Improper Restriction of XML External Entity Reference ('XXE') [CWE-611]
Improper Restriction of XML External Entity Reference, or XXE, describes the case where an XML parser is not correctly configured and allows the attacker to directly interact with local or external files.
Created: June 11, 2018
Latest Update: December 29, 2020
Table of Contents
- Description
- Potential impact
- Attack patterns
- Affected software
- Severity and CVSS Scoring
- Mitigations
- Vulnerability Remediation Techniques and Examples
- References
Want to have an in-depth understanding of all modern aspects of Improper Restriction of XML External Entity Reference ('XXE') [CWE-611]? Read this article carefully and bookmark it to come back to later; we update this page regularly.
1. Description
The weakness is caused by an error while parsing an XML file that contains XML entities with URIs that can resolve to documents outside the intended location. If the application fails to check the path to documents before including them, the attacker is able to include an arbitrary file from the local or a remote system and trigger the application to display it.
The XXE attack is built on the XML language's capability to define arbitrary entities through an external Document Type Definition (DTD) and on the parser's ability to read or execute files.
Below is an example of an XML file that, when processed, may return the contents of the local "/etc/passwd" file:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE test [
    <!ELEMENT test ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
Another example shows how to request an external resource using the same vulnerability:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE test [
    <!ELEMENT test ANY >
    <!ENTITY xxe SYSTEM "http://www.malicious-website.com/xxe.txt" >]>
The attacker may also be able to execute arbitrary commands on the system by leveraging third-party software, e.g. the PHP "expect" extension. The PoC code below lists files and directories in the current application folder by running the "/bin/ls" command:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE test [ <!ELEMENT test ANY >
    <!ENTITY xxe SYSTEM "expect://ls" >]>
2. Potential impact
XXE is a very dangerous vulnerability. Depending on the application's implementation and environment, the impact may vary from local or remote file inclusion to remote command execution and full system compromise. This vulnerability can also be used to perform port scans of the vulnerable system or of servers located in the internal network.
3. Attack patterns
This vulnerability is associated with the following attack patterns:
- CAPEC-201: XML Entity Blowup
- CAPEC-221: XML External Entities
- CAPEC-231: XML Oversized Payloads
4. Affected software
Any software that processes XML files can be affected by this issue.
5. Severity and CVSS Scoring
This is an extremely dangerous vulnerability. It may allow an attacker to compromise the vulnerable system and is most likely scored as Critical:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] - Critical
6. Mitigations
This vulnerability is usually introduced into the application during the architecture and design phase. In most cases it is impossible to mitigate this vulnerability without modifying the application source code.
7. Vulnerability Remediation Techniques and Examples
To avoid exploitation of an XXE vulnerability, the best approach is to disable the ability to load entities from external sources.
Below are several examples of how to disable external entities:
.NET 3.5
    // ProhibitDtd is the pre-4.0 property; a DOCTYPE in the input makes the reader throw.
    XmlReaderSettings settings = new XmlReaderSettings();
    settings.ProhibitDtd = true;
    XmlReader reader = XmlReader.Create(stream, settings);
.NET 4.0
    // DtdProcessing.Prohibit replaces ProhibitDtd from .NET 4.0 on: any DTD is rejected.
    XmlReaderSettings settings = new XmlReaderSettings();
    settings.DtdProcessing = DtdProcessing.Prohibit;
    XmlReader reader = XmlReader.Create(stream, settings);
PHP
    // Stops libxml-based parsers (DOMDocument, SimpleXML, XMLReader) from loading external entities.
    // Deprecated as of PHP 8.0, where external entity loading is already disabled by default.
    libxml_disable_entity_loader(true);
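The following is an added example, not code from the article or from ImmuniWeb, that applies the same policy as the .NET and PHP snippets above (refuse DTDs, and therefore external entities) to the kind of payload shown in the Description section. It uses only Python's standard-library expat bindings; the names parse_untrusted_xml, is_rejected and XxeRejected are hypothetical helpers chosen for this example, and the sample documents are constructed, not captured. In addition to the outright "prohibit" mode shown on the page, it demonstrates a second mode that tolerates inline entities in an internal subset while still rejecting any entity or DTD carrying a SYSTEM or PUBLIC identifier, which is what would make the parser open a file:// or http:// URI.

```python
"""Parse untrusted XML while refusing DTDs and external entities.

Added example; parse_untrusted_xml / is_rejected / XxeRejected are hypothetical
helper names, not a library API.
"""
import xml.parsers.expat


class XxeRejected(ValueError):
    """Raised when untrusted XML tries to declare a DTD or an external entity."""


def parse_untrusted_xml(data: bytes, allow_internal_dtd: bool = False) -> dict:
    """Parse XML from an untrusted source into {"tag", "text", "children"} nodes.

    allow_internal_dtd=False: any <!DOCTYPE ...> is rejected outright, the
        equivalent of DtdProcessing.Prohibit in the article's .NET snippet.
    allow_internal_dtd=True: an internal subset may declare ordinary inline
        entities, but any entity or DTD with a SYSTEM/PUBLIC identifier is
        still rejected, because that identifier is a document-controlled URI.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Stack of partially built nodes; index 0 is a sentinel holding the root.
    stack = [{"tag": None, "text": "", "children": []}]

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_internal_dtd:
            raise XxeRejected(f"DOCTYPE {name!r} is not allowed in untrusted input")
        # An external DTD is itself a URI the parser would be asked to fetch.
        if sysid is not None or pubid is not None:
            raise XxeRejected("external DTD reference is not allowed")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # An entity declared with a system or public id is external: its URI
        # (file:///..., http://..., expect://...) is chosen by the document author.
        if sysid is not None or pubid is not None:
            raise XxeRejected(f"external entity {name!r} -> {sysid or pubid!r} rejected")

    def external_entity_ref(context, base, sysid, pubid):
        # Defence in depth: never resolve an external entity reference, even if a
        # declaration somehow slipped past entity_decl.
        raise XxeRejected("external entity reference rejected")

    def start_element(tag, attrs):
        node = {"tag": tag, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end_element(tag):
        stack.pop()

    def char_data(text):
        # expat may deliver text in several chunks (e.g. around an entity reference).
        stack[-1]["text"] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)  # raises XxeRejected, or ExpatError on malformed XML
    return stack[0]["children"][0]


def is_rejected(data: bytes, allow_internal_dtd: bool = False) -> bool:
    """True if the policy above refuses the document, False if it parses cleanly."""
    try:
        parse_untrusted_xml(data, allow_internal_dtd)
    except XxeRejected:
        return True
    return False


# Constructed sample documents for the demonstration (not real traffic).
BENIGN = b'<?xml version="1.0"?><order><item qty="2">widget</item></order>'
INTERNAL_ENTITY = b'<!DOCTYPE note [<!ENTITY greet "hello">]><note>&greet;</note>'
# Same shape as the article's first payload, with the entity referenced from the body.
EXTERNAL_ENTITY = (b'<?xml version="1.0" encoding="ISO-8859-1"?>'
                   b'<!DOCTYPE test [<!ELEMENT test ANY>'
                   b'<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                   b'<test>&xxe;</test>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    for label, doc in [("internal entity", INTERNAL_ENTITY), ("external entity", EXTERNAL_ENTITY)]:
        print(label, "| prohibit mode rejected:", is_rejected(doc),
              "| internal-DTD mode rejected:", is_rejected(doc, allow_internal_dtd=True))
```

Rejecting at the DOCTYPE or entity declaration, before any element content is processed, matters: the parser never reaches the point where it would resolve the URI, so there is nothing to leak even if the application later echoes the parsed text. The strict mode is the right default for any endpoint that accepts XML from outside; the internal-DTD mode exists only for the rare case where a legitimate document format relies on inline entities.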
8. References
- CWE-611: Improper Restriction of XML External Entity Reference ('XXE') [cwe.mitre.org]
- XmlReaderSettings.DtdProcessing Property [cwe.mitre.org]
- libxml_disable_entity_loader — Disable the ability to load external entities [php.net]
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.