• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!


XML External Entities

Page history last edited by Robert Auger 14 years, 4 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-43


XML External Entities (XXE) Attack

This technique takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to an URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data, alternate referrals or may compromise the security of the data the server/XML application has access to.

In the example below, the attacker takes advantage of an XML Parser's local server access privileges to compromise local data:


<!DOCTYPE root 
<!ENTITY foo SYSTEM "file:///c:/winnt/win.ini">

How it works:

1. The application expects XML input with a parameter called "in". This parameter is later embedded in the application's output.

2. The application typically invokes an XML parser to parse the XML input (if the application is a web service that uses a framework such as .NET, then this happens automatically courtesy of the underlying web services framework).

3. The XML parser expands the entity "foo" into its full text, from the entity definition provided in the URL. Here the actual attack takes place.

4. The Application embeds the input (parameter "in", which contains the win.ini file) to the web service response.

5. The web service echoes back the data.

Attackers may also use External Entities to have the web services server download malicious code or content to the server for use in secondary or follow on attacks.



XXE (Xml eXternal Entity) Attack

[1] http://www.securiteam.com/securitynews/6D0100A5PU.html


Adobe Reader XML External Entity Attack

[2] http://shh.thathost.com/secadv/adobexxe/


Threat Protection in a Service Oriented World, Andre Yee CEO NFR Security

[3] http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf


Attacking and Defending Web Services, By Pete Lindstrom Research Director Spire Security, LLC

[4] http://www.forumsys.com/resources/resources/whitepapers/Attacking_and_Defending_WS.pdf


The SOA/XML Threat Model and New XML/SOA/Web 2.0 Attacks & Threats (Defcon 15), Steve Orrin, Dir of Security Solutions, SSG-SPI Intel Corp.

[5] http://www.safesoa.org/data/dc-15-Orrin-v2.pdf


Comments (0)

You don't have permission to comment on this page.