Mitigation

In this video, you will learn about flaw mitigation processes for XXE.
Welcome to the third and last part of the XML External Entities session. In this part, we will discuss XML external entities flaw mitigation. We will start by discussing what makes an application vulnerable, and then we will hunt the OWASP Juice Shop vulnerable source code. Before closing the session, we will discuss how to avoid such vulnerabilities.

If an application accepts XML directly, allows XML file uploads, or allows arbitrary input data to be inserted into XML templates later parsed by an XML processor, then it might be vulnerable. If any of the XML processors in the application, or other integrated services, is outdated or has DTD (Document Type Definition) enabled, then the application may be vulnerable or at risk. Security Assertion Markup Language (SAML) uses XML: if you're using it for single sign-on, then your application may be vulnerable. SOAP prior to version 1.2 is likely vulnerable to XXE when XML entities are passed to the SOAP framework.

Let's have a look at the source code. From the project page, we can jump directly to the GitHub repo and find the file upload route. This is the function that handles the XML upload. xmlDoc is the result of calling the parse XML function, passing in the uploaded file content. Several options are passed to the function; noent is the most suggestive one. Let's find the package documentation and see what this option does. The XML processor is part of the libxmljs2 package. The parseXmlString function sounds like what we are looking for. Let's see what options it accepts.

The noent option: when set to true, entity occurrences will be replaced by the content they hold, previously retrieved by the processor from the resource they point to. This is what makes Juice Shop vulnerable. It should be set to false to prevent XXE attacks.

Make sure that all XML processors and libraries in use by the application or on the underlying operating system are up to date and that the latest security patches have been applied. Upgrade SOAP to SOAP 1.2 or higher. Disable XML External Entities and Document Type Definition features in all XML processors. Check the OWASP XXE Prevention cheat sheet for more details on how to do it for several programming languages and frameworks. Proper server-side input validation, filtering, and sanitisation are mandatory to prevent hostile data from being included in XML documents, headers, or other integrated systems. In our next session, we will discuss broken access control flaws. Until then, take your time to carefully read the XML External Entities section of the OWASP Top 10.
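As an added defensive example (not Juice Shop's or libxmljs2's own code), here is the entity-expanding option set the video points at beside a hardened one, plus a server-side gate that refuses any upload carrying a DTD before a parser ever sees it. The dtdload, dtdvalid and nonet flag names are assumed to exist in libxmljs2 alongside the noent flag the video discusses.

```javascript
// Added example, not code from Juice Shop or libxmljs2. Shows the option set
// that makes parseXmlString() expand entities beside a hardened one, and a
// pre-parse gate that refuses uploads carrying a DTD at all.
// Assumed: libxmljs2 accepts libxml2-style flags dtdload/dtdvalid/nonet in
// addition to the noent flag discussed in the video.

// The Juice Shop upload route passes noent: true, which tells the parser to
// replace every entity reference with the content it resolves to.
const VULNERABLE_PARSE_OPTIONS = { noent: true };

// Hardened equivalent: never substitute entities, never load or validate
// against a DTD, and forbid any network fetch during parsing.
const HARDENED_PARSE_OPTIONS = {
  noent: false,    // from the video: the fix is noent = false
  dtdload: false,  // assumed flag name
  dtdvalid: false, // assumed flag name
  nonet: true,     // assumed flag name
};

// Entity declarations can only appear inside a DOCTYPE, so refusing any
// document that declares one removes internal and external entities alike,
// independently of which parser flags are in effect. The match is
// case-insensitive and deliberately does not skip comments or CDATA:
// rejecting a benign upload is the safe failure mode, letting a declaration
// through is not.
function containsDtd(xmlText) {
  return /<!(DOCTYPE|ENTITY)\b/i.test(xmlText);
}

// Server-side validation for an uploaded XML file (string or Buffer).
// Returns the decision and, when accepted, the options to parse with.
function checkXmlUpload(upload, maxBytes = 100 * 1024) {
  const text = Buffer.isBuffer(upload) ? upload.toString('utf8') : String(upload);
  if (Buffer.byteLength(text, 'utf8') > maxBytes) {
    return { ok: false, reason: 'upload exceeds size limit' };
  }
  if (containsDtd(text)) {
    return { ok: false, reason: 'DTD and entity declarations are not accepted' };
  }
  return { ok: true, options: HARDENED_PARSE_OPTIONS };
}

// Constructed samples, not real uploads. The second declares an external
// entity the way an XXE probe would; the gate rejects it before any parser runs.
const BENIGN_XML = '<?xml version="1.0"?><order><item>apple juice</item></order>';
const XXE_SHAPED_XML =
  '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>' +
  '<order><item>&ext;</item></order>';

console.log(checkXmlUpload(BENIGN_XML).ok);     // true
console.log(checkXmlUpload(XXE_SHAPED_XML).ok); // false
```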

We will start by explaining what makes the OWASP Juice Shop application vulnerable. You will watch a demonstration that will show you how to identify these vulnerabilities by looking at the source code.

Investigate and share: In the first XXE video we looked at this OWASP table on XXE. Take some time now to review the table and additional information. What do you think are the key points to remember from this page?

This article is from the free online course Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals, created by FutureLearn - Learning For Life.