Learn how attackers perform an injection-style attack on XML-based web services.
- [Instructor] The fourth item in the OWASP Top 10 is XXE, or XML External Entities attacks. I'm going to talk about XXE in general terms to help you understand conceptually how this kind of attack works. XXE attacks are actually a subcategory of injection, the first item in the OWASP Top 10. The same fundamental concepts that we discussed with regards to injection, that is, number one, code being used to describe both data and commands, and number two, access control, apply here to XXE.
This time, it's just in the context of XML-based web services. In order to understand XXE, we first have to understand some basics about XML. What is XML? In simplest terms, it's a document format that is used to communicate information between computer systems. One of the nice things about XML is that it is both human readable and machine readable.
You can think about it like a form that has certain fields. An XML document can be designed to have different fields for different types of information. XML is frequently used between applications so that they can talk to each other. Consider a manufacturer and a distributor using web services to manage stock and inventory. They might use XML to communicate details about order and supply between the two organizations.
When XML is sent to an application, an XML processor reads and interprets the data. If an application accepts XML data from an untrusted source, then it's possible for an XXE attack to occur. Similar to the general injection attack that we discussed in chapter one, the code that gets processed by the application may result in the application behaving in a way that was not originally intended.
One example of the type of impact that an XXE attack might have on an application is called Denial of Service or DoS for short. A denial of service attack is pretty much exactly what it sounds like. The result of this type of attack is that the application no longer functions. An attacker who is trying to cause a denial of service typically takes the approach of flooding an application with so much input that the application simply can't handle it and just falls over.
One famous type of attack caused by an XXE vulnerability and resulting in a denial of service is called the billion laughs attack. Unfortunately, this does not refer to the adorable tickle fights that I often get into with my two-year-old daughter. The other, less cute names for this type of attack are XML bomb and exponential entity expansion attack. Basically, a malicious XML document causes the XML processor to read a data element that, when interpreted, expands the original string to one that is 10X.
Each of those expands to one that is 10X and so on until what was originally a very small piece of data ends up taking up enough memory that it is likely to result in the application falling over because it just runs out of memory.
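The entity-expansion mechanism described above, shown as an added example (this is not code from the course or its instructor; it uses only the Python standard library). `build_lol_bomb` constructs the classic document, where each `<!ENTITY>` declaration references the previous one ten times, so the expanded text grows by 10X per layer; `parse_unchecked` is what a naive service does, and `parse_untrusted` is one hardening choice: run expat with a handler that aborts on any entity declaration before the tree is ever built, since XML from an untrusted source should not need a DTD at all. The depth used in the demo is kept small (10**3 copies) so it runs in a few milliseconds; the function names and the `lolz`/`lol` identifiers are assumptions for illustration.

```python
"""Billion-laughs (exponential entity expansion) demo plus a guarded parser.

Added example, not part of the original course. Standard library only.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

ATOM = "lol"  # the innermost entity's value; every layer multiplies copies of it


def build_lol_bomb(depth: int, fanout: int = 10) -> str:
    """Constructed sample: an XML bomb with `depth` layers, each layer
    referencing the previous entity `fanout` times. depth=9, fanout=10 is the
    classic billion-laughs document (10**9 copies of "lol", about 3 GB)."""
    decls = [f' <!ENTITY lol0 "{ATOM}">']
    for level in range(1, depth + 1):
        refs = f"&lol{level - 1};" * fanout
        decls.append(f' <!ENTITY lol{level} "{refs}">')
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE lolz [\n" + "\n".join(decls) + "\n]>\n"
        f"<lolz>&lol{depth};</lolz>"
    )


def expanded_bytes(depth: int, fanout: int = 10) -> int:
    """Bytes the parser must materialise for the root text: |ATOM| * fanout**depth.
    The input document itself only grows by one short line per layer."""
    return len(ATOM) * fanout ** depth


def parse_unchecked(doc: str) -> str:
    """What a naive service does: hand the document straight to the parser and
    let it expand every entity. Returns the (possibly huge) expanded root text."""
    return ET.fromstring(doc).text or ""


def parse_untrusted(doc: str) -> ET.Element:
    """Hardened path: a probe pass with expat whose EntityDeclHandler raises on
    any entity declaration (internal or external), so a DTD can never define
    what gets expanded. Only a document with no entities reaches ET.fromstring."""

    def abort_on_entity(name, is_param, value, base, system_id, public_id, notation):
        raise ValueError(f"rejected entity declaration {name!r} in untrusted XML")

    probe = expat.ParserCreate()
    probe.EntityDeclHandler = abort_on_entity
    probe.Parse(doc, True)  # raises during the DTD, before any expansion happens
    return ET.fromstring(doc)


def guard_rejects(doc: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted(doc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    small = build_lol_bomb(depth=3)  # 10**3 copies of "lol"
    print(len(small), "bytes in ->", len(parse_unchecked(small)), "bytes out")
    print("depth 9 would need about", expanded_bytes(9) // 2**30, "GiB of memory")
    print("guarded parser rejects the bomb:", guard_rejects(small))
    print("guarded parser accepts plain XML:", not guard_rejects("<order><sku>A1</sku></order>"))
```

Note that recent versions of the expat library shipped with Python apply their own amplification limit, but it only activates once the expanded output passes a size threshold, so a service should not rely on it alone; rejecting DTDs from untrusted input, as above, stops both the DoS and the external-entity file-read variants of XXE at the same point.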