Mitigation

Welcome to the third and last part of XML External Entities session. In this part, we will discuss XML external entities flaws mitigation. We will start discussing what makes an application vulnerable, and then we will hunt OWASP Juice Shop vulnerable source code. Before closing the session, we will discuss how to avoid such vulnerabilities. If an application accepts XML directly, allows XML file uploads, or arbitrary input data to be inserted into XML templates later parsed by an XML processor, then it might be vulnerable. If any of the XML processors in the application, or other integrated services, is outdated or has DTD, Document Type Definition, enabled, then the application may be vulnerable or at risk. Security assertion markup language uses XML.

If you’re using it for single signon, then your application may be vulnerable. SOAP prior to version 1.2, when XML entities are passed to the SOAP framework, are likely vulnerable to XXE. Let’s have a look at the source code. From project page, we can jump directly to the GitHub repo and find the file upload route.

This is a function that handles the XML upload.

XMLdoc is the result of calling parse XML function passing in the Upload File content.

Several options are passed to the function, noent is the most suggestive one. Let’s find package documentation and see what this option does.

The XML processor is part of the libxmljs2 package.

Parsecs ML string function sounds like what we are looking for. Let’s see what options does it accept.

The noent option: when set to true, entities’ occurrences will be replaced by the content they hold, previously retrieved by the processor from the resource they point to. This is what makes Juice Shop vulnerable. It should be set to false to prevent XXE attacks.

Make sure that all XML processors and libraries in use by the application or on the underlying operating system are up to date and latest security patches were applied. Upgrade SOAP to SOAP 1.2 or higher. Disable XML External Entities and document type definition features in all XML processors. Check the OWASP cheat sheet XXE Prevention to get more details on how to do it for several programming languages and frameworks. Proper server-side input validation, filtering, and sanitisation are mandatory to prevent hostile data to be included in XML documents, headers, or other integrated systems. In our next session, we will discuss broken access control flaws. Until then, take your time to carefully read the XML External Entities section of OWASP Top 10.