What is XML External Entity Injection

Summary

The XML processor used in FGAdminController.java:58 does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attackUsing XML processors that do not prevent nor limit external entities resolution can expose the application to XML External Entities attacks.

Explanation

XML External Entities attacks benefit from an XML feature to build documents dynamically at the time of processing. An XML entity allows inclusion of data dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the application to XML External Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.

The following XML document shows an example of an XXE attack.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>

This example could crash the server (on a UNIX system), if the XML parser attempts to substitute the entity with the contents of the /dev/random file.

Recommendation

To avoid XXE injections, the XML unmarshaller or REST framework should be configured securely so that it does not allow external entities as part of an incoming XML document.

For JAX-RS Jersey implementation add the following configuration to your web.xml file (Note: Jersey implementation is secure by default):

<web-app>
...
<init-param>
<param-name>com.sun.jersey.config.feature.DisableXmlSecurity</param-name>
<param-value>false</param-value>
</init-param>
...
</web-app>

For JAX-RS RESTEasy implementation add the following configuration to your web.xml file (Note: RESTEasy implementation is insecure by default):

<web-app>
...
<context-param>
<param-name>resteasy.document.expand.entity.references</param-name>
<param-value>false</param-value>
</context-param>
...
</web-app>

Tips

JAX-RS Jersey Implementation is configured securely by default so there is no need to configure it explicitly. If this is the case, please disregard this issue.

What is XML External Entity Injection

MRunal

Jun 21, 2019·2 min read

Summary

Explanation

Recommendation

Tips

MRunal

Blogger | Security Researcher | Digital forensic analyst | Twitter — @mrunal110

More from MRunal

Blogger | Security Researcher | Digital forensic analyst | Twitter — @mrunal110

More From Medium

What is XSS

Some Amazingly Awesome Open Source Editors You Can Use as a Developer

Visualizing Networks in Python

How Salesforce Helps Protect You From Session Hijacking Threats

How to Bypass Selenium Drag & Drop Bug in Python

Create an Array of Alphabet characters in JavaScript with this simple trick

9 Ways to Incentivize Bug-Fix Teams

what is Parameter Tampering

About
Help
Legal

About

Help

Legal

Get the Medium app