2. What will we see today?
• What an XML External Entities (XXE) attack is
• How to prevent it
3. About Me
• 20+ years in software engineering
• 10+ years in application security
• 4+ years Lead Security Architect at Tufin
• www.linkedin.com/in/furmanmichael/
• ultimatesecpro@gmail.com
• Read my blog https://ultimatesecurity.pro/
• Follow me on twitter @ultimatesecpro
• I like to travel, read books and listen to music.
4. About Tufin
• Market Leader in Security Policy Orchestration for firewalls and cloud
– New Tufin products integrate security into the DevOps pipeline
• Established in 2005
• Used in over 2,000 enterprises, including 40 Fortune 100 companies
• We are constantly growing!
www.tufin.com/careers/
5. What is XML?
• XML stands for eXtensible Markup Language
https://www.w3schools.com/xml/xml_whatis.asp
• XML was designed to store and transport data
• XML tags are not predefined
6. What is an XML Entity?
• Entities are used to define shortcuts to characters (or words)
• Entities can be declared internal, external or predefined
• Internal entity declaration:
<!ENTITY entity-name "entity-value">
• Usage:
<element>&entity-name;</element>
7. What is an XML Entity?
• External entity declaration (the system identifier is a URI the parser will fetch):
<!ENTITY entity-name SYSTEM "system-identifier">
• Usage:
<element>&entity-name;</element>
• Predefined entities exist for the characters < > & " '
8. Why Is an XML Entity Dangerous?
• An attacker can include hostile content in an XML document.
• Entities can be used to carry out different attacks.
9. Why Is an XML Entity Dangerous?
• What happens when this document is parsed?
• The parser reads the local file named by the external entity.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:////etc/passwd" >]>
<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>
10. Why Is an XML Entity Dangerous?
• What happens when this document is parsed?
• The parser executes the remote HTTP call named by the external entity.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://api.geonames.org/timezoneJSON" >]>
<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>
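The two slides above describe what the parser does with a SYSTEM entity. The following program is an added example (not from the slides or from the speaker's xxeprotection project) that makes the behaviour visible without touching any real system file: it writes a temporary file with constructed content, points an external entity at it, and parses the document twice with the JDK's default DocumentBuilderFactory. The first parse shows the file content appearing inside the parsed text; the second installs an EntityResolver that logs every external lookup and hands back an empty replacement, which is a simple way for an application to both block and detect such attempts. Class and method names are the author's own choices; it assumes a standard Java 8+ runtime with the built-in JAXP parser.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/** Added demo: how a default JAXP parser treats an external entity, and how an EntityResolver observes it. */
public class XxeParsingDemo {

    // Same shape as the slide payload, but the SYSTEM identifier points at a file this program created itself.
    static String payloadFor(Path file) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE foo [\n"
             + "  <!ELEMENT foo ANY >\n"
             + "  <!ENTITY xxe SYSTEM \"" + file.toUri() + "\" >]>\n"
             + "<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>";
    }

    // Default configuration: the external general entity is fetched and expanded into the document text.
    static String parseWithDefaults(String xml) throws Exception {
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    // Same default parser, but every external resource request is recorded and answered with empty content,
    // so nothing is read from disk or the network and the attempt shows up in the application's own log.
    static String parseWithLoggingResolver(String xml, List<String> attempts) throws Exception {
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        builder.setEntityResolver((publicId, systemId) -> {
            attempts.add("blocked external entity lookup: " + systemId);
            return new InputSource(new StringReader(""));
        });
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" so the demo never touches a real system file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "constructed-secret-value".getBytes(StandardCharsets.UTF_8));
        String xml = payloadFor(secret);

        System.out.println("default parser, text content : " + parseWithDefaults(xml));

        List<String> attempts = new ArrayList<>();
        System.out.println("resolver parser, text content: '" + parseWithLoggingResolver(xml, attempts) + "'");
        attempts.forEach(System.out::println);

        Files.deleteIfExists(secret);
    }
}
```

The first line printed is the temp file's content, which is exactly the leak the slides describe; the second is empty, and the log line shows which URI the parser tried to fetch. An EntityResolver alone is a detection aid, not a substitute for the parser hardening on the later slides, because it does not cover parameter entities or entity-expansion denial of service.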
11. Flow of the attack
• The attack vector: a web application that accepts XML input and parses it
[Diagram: Browser sends XML with XXE to the WebServer; the XML Parser resolves the XXE and reads /etc/passwd; the file contents are returned through the WebServer to the Browser]
12. Why Is an XML Entity Dangerous?
• The attack lets an attacker read a local file on the server and have its content sent back to them!
13. What is OWASP?
• OWASP - Open Web Application Security Project
• Worldwide not-for-profit organization
• Founded in 2001
• Its mission is to make software security visible.
14. OWASP Top Ten
• The most successful OWASP project
• Lists the ten most critical web application security attacks
• First released in 2004
• Released every 3 years
• 2007, 2010, 2013, 2017 (current)
15. OWASP Top Ten 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring
16. A4 XML External Entities
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document.
https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)
• The attack can be used to
• extract data
• execute a remote request from the server
• scan internal systems
• perform a denial-of-service attack
• as well as execute other attacks.
17. A4 XXE - How to Prevent
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention'.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
18. How to Prevent - Unmarshaller
• Configure the Unmarshaller according to
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Unmarshaller
// Harden the SAX parser that JAXB will read from: no external general or parameter entities, no external DTD.
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
// Wrap the hardened reader in a SAXSource so the Unmarshaller cannot fall back to its own default parser.
Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
Unmarshaller um = JAXBContext.newInstance(SimpleXmlEntry.class).createUnmarshaller();
SimpleXmlEntry entry = (SimpleXmlEntry) um.unmarshal(xmlSource);
19. How to Prevent - Unmarshaller
• Use the preconfigured SafeSource
https://gitlab.com/ultimatesecpro/xxeprotection
Source xmlSource = SafeSource.newInstanceFromXmlContent(xml);
final Unmarshaller unmarshaller = JAXBContext.newInstance(SimpleXmlEntry.class).createUnmarshaller();
final SimpleXmlEntry simpleXmlEntry = (SimpleXmlEntry) unmarshaller.unmarshal(xmlSource);
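Slides 18 and 19 show the hardened SAXParserFactory and the SafeSource wrapper that packages it. The following is an added, self-contained example (written for this page, not taken from the slides or from the xxeprotection project) that carries the slide-18 configuration through to a complete JAXB unmarshal of a constructed document. It unmarshals a benign document and then one carrying an external entity whose SYSTEM identifier is a placeholder path that is never opened: with the three features disabled, the parser skips the entity instead of fetching it. The `XmlRoot` class, the `hardenedSaxParserFactory` and `unmarshal` helpers and the sample XML are the author's own; the program assumes Java 8, or a newer JDK with the JAXB API and an implementation on the classpath.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

/** Added demo: JAXB unmarshalling through a SAX parser hardened per the OWASP XXE Prevention Cheat Sheet. */
public class SafeJaxbUnmarshalDemo {

    // Constructed binding class matching the <xmlroot><xmlEntry>...</xmlEntry></xmlroot> shape used on the slides.
    @XmlRootElement(name = "xmlroot")
    public static class XmlRoot {
        @XmlElement(name = "xmlEntry")
        public String xmlEntry;
    }

    // The slide-18 configuration: no external general entities, no external parameter entities, no external DTD.
    static SAXParserFactory hardenedSaxParserFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf;
    }

    // Feed JAXB through a SAXSource built on the hardened reader; passing a String or InputStream directly
    // would let the Unmarshaller create its own, default-configured parser instead.
    static XmlRoot unmarshal(String xml) throws Exception {
        XMLReader reader = hardenedSaxParserFactory().newSAXParser().getXMLReader();
        Source source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        Unmarshaller unmarshaller = JAXBContext.newInstance(XmlRoot.class).createUnmarshaller();
        return (XmlRoot) unmarshaller.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        String benign = "<xmlroot><xmlEntry>hello</xmlEntry></xmlroot>";
        // Placeholder SYSTEM identifier: with the features above disabled the parser never tries to open it.
        String withExternalEntity = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///placeholder/never/opened\">]>"
            + "<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>";

        System.out.println("benign document   -> xmlEntry = " + unmarshal(benign).xmlEntry);
        System.out.println("external entity   -> xmlEntry = '" + unmarshal(withExternalEntity).xmlEntry + "'");
    }
}
```

The second unmarshal succeeds with an empty `xmlEntry`: the entity reference is reported to JAXB as a skipped entity rather than expanded. If the three `setFeature` calls are removed, the same input fails with a FileNotFoundException for the placeholder path, which is the parser attempting the fetch the slides warn about. Whether to fail closed on any DOCTYPE at all (as the DocumentBuilderFactory slides do with `disallow-doctype-decl`) or merely skip external entities is a design choice; rejecting the DOCTYPE is the stricter and simpler option when the application has no legitimate use for DTDs.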
20. How to Prevent - DocumentBuilderFactory
• Configure the DocumentBuilderFactory according to
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Reject any DOCTYPE declaration outright; this alone stops XXE and entity-expansion DoS.
String feature = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(feature, true);
// Defence in depth: also refuse external general entities.
feature = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(feature, false);
...
21. How to Prevent - DocumentBuilderFactory
• Use the preconfigured SafeDocumentBuilderFactory
https://gitlab.com/ultimatesecpro/xxeprotection
DocumentBuilder builder = SafeDocumentBuilderFactory.newInstance().newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
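Slides 20 and 21 give the DocumentBuilderFactory features and the SafeDocumentBuilderFactory wrapper. The program below is an added example (the author's own, not the slides' code and not the xxeprotection project's implementation) that spells out the full OWASP-recommended DOM configuration in one helper and then parses two constructed documents: a plain one, which is accepted, and one carrying a DOCTYPE with an external entity, which is rejected before any entity is resolved. It also sets the JAXP 1.5 `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_SCHEMA` attributes, which the notes at the end of this page mention. Class and method names are assumptions; it assumes a standard Java 8+ runtime with the built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Added demo: a DocumentBuilderFactory hardened per the OWASP XXE Prevention Cheat Sheet, and what it rejects. */
public class SafeDocumentBuilderDemo {

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: refuse any DOCTYPE. This blocks XXE and entity-expansion DoS (billion laughs) at once.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DOCTYPE is ever allowed again for a legitimate reason.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 attributes: an empty string denies every protocol for external DTDs and schemas.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Returns a one-line verdict so the accepted and rejected cases can be compared side by side.
    static String verdict(String xml) {
        try {
            Document doc = parse(xml);
            return "accepted, root element = " + doc.getDocumentElement().getNodeName();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) {
        String benign = "<xmlroot><xmlEntry>hello</xmlEntry></xmlroot>";
        // Placeholder SYSTEM identifier; the DOCTYPE is rejected before the parser ever looks at it.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///placeholder/never/opened\">]>"
            + "<xmlroot><xmlEntry>&xxe;</xmlEntry></xmlroot>";

        System.out.println(verdict(benign));
        System.out.println(verdict(withDoctype));
    }
}
```

The second verdict is a SAXParseException stating that DOCTYPE is disallowed when the feature is set to true. Treat that exception as a signal worth logging: a DOCTYPE in input that your application never expects to carry one is a reasonable indicator of an XXE probe, and the log line gives the operations team something to alert on.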
Hi everyone, thank you for joining the last lecture for today.
What will we see today? I will start by giving you an overview of OpenID Connect. I will describe the OpenID Connect protocol, and will show you how it compares to other protocols.
Then, we will review some OpenID Connect implementations.
Finally, I will show you one of the best OpenID Connect implementations: Keycloak.
Before we begin, a couple of words about me and the company I work for - Tufin.
I have many years of experience in software development.
Like most of you here today, I particularly like application security.
I started to work in this area more than 10 years ago, and enjoy each day I work on it.
For the last few years, I have been responsible for the application security of all Tufin products.
Recently I have started to write a blog - you are more than welcome to read it.
Something personal: I like traveling, reading books and listening to music. I particularly enjoy listening to jazz.
And now, a couple of words about Tufin.
Tufin is a great company.
It is already over 13 years old.
We have a lot of customers.
Our customers are all around the world: in Israel, the USA, Europe and Asia.
Some are huge companies, others are much smaller.
We have customers in many industries. For example: AT&T, BMW and Visa.
Recently we have started to develop products that integrate security into the DevOps pipeline. You are more than welcome to visit our booth.
Tufin is always growing.
When I joined the company about 5 years ago, it took up only one and a half floors.
Now it takes up almost 4 floors, and that is only in Israel. We have also expanded abroad. We recently opened a new main office in Boston.
We are always looking for good people.
We are looking for Java, C++ and DevOps people. We are looking for Docker and Kubernetes gurus.
You can visit our site to see our open positions in R&D, Sales, Marketing and additional areas.
Who is the attack target?
Do not use XML.
Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD Default value: The default value is implementation specific and therefore not specified. The following options are provided for consideration: