{"id":10113,"date":"2019-01-08T11:30:40","date_gmt":"2019-01-08T11:30:40","guid":{"rendered":"http:\/\/www.esds.co.in\/blog\/?p=10113"},"modified":"2020-01-07T06:36:02","modified_gmt":"2020-01-07T06:36:02","slug":"know-how-to-prevent-your-application-from-an-xxe-xml-external-entity-attack","status":"publish","type":"post","link":"https:\/\/www.esds.co.in\/blog\/know-how-to-prevent-your-application-from-an-xxe-xml-external-entity-attack\/","title":{"rendered":"Know How to Prevent Your Application from an XXE (XML External Entity) Attack"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_an_XXE_XML_External_Entity_attack\"><\/span><strong>What is an XXE (XML External Entity) attack?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p style=\"text-align: justify;\">Any application that parses XML input can become prey to an XXE (XML External Entity) attack. A weakly configured XML parser is vulnerable because it becomes open to the attack when it processes XML input that references an external entity. An XXE attack can lead to disclosure of confidential data, denial of service (DoS), port scanning from the machine that hosts the parser, and server-side request forgery, all with severe impacts. 
The XML standard (version 1.0) defines the term \u2018entity\u2019 as a storage unit of a particular type.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Entities come in several types, such as parameter entities, parsed entities and external general entities (abbreviated \u2018external entities\u2019). An external entity can dereference (access) remote and local content through a system identifier. The XML processor accesses that URL\/URI while processing the external entity and then substitutes every reference to the named external entity with the content fetched through the system identifier. If the data behind the system identifier is malicious, the XML processor can reveal confidential information after dereferencing it. Usually this sensitive information is not exposed by the application, but the attack makes it reachable. Similar external resource injection attacks are possible wherever external stylesheets, schemas, DTDs (Document Type Definitions), etc. are used.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"536\" src=\"https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2019\/05\/XXE-banner-1024x536-1-1024x536.jpg\" alt=\"\" class=\"wp-image-10119\" srcset=\"https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2019\/05\/XXE-banner-1024x536-1.jpg 1024w, https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2019\/05\/XXE-banner-1024x536-1-150x79.jpg 150w, https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2019\/05\/XXE-banner-1024x536-1-300x157.jpg 300w, https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2019\/05\/XXE-banner-1024x536-1-660x345.jpg 660w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify;\">The attacks can compromise and reveal local files containing sensitive data, such as a user\u2019s private data or passwords, by using file schemes or relative paths in the system identifier. An attacker can use the trusted application to pivot to other internal systems, possibly exposing further confidential content, by initiating a CSRF attack against any one of the insecure internal services or through HTTP(S) requests.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Some attacks also target XML processor libraries that are susceptible to client-side memory corruption issues. Such libraries can be exploited when they access a malicious URL\/URI, and the exploitation may lead to arbitrary code execution under the account of that application.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Further, other attacks can access local resources that continuously return data, eventually causing a blockage. This impacts the availability of application resources: many instances\/processes\/threads become engaged and are never released, creating a shortage that causes the application to hang. 
An attacker can also exploit the application even when it returns no response to them; the application is still vulnerable and can reveal secret information. The attacker can also leverage DNS to extract data, transferring it via subdomains to a DNS server that the attacker controls.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_recognise_XXE_vulnerabilities\"><\/span><strong>How to recognise XXE vulnerabilities?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p style=\"text-align: justify;\">The essential yet straightforward answer is to find the endpoints or code paths that require XML input to function. But there are always exceptions: the endpoints that visibly accept XML input are not the only entry points for attackers. You must also consider situations where the client accesses the services using only JSON (the server may still accept XML). For such cases, a quality analyst needs to validate the application\u2019s behaviour by trying various inputs, checking its response while changing the HTTP method, Content-Type, parameters, etc. If the application parses such malicious inputs without complaint, it is vulnerable to XXE attacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Few_Techniques_to_Prevent_the_XXE_Attacks\"><\/span><strong>A Few Techniques to Prevent XXE Attacks<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p style=\"text-align: justify;\">Now that we know what an XXE attack is and how to identify it, we should also be aware of some techniques to prevent it. XXE is dangerous and has existed for quite a few years, but it has only recently gained attention. 
It is listed in the OWASP Top 10 list of application security risks that you should beware of.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Let_us_have_a_look_at_the_techniques_which_you_can_use_to_prevent_the_XXE_attack\"><\/span><strong>Let us have a look at the techniques you can use to prevent XXE attacks<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul><li><p style=\"text-align: justify;\">Use simpler data formats such as JSON where possible. Adopting JSON\/PJSON is easiest when creating a new service or app; replacing the code in existing applications is a more tedious job. Most microservices and APIs are turning towards JSON\/PJSON as an efficient alternative to XML.<\/p><\/li> <li><p style=\"text-align: justify;\">Keeping the libraries used by the application up to date with security patches is essential. After updating, make sure that no change broke the application or hampered its functionality; verifying proper functioning through regression testing is crucial.<\/p><\/li> <li><p style=\"text-align: justify;\">Disable XML external entity and DTD processing in all the XML parsers of that particular application. But be cautious: first ensure that they aren\u2019t required anywhere else in your app.<\/p><\/li> <li><p style=\"text-align: justify;\">The last solution in this list is to implement whitelist filtering, server-side input validation, or sanitisation that can block hostile data inside the XML header, documents, or nodes.<\/p><\/li><\/ul>\n\n\n\n<p><strong>To conclude<\/strong><\/p>\n\n\n\n<p style=\"text-align: justify;\">These were the details about XXE (XML External Entity) attacks. We hope you have learned about them and that these tips come in handy. 
If not, getting help from an <a href=\"https:\/\/esds.co.in\/security\/vtmscan\"><strong>Expert on Security<\/strong><\/a> is always recommended<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is an XXE (XML External Entity) attack? Any application that parses XML input can become prey for an XXE (XML External Entity) attack. An XML parser of a weak configuration is more vulnerable to such attack because it becomes open to threats when it processes the XML input having a reference to an external&#8230; <\/p>\n<div class=\"clear\"><\/div>\n<p><a href=\"https:\/\/www.esds.co.in\/blog\/know-how-to-prevent-your-application-from-an-xxe-xml-external-entity-attack\/\" class=\"gdlr-button small excerpt-read-more\">Read More<\/a><\/p>\n","protected":false},"author":81,"featured_media":10116,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1271],"tags":[1914,1915,1916,1936,1910,1911,1921,1937,1938,1939,1926,1941,1940,1942],"class_list":["post-10113","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-2","tag-esds-vtmscan","tag-esds-vtmscan-detection-technique","tag-esds-vtmscan-virus-scanner","tag-esds-vtmscan-vulnerability","tag-features-of-esds-vtmscan","tag-freescan-owasp-audit","tag-malware-blacklist-esds-vtmscan","tag-owasp","tag-vtm","tag-vtm-scanner","tag-vtmscan-vulnerability-scanner","tag-xml-external-entity","tag-xxe","tag-xxe-attack"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts\/10113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"
author":[{"embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/users\/81"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/comments?post=10113"}],"version-history":[{"count":8,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts\/10113\/revisions"}],"predecessor-version":[{"id":11127,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts\/10113\/revisions\/11127"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/media\/10116"}],"wp:attachment":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/media?parent=10113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/categories?post=10113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/tags?post=10113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}