In the new 2017 edition of the OWASP Top 10, XML External Entities (XXE) make their first appearance at #A4 on the list. Qualys is pleased to announce that Qualys Web Application Scanning (WAS) engine 4.4 includes new detection capabilities for XXE vulnerabilities.
About XML External Entities (XXE)
If you’re unfamiliar with XXE, here is a quick overview.
XML is a popular data representation and serialization standard and is widely used by web applications. XML entity is a conveyance mechanism provided by the XML standard to represent special characters, to provide a shortcut to refer to a text snippet within an XML document, and to organize XML data into separate, modular files. With XML entities, an XML document can include text from local or external resources similar to the “#include” macro in the C and C++ programming languages. Support for external entities is especially useful to organize XML into modular files. This is indeed a useful feature in XML and safe to use when the XML data being processed is completely trusted. However, this otherwise useful feature opens the door to serious security issues when applications process user-controlled XML data and don’t take necessary precautions.
An attacker can leverage XXE vulnerabilities to perform various types of attacks on web applications, such as:
- Sensitive data disclosure. If the HTTP response contains the result of the parsed XML, then XXE can be used to gain access to private data from the server. An attacker can send XML containing an entity that references a local file on the server and the content of the file will be returned in the HTTP response.
- Server Side Request Forgery (SSRF). An XXE vulnerability could allow an attacker to send a request causing the web server to access a specific internal API endpoint which is otherwise not publicly accessible. This leads to SSRF attack.
- Denial of Service. An attacker could exploit an XXE vulnerability causing the XML parser to access or process huge or complex streams of data injected via XML entity (e.g. file:///dev/random), leading to high system resource consumption on the server.
- Internal port scanning. An attacker could use XXE to systematically point to different IP addresses and ports on the server’s internal network and measure response times to profile the network and even determine which internal ports are open.
- Server file system profiling. An attacker can test the server’s file system for existence and access permissions of various files on the server by sending XXE probes that refer to different files. Observing the response and their behaviors can be used for additional attacks.
Detecting XXE with Qualys WAS
Here is some information about the new QIDs for XXE now available in Qualys Web Application Scanning (WAS).
QID 150179 has been introduced for blind XXE injection vulnerabilities. With this type of vulnerability, a web application processes external entities in user-controlled data but the HTTP response does not contain the content of the processed XML or any parsing errors. This typically happens when the application is processing XML and consuming the result internally or is suppressing all internal errors. This is referred to as “blind” XXE and can be detected by sending XML with an entity referring to a remote resource. When such XML is processed by a vulnerable application, it attempts to fetch the remote resource, which takes time, so the server’s response takes longer from an attacker’s point of view. The attacker can thus profile HTTP response times for various entities and conclude if the server is vulnerable to XXE injection.
QID 150180 has been introduced for XXE file disclosure. This vulnerability occurs when a web application processes external entities embedded in user-controlled XML data and adds the content of the processed XML to the HTTP response. In this case an attacker sends a specially-crafted external entity referring to a local file on the server. The XML parser resolves the entity and the application includes the content of the local file in the response.
For example, an attacker may send the following XML in the HTTP request:
<?xml version="1.0"?> <!DOCTYPE attackerDTD [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <A>&xxe;</A>
The HTTP response from a vulnerable web application will include the contents of the “/etc/passwd” file on the server. This is obviously quite dangerous and could lead to harmful outcomes.
QID 150181 has been introduced for XXE file inclusion errors. This vulnerability is considered less severe than QID 150180 because the contents of the file are not returned. Instead the XML parser throws an error when it’s not able to access the resource referred to by the entity. Nevertheless, the error message indicates that the attacker-supplied external entity is processed by the application. This behavior could be leveraged by the attacker to determine the existence of various files on the server as well as their access permissions.
What Does This Mean for You?
XXE vulnerabilities in web applications are not new. But now that XXE has been added to the OWASP Top 10, it is sure to garner more attention, and applications will be under increased scrutiny. Be sure to scan using these new QIDs in Qualys WAS to help determine if your applications are vulnerable.
Likewise, development teams at your organization need to be aware and have renewed focus on preventing XXE and remediating existing code. One of the best resources for developers in this arena is the OWASP XXE Prevention Cheat Sheet.