XXE and XEE detection

Ana Gomes / 11.02.2016

0xOPOSEC Meetup

That moment when...

XML input containing a reference to an external entity is processed by a weakly configured XML parser

Snippet

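import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Factory used with its default settings; no parser features are set
DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document doc = db.parse(input);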

Just a document builder parsing an input...

without validation!

Risk 1: XXE

with local file content exposure

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE age [
  <!ELEMENT age ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<age>&xxe;</age>

Risk 2: XEE

with denial of service

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

Risk Mitigation

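import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Ask the JAXP implementation to process XML securely before creating the builder
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(input);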
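
An added example, not from the original slides: what FEATURE_SECURE_PROCESSING restricts is left to the JAXP implementation, so this version goes beyond the slide and also rejects DOCTYPE declarations outright, then runs a benign document and shortened forms of the two risk inputs through the parser. It assumes the JDK's built-in Xerces-based parser for the feature URIs; the class and method names and the sample inputs are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParsing { // illustrative name, not from the slides

    // Builds a parser that refuses any DOCTYPE, which closes both the
    // external-entity (XXE) and nested-entity expansion (XEE) paths.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Assumption: Xerces-style feature URIs; an unsupported feature
        // raises ParserConfigurationException instead of failing silently.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPE support is re-enabled later.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns the root element name, or "REJECTED: ..." when the parser refuses the input.
    static String tryParse(String xml) throws Exception {
        try {
            Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed <" + doc.getDocumentElement().getNodeName() + ">";
        } catch (SAXException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one benign, two shortened from the slides.
        String benign = "<age>42</age>";
        String xxe = "<!DOCTYPE age [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><age>&xxe;</age>";
        String xee = "<!DOCTYPE lolz [<!ENTITY lol \"lol\"><!ENTITY lol2 \"&lol;&lol;\">]>"
                   + "<lolz>&lol2;</lolz>";
        for (String xml : new String[] {benign, xxe, xee}) {
            System.out.println(tryParse(xml));
        }
    }
}
```

Applications that must accept a DOCTYPE cannot use disallow-doctype-decl and have to rely on the entity-related features and the implementation's expansion limits instead.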
