Corgea LogoCorgea Security Hub

CWE-827: Improper Control of Document Type Definition

Learn about CWE-827 (Improper Control of Document Type Definition), its security impact, exploitation methods, and prevention guidelines.

What is Improper Control of Document Type Definition?

• Overview: Improper Control of Document Type Definition (CWE-827) occurs when software does not properly restrict references to Document Type Definitions (DTDs), allowing attackers to manipulate these references and potentially execute malicious actions.

• Exploitation Methods:

  • Attackers can exploit this by injecting or referencing malicious DTDs that the application processes, leading to unintended behavior.
  • Common attack patterns include XML External Entity (XXE) attacks, where malicious XML content is used to access sensitive files or perform unauthorized requests.

• Security Impact:

  • Direct consequences include unauthorized access to sensitive files, excessive resource consumption, and execution of unwanted HTTP requests.
  • Potential cascading effects involve denial of service, data breaches, and system compromise.
  • Business impact may involve loss of customer trust, legal repercussions, and financial losses due to downtime or data breaches.

• Prevention Guidelines:

  • Disable DTD processing in XML parsers where possible to prevent unwanted DTD references.
  • Use secure parsing libraries and frameworks that are updated to handle such vulnerabilities.
  • Validate and sanitize all XML inputs rigorously to ensure no malicious content can be processed.
  • Employ security mechanisms like XML firewalls or WAFs to monitor and block suspicious XML traffic.
Corgea can automatically detect and fix Improper Control of Document Type Definition in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: XML

Affected Technologies: Not specified

Vulnerable Code Example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note SYSTEM "http://example.com/external.dtd">
<note>
    <to>User</to>
    <from>Admin</from>
    <heading>Reminder</heading>
    <body>Don't forget the meeting at 10am.</body>
</note>

Explanation:

  • Line 2: The <!DOCTYPE note SYSTEM "http://example.com/external.dtd"> declaration allows the XML parser to load an external DTD. This can lead to several security issues:
    • File Disclosure: An attacker can craft a malicious DTD to access sensitive files on the system.
    • Denial of Service: By referencing large external DTDs, an attacker could exhaust system resources.
    • SSRF (Server-Side Request Forgery): The parser could be tricked into making HTTP requests to unintended endpoints.

How to fix Improper Control of Document Type Definition?

To mitigate this vulnerability, it is crucial to:

  1. Disable external DTD processing: This prevents the XML parser from accessing external resources.
  2. Use secure parser configurations: Ensure that the parser is configured to restrict external entities and DTDs.
  3. Validate and sanitize input: Always validate XML input against a known schema without external dependencies.

In Java, for example, you can configure the XML parser to disable DTDs and external entities by setting appropriate features on the DocumentBuilderFactory.

Fixed Code Example

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;
import java.io.File;

public class SecureXMLParser {
    public Document parseXML(String xmlFile) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Disable DTDs (do not load external DTDs)
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Disable external entities
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new File(xmlFile));
    }
}

Explanation:

  • Line 3: Disables the use of DOCTYPE declarations in the XML, which prevents the parser from processing both internal and external DTDs.
  • Lines 4-5: Disables the processing of external general and parameter entities to mitigate potential SSRF attacks.
  • Overall: These configurations ensure that the XML parser is secured against CWE-827 vulnerabilities by preventing exploitation through external DTDs or entities. The use of setFeature instead of setAttribute is the correct approach for configuring parser features in Java.

By following these steps, the XML parser is protected from external entity injection and other related vulnerabilities.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-827: Improper Control of Document Type Definition and get remediation guidance

Start for free and no credit card needed.