OWASP Top 10: XML External Entities (XXE) Vulnerability

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the ten most critical security risks to web applications. Learn more about the OWASP Top 10 through this series of short blog posts.


OWASP Top 10 - XML External Entities (XXE) Vulnerability


What is XXE?


XXE is a web security vulnerability that arises when an application parses XML input from untrusted sources with a weakly configured XML parser. It allows an attacker to interfere with the application's processing of XML data. XXE injection exploits CWE-611 (improper restriction of XML external entity reference) and CWE-827 (improper control of document type definition).


This attack can be used to retrieve local files, exfiltrate data out of band, extract data through error messages, cause denial of service, perform server-side request forgery, and scan ports from the machine on which the parser runs.



How do XXE attacks impact business?


Depending on the type of XXE attack, confidentiality, integrity and availability can all be affected, through information leakage, disclosure of confidential data, data exfiltration, remote code execution and denial of service.


Some applications that have reported XXE vulnerabilities


  • An XXE vulnerability in IBM QRadar could expose sensitive information or consume memory resources (CVE-2020-4509)

  • The Palo Alto Networks Panorama management service was found vulnerable by the company's internal security team; the vulnerability may allow a remote attacker with network access to the Panorama interface to read arbitrary files on the system (CVE-2020-2012)

  • A vulnerability in the web UI of Cisco SD-WAN vManage software could allow an authenticated remote attacker to gain read and write access to information stored on the affected system (CVE-2020-3405)


How to prevent XXE attacks?

  • Train developers to identify and mitigate XXE

  • Prefer simpler data formats such as JSON where possible, and avoid serializing sensitive data

  • Disable XML external entities and document type definition (DTD) processing in all XML parsers

  • In accordance with OWASP XXE prevention guidance, patch or upgrade all XML processors and libraries used by the application and the underlying operating system. Use dependency checkers, and use SOAP 1.2 or higher

  • Implement positive (whitelist) server-side input validation, filtering or sanitization to prevent hostile data within XML documents, HTTP headers or nodes

  • Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar

  • Perform manual code review alongside SAST (static application security testing) tools to help detect XXE

  • As part of defense in depth, deploy an API security gateway and web application firewalls to detect, monitor and block XXE attacks
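The "disable external entities and DTD processing" recommendation above is the core control, and it is easy to get subtly wrong. The following is an added example, written for this post and not taken from OWASP or any vendor advisory, of what that control looks like in code using only the Python standard library. It enforces a simple policy that a DTD is not part of the document's contract at all: the raw bytes are screened with an expat parser whose handlers reject any DOCTYPE or entity declaration and refuse to fetch any external entity, and only documents that pass are handed to the application's real parser. The same idea is what Java's `disallow-doctype-decl` feature expresses. The function names (`check_no_dtd`, `parse_untrusted_xml`, `is_accepted`) and the sample documents are constructed for this illustration.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or any entity declaration."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # expat calls this as soon as it sees <!DOCTYPE ...>; refuse the whole document,
    # whether the DTD is inline or referenced by a system/public identifier.
    raise DtdNotAllowed(f"DOCTYPE '{doctype_name}' is not allowed in untrusted input")


def _reject_entity_decl(name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # An entity declaration can only appear inside a DTD, so the DOCTYPE handler
    # already fires first; a separate handler keeps the policy explicit and also
    # covers purely internal entities used for entity-expansion denial of service.
    raise DtdNotAllowed(f"entity declaration '{name}' is not allowed in untrusted input")


def _refuse_external_entity(context, base, system_id, public_id):
    # Returning 0 tells expat to abort the parse instead of fetching the resource.
    return 0


def check_no_dtd(data: bytes) -> None:
    """Screen raw XML bytes against the no-DTD policy.

    Raises DtdNotAllowed if a DOCTYPE or entity declaration is present and
    expat.ExpatError if the document is not well-formed.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _refuse_external_entity
    # Never read parameter entities, so an external DTD subset is never fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source only after it passes the no-DTD screen."""
    check_no_dtd(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document is well-formed and DTD-free, False otherwise."""
    try:
        parse_untrusted_xml(data)
    except (DtdNotAllowed, expat.ExpatError, ET.ParseError):
        return False
    return True


# Constructed sample inputs for this illustration (not taken from any real system).
BENIGN_ORDER = b"<order><item>42</item></order>"
EXTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
    b"<order><item>&ext;</item></order>"
)
INTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE order [<!ENTITY a "x">]>'
    b"<order><item>&a;</item></order>"
)

if __name__ == "__main__":
    samples = [
        ("benign order", BENIGN_ORDER),
        ("external entity", EXTERNAL_ENTITY_DOC),
        ("internal entity", INTERNAL_ENTITY_DOC),
    ]
    for label, doc in samples:
        print(f"{label}: {'accepted' if is_accepted(doc) else 'rejected'}")
```

Rejecting the document outright, rather than trying to strip or neutralize entities, is deliberate: it is the behaviour that is easiest to reason about, it covers both the external-entity and the entity-expansion cases with one rule, and a rejected request is a clean signal to log and alert on at the gateway or WAF layer mentioned in the last bullet.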


Interested in learning how to know if your organization is vulnerable to XXE attacks? Drop us a note now at sales@siemba.io