Join Caroline Wong for an in-depth discussion in this video, "General concept", part of OWASP Top 10: #3 Sensitive Data Exposure and #4 External Entities (XXE).
- The fourth item in the OWASP Top 10 is XXE, which stands for XML External Entity attack. The official OWASP description says: "Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attack." Let's break this down and explore what this actually means. In an injection attack, a malicious user submits untrusted data, which is then operated on by the application. If the application treats untrusted data the same way that it treats trusted data, then there's potential for either malicious or unintended behavior to occur. XXE is a type of injection attack, one that applies to XML. XML parsers which are not configured securely will read and execute external files in XML documents. This can result in application behavior which was not expected or intended.

Let's pause for a moment. Before we continue our discussion on XXE, I want to say a few things about XML. XML stands for Extensible Markup Language. You can think of XML as a way to create custom forms in order to store and transfer data between multiple parties. The cool thing about XML is that it is self-descriptive, which means that you can define tags and document structures to create a custom template. What kinds of documents can you build in XML? Well, let's consider a resume. Using XML, you can use tags to specify different elements, like name, employers, credentials, et cetera. Elements can also be nested, so that an element called certifications might include nested elements like certification name, date acquired, and certification number. You can use XML to define a standard format for a resume so that information can be shared easily between different systems. For example, if a job posting website needs to share a candidate's resume with an employer's internal recruiting app, XML can be used to define a standard format so that these systems can effectively talk to each other.

Let's get back to XXE. How does an attack work? Most people are familiar with the idea that if you receive an email with a mysterious link in it, that link could be legitimate or it might be malicious. You can think about external entities in XML documents as being similar to those mysterious links in your email. Sometimes they point to legitimate data sources, and other times they can cause behavior that's not intended or expected. Another way to think about it is kind of like a macro, like the type you might use in Excel. Macros can be used to automatically execute a series of instructions. If an XML processor is not configured securely, when it's checking an XML file for correctness, it might accidentally execute a macro that's been injected by a malicious person.
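As an added example (not part of the course, and not a library's own API), the following Python guard uses only the standard library to refuse any XML document that carries a DTD before the document reaches the parser, which is the standard way to close the "mysterious link" an external entity represents. The function names, the resume documents and the file:// placeholder path are constructed for this illustration.

```python
# Added example: a DTD-rejecting guard in front of Python's stdlib XML parser.
# External entities can only be declared inside a DTD, so refusing the
# DOCTYPE outright blocks file:// disclosure and Billion Laughs expansion
# before any entity is ever resolved.
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD, entity or external reference."""


def reject_dtd(data: bytes) -> None:
    """Walk the document with expat and abort on any DTD-related construct."""
    p = expat.ParserCreate()

    def deny(*_args):
        raise UnsafeXMLError("DTD / entity declarations are not accepted")

    p.StartDoctypeDeclHandler = deny    # <!DOCTYPE ...>
    p.EntityDeclHandler = deny          # <!ENTITY ...>, internal or external
    p.ExternalEntityRefHandler = deny   # a reference that would trigger a fetch
    p.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted party, refusing anything DTD-based."""
    reject_dtd(data)                    # hypothetical guard, see above
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the guard lets the document through, False if it is rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed inputs: a benign resume document and one declaring an external
# entity of the kind the OWASP description warns about (placeholder path).
BENIGN = b"<resume><name>A. Candidate</name><employers/></resume>"
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE resume [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
            b"<resume><name>&ext;</name></resume>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).find("name").text)  # A. Candidate
    print(is_accepted(WITH_DTD))                           # False
```

Rejecting the DOCTYPE is coarser than disabling entity resolution in a specific parser, but it needs no parser-specific flags and catches internal-entity expansion bombs as well as external references.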