. The attacker sends specially crafted XML that declares an external entity – a reference to a resource located outside the XML document, such as a file on the server or a resource on a remote system.
- The XML parser loads the external entity. Instead of rejecting the declaration, the vulnerable parser resolves it, exposing the targeted file or system to the attacker.
- Sensitive information is exposed. The attacker reads the data from the files or systems that were loaded. Depending on the external entity, an attacker may also be able to execute commands on remote systems.
Preventing XXE Attacks
Here are some key best practices for preventing XXE attacks:
Validate and sanitize untrusted input
Scrutinize all XML input from untrusted sources before processing it. Use input validation to reject any document that declares external entities, and sanitize all user-controllable input so that embedded exploits never reach the parser.
Disable XML external entity processing
The best way to stop XXE attacks is to disable the resolution of external entities (and, where the application does not need them, DTDs altogether). Modern XML parser libraries such as lxml and defusedxml have options to prohibit external entities.
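The two practices above (validate untrusted XML before parsing, and never resolve external entities) can be combined into a single gate in front of the application's parser. The following is an added example written for this article, not code from it or from any of the libraries it names; it uses only Python's standard library, and the function names (UnsafeXML, reject_dtd, safe_fromstring, is_safe) and the sample documents are constructed for illustration.

```python
"""Stdlib-only XML gate: refuse any document that declares a DOCTYPE or
entities before it reaches the application's parser (added example)."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document uses DTD features the application never needs."""


def reject_dtd(data: bytes) -> None:
    """Scan ``data`` with expat and raise UnsafeXML on any DOCTYPE, entity
    declaration or external entity reference.

    Expat calls these handlers as it tokenises the document, so the check
    sees the real declarations rather than a regex guess, and it never
    fetches anything: parameter-entity parsing is switched off and the
    external-reference handler returns 0, which tells expat to abort.
    Malformed XML raises expat.ExpatError.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration not allowed (root element {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid is not None else "internal"
        raise UnsafeXML(f"{kind} entity declaration not allowed ({name!r})")

    def on_external_ref(context, base, sysid, pubid):
        return 0  # refuse to resolve; expat stops instead of loading the resource

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)


def safe_fromstring(data: bytes) -> ET.Element:
    """Parse untrusted XML: run the gate first, then hand it to ElementTree."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_safe(data: bytes) -> bool:
    """Predicate for a validation layer: False for DTD use or malformed XML."""
    try:
        reject_dtd(data)
    except (UnsafeXML, expat.ExpatError):
        return False
    return True


# Constructed sample inputs (not captured traffic).
BENIGN = b'<?xml version="1.0"?><order id="42"><item sku="A-1" qty="2"/></order>'

# The shape of an XXE payload: an external entity pointing at a local file.
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
    b'<order>&ext;</order>'
)

# External DTD reference: no entity inside the document, but the DTD would be
# fetched from elsewhere and can itself declare entities (placeholder host).
EXTERNAL_DTD = b'<!DOCTYPE order SYSTEM "http://dtd.example/order.dtd"><order/>'

# Internal entities only: no file access, but nested expansion is the basis of
# "billion laughs" denial-of-service documents, so these are refused too.
INTERNAL_ENTITY = (
    b'<!DOCTYPE order [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b'<order>&b;</order>'
)

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("external entity", EXTERNAL_ENTITY),
               ("external dtd", EXTERNAL_DTD), ("internal entity", INTERNAL_ENTITY)]
    for label, doc in samples:
        try:
            root = safe_fromstring(doc)
            print(f"{label}: accepted, root <{root.tag}>")
        except UnsafeXML as exc:
            print(f"{label}: rejected ({exc})")
```

Rejecting the whole DOCTYPE is the simplest policy for applications that exchange plain data documents, and it also shuts out the internal-entity expansion behind the denial-of-service attacks mentioned earlier. If you are already on lxml, the equivalent setting is to construct the parser with `resolve_entities=False` and `no_network=True`; defusedxml's drop-in replacements for the standard-library parsers refuse entity declarations and external references by default.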
Limit XML parser privileges
Run XML parsers under the lowest privileges possible. Use restricted accounts with limited file system access and reduced network visibility.
Keep XML parsers up to date
Use the latest versions of all XML processing libraries. Monitor security updates and patches to ensure vulnerabilities are addressed as soon as possible.
Use virtual patching
For legacy systems that cannot be patched promptly, a web application firewall (WAF) can provide an additional layer of protection: WAF rules can be configured to detect and block requests carrying XXE payloads such as DOCTYPE and external entity declarations.
Perform extensive security testing
Continuously test your applications to uncover XXE vulnerabilities before attackers can find them. Penetration testing and vulnerability assessments should include XXE attack vectors.
Real Life XXE Vulnerabilities
Some notable examples of damaging XXE attacks against real-world applications include:
- Dropbox – In 2016, Dropbox inadvertently enabled XXE on a document preview generation feature. Attackers could use this to read arbitrary local files from the Dropbox servers.
- PayPal – In 2018, researchers found that PayPal’s online discussion forums were vulnerable to XXE attacks, exposing internal files and server details.
- Microsoft Office – XXE bugs in older versions of Microsoft Office allowed attackers to exfiltrate sensitive files via crafted Office documents.
- IBM DataPower – IBM fixed an XXE issue in 2018 affecting IBM DataPower Gateways. Attackers could obtain passwords, keys, and credentials.
These incidents show that XXE vulnerabilities turn up even in the systems of major organizations. Organizations must follow secure development practices to prevent XXE bugs from reaching production.
Summary
XXE attacks abuse weaknesses in XML parser configurations. An attacker can trick vulnerable XML parsers into loading external entities, exposing files, data, and systems. The best way to prevent XXE attacks is to validate and sanitize all XML input, disable external entities, and follow secure coding practices. Defending against XXE requires constant vigilance – organizations should continuously scan for these dangerous flaws using penetration tests and vulnerability assessments.