AttackFlow Findings Dictionary


XML External Entity Parsing

An attacker can read sensitive application and server data, cause denial of service, and initiate server-side network connections.

Severity

Critical

Fix Cost

Low

Trust Level

High

The XML 1.0 standard defines entities within the document type definition (DTD), declared with <!DOCTYPE>, and they behave much like variables in a programming language. The DTD describes the grammar of the XML document it belongs to, so that when the document is parsed, its structure can be checked against those rules. An entity declared as SYSTEM names an external resource (a file or URL) whose contents replace every reference to the entity.

An attacker who can send any XML (or part of an XML document) to an application that parses it with DTD processing enabled may be able to inject entities and have the parser process or expand them.

The .NET snippet below enables DTD processing, so the DTD supplied with the input document is parsed alongside it and an attacker can declare malicious entities. XmlReaderSettings defaults to DtdProcessing.Prohibit; leaving that default in place (and keeping XmlResolver null) is the fix.

using System.Xml;
using System.Xml.Linq;

// Vulnerable: DtdProcessing.Parse accepts a DTD embedded in untrusted input,
// so entities declared there are expanded when the document is read.
XmlReaderSettings settings = new XmlReaderSettings()
{
    DtdProcessing = DtdProcessing.Parse
};

// args[0] is the attacker-controlled document (a path or URI).
XmlReader xmlReader = XmlReader.Create(args[0], settings);
var root = XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace);

foreach (var reportItemElement in root.Root.Elements("issue"))
{
    …
}

Here is a simple XML document an attacker can submit to read the server's hosts file, which they could not otherwise access. The entity foo is declared as the contents of that file, so wherever &foo; appears (here, inside <severity>) the parser substitutes the file's contents, and the value then travels through the application like any other field.

<?xml version="1.0" ?>
<!DOCTYPE issues [
<!ENTITY foo SYSTEM 'file:///C:/Windows/System32/drivers/etc/hosts'>]>
<issues>
<issue>
<severity>&foo;</severity>
<name>My Issue</name>
</issue>
</issues>

The same flaw exists in Java, where no opt-in is needed: a DocumentBuilderFactory with default settings already processes the DTD of the input and resolves external entities, so the snippet below lets an attacker supply malicious entities.

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Vulnerable: a DocumentBuilderFactory with default settings resolves
// external entities declared in the DOCTYPE of the input.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(file);   // file: attacker-controlled input
doc.getDocumentElement().normalize();
NodeList nodeList = doc.getElementsByTagName("issue");

The same payload shown above works unchanged against this parser: the contents of the hosts file are substituted for &foo; inside <severity>.
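An added example, not code from the AttackFlow page, showing the Java parser above in its vulnerable and hardened forms side by side. Instead of the hosts file it uses a temporary file of constructed text so it runs anywhere, builds the same payload as above pointing at that file, and shows that a default DocumentBuilderFactory substitutes the file's contents for &foo; while a factory with the DOCTYPE disallowed rejects the document before any entity is resolved. The feature URIs are the standard Xerces/JAXP ones supported by the JDK's built-in parser; the class name XxeDemo and the helper names are assumptions.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Same document as the payload above, but the SYSTEM identifier points at a
    // temporary file created by this program (assumption: it stands in for the
    // hosts file so the demo runs on any OS without elevated rights).
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE issues [\n"
             + "<!ENTITY foo SYSTEM '" + secret.toUri() + "'>]>\n"
             + "<issues><issue><severity>&foo;</severity>"
             + "<name>My Issue</name></issue></issues>";
    }

    // Vulnerable: on a stock JDK (no jaxp.properties override) the JAXP defaults
    // resolve external general entities declared in the input's DOCTYPE.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened: refuse any DOCTYPE at all. The remaining features are defence in
    // depth in case a later change has to re-enable DTDs for some input.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse the document and return the text of <severity>, i.e. whatever &foo;
    // expanded to.
    static String severityOf(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("severity").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for the server-side hosts file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "127.0.0.1 localhost (constructed sample)".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);

        try {
            // Default parser: the file's contents come back as the severity value.
            System.out.println("default : " + severityOf(defaultBuilder(), xml));

            // Hardened parser: the DOCTYPE itself is rejected before any entity
            // is resolved, so the file is never opened.
            try {
                severityOf(hardenedBuilder(), xml);
                System.out.println("hardened: parsed (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened: rejected - " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac XxeDemo.java && java XxeDemo`. The first line prints the constructed file contents, which is exactly what the payload above would leak from the hosts file; the second reports the SAXParseException raised by disallow-doctype-decl. Disallowing the DOCTYPE outright is the preferred fix for applications that never need a DTD, because it also stops entity-expansion denial of service; the individual entity features are the fallback when DTDs must be kept.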
