Project: WASC Threat Classification
Threat Type: Attack
Reference ID: WASC-43
XML External Entities (XXE) Attack
This technique takes advantage of a feature of XML that lets documents be built dynamically at the time of processing. An XML message can either provide data explicitly or point to a URI where the data exists. In the attack, an attacker-supplied external entity declaration makes the parser replace the entity reference with whatever it fetches from that URI: malicious data, an alternate referral, or data that the server or XML application has access to but the attacker does not, thereby compromising its confidentiality.
In the example below, the attacker takes advantage of the XML parser's local file-system access on the server to read local data:
...
<!DOCTYPE root
[
<!ENTITY foo SYSTEM "file:///c:/winnt/win.ini">
]>
...
<in>&foo;</in>
How it works:
1. The application expects XML input with a parameter called "in". This parameter is later embedded in the application's output.
2. The application invokes an XML parser to parse the XML input (if the application is a web service built on a framework such as .NET, this happens automatically courtesy of the underlying web services framework).
3. The XML parser expands the entity "foo" into its full text, which it fetches from the URI given as the SYSTEM identifier in the entity declaration. This is where the actual attack takes place.
4. The application embeds the input (parameter "in", which now contains the contents of win.ini) into the web service response.
5. The web service echoes the data back to the attacker.
Attackers may also use external entities to make the web services server download malicious code or content for use in secondary or follow-on attacks.