CWE-611: Improper Restriction of XML External Entity Reference
Learn about CWE-611 (Improper Restriction of XML External Entity Reference), its security impact, exploitation methods, and prevention guidelines.
What is Improper Restriction of XML External Entity Reference?
• Overview: This vulnerability occurs when an XML parser processes an XML document containing references to external entities, which can be manipulated by attackers to access unauthorized files or resources.
• Exploitation Methods:
- Attackers can exploit this by defining an external entity in an XML document that references a file or resource using a URI scheme like file:// or http://.
- Common attack patterns include reading sensitive local files, forcing the application to make network requests, and exfiltrating data through error messages.
• Security Impact:
- Direct consequences include unauthorized access to sensitive files or data leakage.
- Potential cascading effects include network reconnaissance, bypassing firewalls, and launching further attacks from within the network.
- Business impact can be significant, leading to data breaches, loss of trust, regulatory fines, and financial losses.
• Prevention Guidelines:
- Specific code-level fixes include disabling DTD processing or configuring the XML parser to disallow external entities.
- Security best practices involve validating and sanitizing XML input, using libraries or parsers with secure defaults, and applying the principle of least privilege.
- Prefer XML libraries and parsers that offer secure parsing options, ideally ones that disable external entity resolution by default.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: XML
Affected Technologies: Web Based
Vulnerable Code Example
Java Example
// XMLProcessor.java
// Imports for processing XML documents
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class XMLProcessor {
    public void processXML(String xmlFile) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Vulnerable configuration: the factory is used with its defaults,
        // so DOCTYPE declarations and external entities are resolved
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(xmlFile);
        // Process the XML document
    }
}
Explanation
In this vulnerable example, the DocumentBuilderFactory is used without disabling the processing of external entities. This default behavior can allow an attacker to exploit XML External Entity (XXE) vulnerabilities, potentially leading to the disclosure of sensitive information or denial-of-service attacks by accessing external resources referenced in the XML.
How to fix Improper Restriction of XML External Entity Reference?
Fixed Code Example
// XMLProcessor.java
// Imports for processing XML documents
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class XMLProcessor {
    public void processXML(String xmlFile) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Secure configuration: disable external DTDs and entities to prevent XXE attacks
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(xmlFile);
        // Process the XML document
    }
}
Explanation
In the fixed example, the DocumentBuilderFactory is securely configured to prevent the processing of external DTDs and entities. This mitigates the risk of XXE vulnerabilities by ensuring that the XML parser does not attempt to load external resources, thus protecting against potential attacks.