Definition
XML external entity (XXE) injection is a web application vulnerability in which an attacker interferes with how the application processes XML data. The attack succeeds when an insecurely configured XML parser accepts attacker-supplied XML whose DOCTYPE declares an external entity, and then resolves that entity (for example, reading a local file or fetching a URL) while expanding the document.
Types of XML External Entity Attacks
- In-band: the result of the entity expansion (for example, the contents of a local file) is returned directly in the application's response, so the attacker sees it immediately. This is the more common and the easier form to exploit.
- Out-of-band (blind XXE): the application's response does not reveal the expanded entity. The attacker instead forces the parser to make an outbound request (typically HTTP or DNS) to a server they control, or provokes a parser error that includes the data, in order to confirm the vulnerability and exfiltrate data.
Example of a Real-life XML External Entity Attack
In 2017, Check Point researchers reported XXE vulnerabilities in several Android development and reverse-engineering tools. The issues could have exposed sensitive files and, in the case of APKTool, allowed an attacker to take over the system running the tool by feeding it a malicious file.
Preventing XXE Attacks
- Disable DTD processing entirely where possible; if DTDs are genuinely needed, explicitly disable the resolution of external general and parameter entities in the parser's configuration (the exact setting depends on the parser and language, and defaults vary between libraries and versions).
- Monitor runtime behaviour by adding checkpoints (logging or assertions) around XML parsing so that unexpected entity resolution, file reads or outbound connections are detected.
- Use security tooling such as a web application firewall (WAF) to block known payloads and dynamic application security testing (DAST) to find XXE before attackers do; treat these as defence in depth rather than a substitute for hardening the parser.
- Apply broader hardening: handle parse errors without echoing parser output to the client, run the application with the least privilege it needs so that a file read leaks as little as possible, validate and restrict the input you accept, require authentication and use encryption on XML endpoints, and restrict the server's outbound DNS and network traffic to cut off out-of-band exfiltration.
How Do XXE Vulnerabilities Occur?
Some applications transmit data between the browser and the server in XML format. Applications that do this almost always rely on a platform API or standard library to parse the XML on the server side. XXE vulnerabilities arise because the XML specification includes potentially dangerous features, such as DTDs and external entities, that standard parsers support (often by default) even when the application never uses them.
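To make the parser-configuration point concrete, here is an added example (not code from the original page) using Python's standard-library xml.sax, which wraps the expat parser. It parses the classic in-band payload twice: once with external general entities enabled, which is how a vulnerable parser behaves (CPython has disabled this by default since 3.7.1, so the example turns it on explicitly to show the effect), and once with a hardened configuration that both leaves external entities off and rejects any DOCTYPE through a lexical handler. The target file, its contents and the element names are constructed for the demonstration; in a real attack the entity would point at something like file:///etc/passwd.

```python
import io
import tempfile
from pathlib import Path
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class TextCollector(ContentHandler):
    """Gathers the character data the parser delivers, i.e. what the
    application would see as element text (and reflect to the client)."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class RejectDoctype:
    """Lexical handler: any DOCTYPE (and therefore any entity declaration)
    aborts the parse. This is the 'disable DTDs' control in its simplest form."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse_text(xml_bytes, resolve_external_entities=False):
    """Parse XML bytes and return the concatenated element text.

    resolve_external_entities=True reproduces the vulnerable configuration:
    expat is allowed to fetch SYSTEM entities (local files or URLs).
    The default reproduces the hardened one: no external entities at all,
    and no DOCTYPE either."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    if not resolve_external_entities:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_payload(file_uri):
    """Classic in-band XXE payload: the entity's value is the target file and
    it is referenced inside an element the application echoes back."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE order [\n'
        b'  <!ENTITY xxe SYSTEM "' + file_uri.encode() + b'">\n'
        b']>\n'
        b'<order><productId>&xxe;</productId></order>'
    )


def demo():
    """Return (leaked_text, hardened_error).

    A temporary file with a constructed secret stands in for /etc/passwd so
    the example runs anywhere without touching real system files."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = Path(tmp) / "db.conf"            # constructed target
        secret_path.write_bytes(b"DB_PASSWORD=hunter2")  # constructed secret
        payload = xxe_payload(secret_path.as_uri())

        # Vulnerable parser: the file contents come back as element text.
        leaked = parse_text(payload, resolve_external_entities=True)

        # Hardened parser: the DOCTYPE is refused before any entity is seen.
        try:
            parse_text(payload, resolve_external_entities=False)
            hardened_error = None
        except ValueError as exc:
            hardened_error = str(exc)
    return leaked, hardened_error


if __name__ == "__main__":
    leaked, err = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser raised:", err)
```

The hardened path deliberately fails closed: a document that carries a DOCTYPE is rejected outright rather than silently parsed with the entity left empty, which makes injection attempts visible in error logs and removes the parser's DTD attack surface entirely. Other parsers expose the equivalent switches under different names (for example, the disallow-doctype-decl feature in Java's SAX/DOM parsers), so check the documentation for the library your application actually uses rather than assuming a safe default.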
What is the Impact of XXE Attacks?
- Disclosure of local files: an attacker declares an external entity whose system identifier is a file path or file: URI, and the parser substitutes the file's contents into the document, exposing sensitive data.
- Expanding the attack: XXE affects any application that processes attacker-influenced XML, and the entity's system identifier can name a URL rather than a file. Attackers can use such trusted applications to reach other systems and spread within the environment.
- Remote code execution: if the XML processing library itself contains a memory-corruption bug, a crafted URI or entity can trigger it and execute arbitrary code with the privileges of the application's account.
- Loss of availability: an external entity can point at a local resource that never stops producing data (for example, a device file that never reaches end-of-file), tying up parser threads or processes. If the application does not release them, it becomes unresponsive.