Don't be afraid of XXE vulnerabilities: understand their ferocity and detection methods
2022-06-11 05:57:00 【Longzhi Devops solution】

Today, XML External Entity (XXE) vulnerabilities are still everywhere, even though recommendations for protecting against them have been part of security standards for many years. In this article we will try to lift the veil on XXE vulnerabilities and introduce our rule that helps you detect and prevent them.
Overview
XML entities are declared in the document type definition (DOCTYPE) of an XML document. An entity is internal if its value is given within the document itself, and external if its value is retrieved from a URI. When an entity reference is later used in the XML document, the reference is replaced by the value retrieved for it. For example, the following XML document retrieves the value of the xxe entity from a file through a URI and then embeds the file's contents in the document:

Applications that process XML files should take care to restrict external entities to authorized file systems and network resources; otherwise they open the door to arbitrary file disclosure and server-side request forgery (SSRF) attacks:

Note: entities can be general entities, as in the picture above, or parameter entities. The only difference between the two is that parameter entities can only be defined and used inside the DTD.
How to detect XXE vulnerabilities?
Rule S2755 to the rescue
To help developers with this topic, rule S2755 "XML parsers should not be vulnerable to XXE attacks" is available in SonarLint, SonarCloud and all editions of SonarQube for C#, Java, JS/TS, Python, PHP and C/C++.
This rule raises an issue whenever an XML processor is configured insecurely, even if it only parses trusted XML files. We think that controlling and restricting the use of external entities has only advantages:
- For performance: reducing the dependence on external resources is good practice.
- For security: it is hard to guarantee that a trusted XML file has not been tampered with by a malicious third party somewhere at rest or in transit (as shown below).
- In general: once you start parsing XML files, it makes sense to configure every XML parser in the project securely, even if you believe the files are trustworthy. That way, if an XML parser later ends up handling XML files you do not control, you will not have to worry about XXE vulnerabilities.
Not convinced? Take a look at some real and serious vulnerabilities that S2755 found in well-known open source projects written in different programming languages:
- In a previous article (https://blog.sonarsource.com/wordpress-xxe-security-vulnerability) we discussed an XXE vulnerability in WordPress 5.7 (CVE-2021-29447), the most popular PHP CMS, triggered when an authenticated user uploads a media file:
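The mechanics described above (an entity whose value comes from a URI, and a parser that either fetches it or refuses to) are shown in the following added example. It is not code from the original article or from SonarSource: it constructs its own XML document with one internal and one external general entity, points the external entity at a scratch file that the example itself creates, and parses the document with Python's standard-library SAX reader in both configurations using the real `xml.sax.handler.feature_external_ges` feature. The helper names `external_entities` and `parse_data`, the sample document and the scratch-file contents are all assumptions made for the example. The `external_entities` pre-parse check also recognises parameter entities (the `%` form mentioned in the note), which the article's picture does not show.

```python
# Added example, not code from the original article. A constructed XML document
# declares one internal and one external general entity; it is parsed with the
# standard-library SAX reader once with external entity resolution enabled (the
# insecure configuration that rule S2755 reports) and once with it disabled.
# The "sensitive" file is a scratch file created here, so nothing outside the
# example is read.
import atexit
import io
import os
import pathlib
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a sensitive local file (path chosen by tempfile).
_scratch = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
_scratch.write("CONSTRUCTED-SECRET")
_scratch.close()
atexit.register(os.unlink, _scratch.name)
SECRET_URI = pathlib.Path(_scratch.name).as_uri()  # e.g. file:///tmp/tmpXXXX.txt

# Constructed document: 'greet' is internal, 'xxe' is external (its value is a URI).
DOC = f"""<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY greet "hello">
  <!ENTITY xxe SYSTEM "{SECRET_URI}">
]>
<root><greeting>&greet;</greeting><data>&xxe;</data></root>"""

# Matches general (<!ENTITY name SYSTEM ...>) and parameter (<!ENTITY % name
# PUBLIC ...>) entity declarations whose value is fetched from a URI.
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(%\s*)?([^\s%>]+)\s+(SYSTEM|PUBLIC)\b")


def external_entities(xml_text):
    """Pre-parse check: names of the external general and parameter entities
    declared in the DTD. Any hit is a reason to reject the input before a
    parser touches it."""
    return [m.group(2) for m in _EXTERNAL_ENTITY.finditer(xml_text)]


class _DataText(ContentHandler):
    """Collects the character data that ends up inside <data>."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.inside = False

    def startElement(self, name, attrs):
        if name == "data":
            self.inside = True

    def endElement(self, name):
        if name == "data":
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.parts.append(content)


def parse_data(xml_text, resolve_external):
    """Parse xml_text and return the text of <data>.

    resolve_external=True is the misconfiguration: the parser fetches the
    external entity's URI and splices the file contents into the document.
    False (the default since Python 3.7.1) leaves the reference unexpanded.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = _DataText()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(handler.parts)


if __name__ == "__main__":
    print("external entities declared:", external_entities(DOC))
    print("insecure parser sees:", repr(parse_data(DOC, resolve_external=True)))
    print("hardened parser sees:", repr(parse_data(DOC, resolve_external=False)))
```

Running the block shows the two halves of the argument: the insecure configuration returns the scratch file's contents as the text of `<data>`, while the hardened configuration returns an empty string because the reference is never resolved. The pre-parse check is independent of the parser and is useful as a defence-in-depth gate or as a log-side detection for XML inputs that declare external entities at all.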

- An XXE vulnerability in pikepdf 2.9.2 (CVE-2021-29421), a Python library for manipulating PDF documents, when parsing PDF XMP metadata (which is XML-based):

- An XXE vulnerability in WxJava 3.7.4.A, a Java SDK for developing WeChat mobile payment applications:

- An XXE vulnerability in DefectDojo 1.6.4, a popular Python vulnerability management tool, when parsing XML files coming from partner vulnerability scanning tools:

- An XXE vulnerability in Openfire, a Java XMPP server:

Assessing S2755 issues
When assessing XXE issues in your own projects, keep the following points in mind:
- Consider the worst case, for example a malicious system user manipulating the XML file, or a compromised partner application from which the XML file is retrieved.
- Read the documentation of your XML processor, in particular its default behaviour regarding external entities.
- Many file formats and technologies are based on the XML standard (Office files, RSS, PDF, SOAP, SVG, XML-RPC, XMPP and more), so it is easy to miss that parsing these files can expose an XXE vulnerability. Don't be surprised if rule S2755 is triggered when, for example, parsing XMP metadata from a PDF file.
Conclusion
In this article we have seen examples of XXE vulnerabilities in popular open source projects written in different programming languages. I explained how to assess XXE issues and what the benefits of rule S2755 are, but only you can prevent the vulnerability, so next time we will talk about how to fix them.
About the author:

ERIC THEROND
Security researcher
Article source: https://blog.sonarsource.com/understanding-xxe-vulnerabilities