Recommended
More Related Content
What's hot
What's hot (20)
Similar to OWASP A4 XML External Entities (XXE)
Similar to OWASP A4 XML External Entities (XXE) (20)
Recently uploaded
Recently uploaded (20)
OWASP A4 XML External Entities (XXE)
- 1. OWASP A4 XML External Entities Michael Furman Security Architect
- 2. What will we see today? • What is XML External Entities (XXE) attack • How to prevent it
- 3. About Me • 20+ years in software engineering • 10+ years in application security • 4+ years Lead Security Architect at Tufin • www.linkedin.com/in/furmanmichael/ • ultimatesecpro@gmail.com • Read my blog https://ultimatesecurity.pro/ • Follow me on twitter @ultimatesecpro • I like to travel, read books and listen to music.
- 4. About Tufin • Market Leader in Security Policy Orchestration for firewalls and cloud – New Tufin products integrate security into DevOps pipeline • Established in 2005 • Used in over 2,000 enterprises, including 40 Fortune 100 companies • We are constantly growing! www.tufin.com/careers/
- 5. What is XML? • XML stands for eXtensible Markup Language https://www.w3schools.com/xml/xml_whatis.asp • XML was designed to store and transport data • XML tags are not predefined
- 6. What is XML Entity? • Entities are used to define shortcuts to characters (or words) • Entities can be declared internal, external or predefined • Internal entities declaration: • Usage: <!ENTITY entity-name "entity-value"> <element>&entity-name;</author>
- 7. What is XML Entity? • External entities declaration: • Usage: • Predefined entities: <!ENTITY entity-name SYSTEM "system-identifier"> <element>&entity-name;</author> < > & " '
- 8. Why XML Entity is Dangerous? • An attacker can include hostile content in an XML document. • Can be used to execute different attacks.
- 9. Why XML Entity is Dangerous? • What happens during the parsing of the file? • The parser reads the local file. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:////etc/passwd" >]> <xmlroot><xmlEntry>&xxe;3</xmlEntry></xmlroot>
- 10. Why XML Entity is Dangerous? • What happens during the parsing of the file? • The parser executes the remote HTTP call <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://api.geonames.org/timezoneJSON" >]> <xmlroot><xmlEntry>&xxe;3</xmlEntry></xmlroot>
- 11. Flow of the attack • The attack vector: a web application that accepts XML input and parses it Browser WebServer /etc/passwd XML Parser XML with XXE XXE XML with XXE /etc/passwd/etc/passwd
- 12. Why XML Entity is Dangerous? • The attack allows to read a local file and to send its content to an attacker!
- 13. What is OWASP? • OWASP - Open Web Application Security Project • Worldwide not-for-profit organization • Founded in 2001 • Its mission is to make the software security visible.
- 14. OWASP Top Ten • Most successful OWASP Project • Lists of ten most critical web application security attacks • Released first in 2004 • Released each 3 years • 2007, 2010, 2013, 2017 (current)
- 15. OWASP Top Ten 2017 • A1 Injection • A2 Broken Authentication • A3 Sensitive Data Exposure • A4 XML External Entities • A5 Broken Access Control • A6 Security Misconfiguration • A7 Cross-Site Scripting (XSS) • A8 Insecure Deserialization • A9 Using Components with Known Vulnerabilities • A10 Insufficient Logging & Monitoring
- 16. A4 XML External Entities • Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document. https://www.owasp.org/index.php/Top_10-2017_A4- XML_External_Entities_(XXE) • The attack can be used to • extract data • execute a remote request from the server • scan internal systems • perform a denial-of-service attack • as well as execute other attacks.
- 17. A4 XXE - How to Prevent • Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention'. https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Preventio n_Cheat_Sheet
- 18. How to Prevent - Unmarshaller • Configure Unmarshaller according to https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Preventio n_Cheat_Sheet#Unmarshaller SAXParserFactory spf = SAXParserFactory.newInstance(); spf.setFeature("http://xml.org/sax/features/external-general-entities", false); spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
- 19. How to Prevent - Unmarshaller • Use preconfigured SafeSource https://gitlab.com/ultimatesecpro/xxeprotection Source xmlSource = SafeSource.newInstanceFromXmlContent(xml); final Unmarshaller unmarshaller = JAXBContext. newInstance(SimpleXmlEntry.class).createUnmarshaller(); final SimpleXmlEntry simpleXmlEntry = (SimpleXmlEntry)unmarshaller.unmarshal(xmlSource);
- 20. How to Prevent - DocumentBuilderFactory • Configure DocumentBuilderFactory according to https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat _Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; dbf.setFeature(FEATURE, true); FEATURE = "http://xml.org/sax/features/external-general-entities"; dbf.setFeature(FEATURE, false); ...
- 21. How to Prevent - DocumentBuilderFactory • Use preconfigured SafeDocumentBuilderFactory https://gitlab.com/ultimatesecpro/xxeprotection DocumentBuilder builder = SafeDocumentBuilderFactory.newInstance() .newDocumentBuilder(); Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes()));
- 23. Summary • You know what is XML External Entities (XXE) attack. • You know how to prevent it.
- 24. Thank you! • Contact me – www.linkedin.com/in/furmanmichael/ – ultimatesecpro@gmail.com – https://ultimatesecurity.pro/ – @ultimatesecpro
Editor's Notes
- Hi everyone, Thank you for joining the last lecture for today. What will we see today? I will start by giving you an overview of OpenID Connect. I will describe the OpenID Connect protocol, and will show you how it compares to other protocols. Then, we will review some of OpenID Connect Implementations. Finally, I will show you one of the best OpenID Connect implementations: Keycloak.
- Before we begin, a couple of words about me and the company I work for - Tufin. I have many years of experience in software development. Like most of you here today, I particularly like application security. I started to work in this area more than 10 years ago, and enjoy each day I work on it. For the last few years, I am responsible for the application security of all Tufin products. Recently I have started to write a blog – you are more then welcomed to read it. Something personal: I like traveling, reading books and listening to music. I particularly enjoy listen to jazz.
- And now, a couple of words about Tufin. Tufin is a great company. It is already over 13 years old. We have a lot of customers. Our customers are all around the world: in Israel, USA, Europe, Asia. Some are huge companies, others are much smaller. We have customers in many industries. For example: AT&T, BMW and Visa. Recently we have started to develop products that integrate security into DevOps pipeline. You are more then welcomed to visit our booth. Tufin is always growing. When I joined the company about 5 years ago, it took up only one and half floors. Now it takes up almost 4 floors and that is only in Israel. We have also expanded abroad. We recently opened up a new main office in Boston. We are always looking for good people. We are looking for Java, C++, DevOps people. We are looking for Docker and Kubernetes gurus. You can visit our site to see our open positions in RnD, Sales, Marketing and additional areas.
- Who is the attack target
- Not to use XML Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
- https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration:
- https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration:
- https://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl Default: false
- https://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl Default: false
- Thank you for participating in my lecture! Please contact me if you need any additional information, or if you want to send me your resume.