CS.XXE.READER
Possible XML External Entity (XXE) attack
The CS.XXE.READER checker flags instances of XML input that are processed by a weakly configured XmlReader parser.
Vulnerability and risk
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input that contains a reference to an external entity is processed by a weakly configured XML parser. This attack can lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Mitigation and prevention
The safest way to prevent an XXE attack is to completely disable DTDs (External Entities). Depending on the parser, the method can be different. For example, in .NET 4.5.2+, XmlReader has DTDs disabled by default, and can become unsafe if DtdProcessing = Parse and XmlResolver is not null.
Vulnerable code example
static void LoadXML()
{
string xxePayload = "<!DOCTYPE doc [<!ENTITY win SYSTEM 'file:///C:/Users/SecretData.txt'>]>" + "<doc>&win;</doc>";
string xml = "<?xml version='1.0' ?>" + xxePayload;
XmlReaderSettings settings = new XmlReaderSettings(); // XmlReaderSettings processes Dtd and
// uses a non-null XmlResolver, so it is unsafe.
settings.DtdProcessing = DtdProcessing.Parse;
settings.XmlResolver = new XmlUrlResolver();
XmlReader reader = XmlReader.Create(xml, settings);
while (reader.Read())
{ ... }
}Fixed code example
static void LoadXML() {
string xxePayload = "<!DOCTYPE doc [<!ENTITY win SYSTEM 'file:///C:/Users/SecretData.txt'>]>" + "<doc>&win;</doc>";
string xml = "<?xml version='1.0' ?>" + xxePayload;
XmlReaderSettings settings = new XmlReaderSettings(); // Using the default safe settings
XmlReader reader = XmlReader.Create(xml, settings);
while (reader.Read())
{ ... }
}Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.
