
Threat Analysis

This video describes Extensible Markup Language (XML), the role of processors, and XML External Entities (XXE).
Welcome to the XML External Entities session. In this first part, we will focus on threat analysis. We will take our time to dig into the XML format, the XML external entities feature, and the details of XXE processing flaws. Then we will discuss how the system can be harmed, the impact of successful exploitation, and give you some insights to identify who may want to harm your system. Let’s do this step by step, starting from the beginning. XML, or Extensible Markup Language, is a markup language that defines a document format that is both human and machine readable. What does it look like? As you surely agree, this is definitely human readable.
We have a books catalogue with two entries: BookID1, the OWASP Top 10 2017 edition with several metadata, and BookID2, just with information about its author and title. This format is also machine readable by a specific type of software: processors. Processors take XML as input, walking through the content to build a structural representation of the input. This representation can be manipulated more easily, for example, for storing data in a database or outputting it in another format such as HTML. While doing this, processors can also do some additional tasks based on the input directives. The XML standard defines a concept called entity, which is a storage unit of some type. External entities point to local or remote content using a URI.
Then the processor is responsible for requesting that URI and replacing occurrences of the named external entity in the document with the retrieved content. This is how it works. We declare our external entity, Desc1, whose contents should be loaded from the description.txt file. The processor requests the file content, and then, by walking through the XML document, whenever the Desc1 entity is found, it gets replaced by the loaded content. You may already know where this will end up. Assuming you are accepting XML file uploads to show their content in your web application, then chances are a malicious user will be able to read arbitrary files from your system using this technique. We will see this in action in the second part.
To exploit XML external entities processing, attackers should be able to upload malicious XML documents, inject hostile data in existing XML templates processed by the system, or use integrated systems and services to retrieve remote hostile data. Abusing vulnerable XML processors may allow attackers to gather local data relative to the system where the processor is running. Since server-side request forgery is also possible, attackers may be able to gather other internal content via HTTP or HTTPS. XXE can also be used to perform port scanning to enumerate and fingerprint other internal systems; such information may allow the attacker to find other vulnerable systems.
Accessing local resources that do not stop returning data, or creating some sort of XML entity circular reference, can lead to denial of service. This attack is commonly referred to as the [INAUDIBLE] attack. It’s also worth mentioning that, under certain circumstances, XXE may allow remote code execution on the system where the XML processor runs. Based on the impact, your threat agents may get access to data, system information, or even control of the system in cases where remote code execution is possible. Your data will always be valuable to someone, either a malicious actor looking for ransom, nation-state competitors, or activists highly motivated to spy on what you’re doing. You’ll find this table in the OWASP Top 10.
Pause the video and take your time to carefully read it. In the next part, we will exploit our target application to reach some sensitive data.
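The entity-replacement flow described above, from the defender's side: before the catalogue reaches a processor, the document is checked for a DTD, any external entity declarations (such as Desc1 pointing at description.txt) are extracted for logging, and only DTD-free input is parsed. This is an added example, not code from the session; the catalogue contents and the guard function names are constructed for illustration.

```python
"""Pre-parse guard for XML uploads: refuse documents that carry a DTD."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two-book catalogue from the session, with the
# external entity declaration the session describes (Desc1 -> description.txt).
HOSTILE_CATALOGUE = b"""<?xml version="1.0"?>
<!DOCTYPE catalogue [
  <!ENTITY Desc1 SYSTEM "description.txt">
]>
<catalogue>
  <book id="BookID1"><title>OWASP Top 10 2017</title><description>&Desc1;</description></book>
</catalogue>"""

# Constructed sample: the same catalogue without any DTD.
SAFE_CATALOGUE = b"""<?xml version="1.0"?>
<catalogue>
  <book id="BookID1"><title>OWASP Top 10 2017</title><author>OWASP</author></book>
  <book id="BookID2"><title>Sample Title</title><author>Sample Author</author></book>
</catalogue>"""

_DOCTYPE = re.compile(rb"<!DOCTYPE\b")
# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "id" "uri">.
_EXT_ENTITY = re.compile(rb'<!ENTITY\s+(\w+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"')


def find_external_entities(data: bytes) -> list[tuple[str, str]]:
    """Return (name, uri) for every external entity declared in the input,
    so a rejected upload can be logged with what it tried to load."""
    return [(m.group(1).decode(), m.group(2).decode()) for m in _EXT_ENTITY.finditer(data)]


def parse_catalogue(data: bytes) -> list[dict[str, str]]:
    """Reject any DTD (external and internal entities alike), then parse.
    Scanning the whole document is deliberately conservative: a literal
    '<!DOCTYPE' inside a CDATA section is also rejected."""
    if _DOCTYPE.search(data):
        raise ValueError(f"DTD not allowed; external entities: {find_external_entities(data)}")
    root = ET.fromstring(data)
    return [
        {"id": b.get("id", ""), "title": b.findtext("title", ""), "author": b.findtext("author", "")}
        for b in root.findall("book")
    ]
```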

In this video, you will see XML examples. XML is a markup language that defines the rules for encoding documents in a way that is readable for humans and machines. You will also learn about the processors that take the input to build a data structure and the role of XXE in this process. Once you understand how XML and XXE work to maintain and access your databases, you will learn how to increase the security of your databases.

This article is from the free online course Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals, created by FutureLearn.