Possible XML External Entity (XXE) attack

The CS.XXE.READER checker flags instances of XML input that are processed by a weakly configured XmlReader parser.

Vulnerability and risk

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input that contains a reference to an external entity is processed by a weakly configured XML parser. This attack can lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Mitigation and prevention

The safest way to prevent an XXE attack is to disable DTD processing (and with it, external entities) completely. Depending on the parser, the method can be different. For example, in .NET 4.5.2+, XmlReader has DTDs disabled by default, and it becomes unsafe if DtdProcessing is set to Parse and XmlResolver is not null.

Vulnerable code example

using System.IO;
using System.Xml;

static void LoadXML()
{
    string xxePayload = "<!DOCTYPE doc [<!ENTITY win SYSTEM 'file:///C:/Users/SecretData.txt'>]>" + "<doc>&win;</doc>";
    string xml = "<?xml version='1.0' ?>" + xxePayload;
    XmlReaderSettings settings = new XmlReaderSettings(); // The two assignments below enable DTD parsing and
                                                          // supply a non-null XmlResolver, so the reader will
                                                          // fetch the external entity: this is unsafe.
    settings.DtdProcessing = DtdProcessing.Parse;
    settings.XmlResolver = new XmlUrlResolver();
    // Wrap the string in a StringReader: XmlReader.Create(string) treats its argument as a URI, not as XML.
    XmlReader reader = XmlReader.Create(new StringReader(xml), settings);
    while (reader.Read())
    {
        // process nodes; &win; expands to the contents of SecretData.txt
    }
}

Fixed code example

using System.IO;
using System.Xml;

static void LoadXML() {
    string xxePayload = "<!DOCTYPE doc [<!ENTITY win SYSTEM 'file:///C:/Users/SecretData.txt'>]>" + "<doc>&win;</doc>";
    string xml = "<?xml version='1.0' ?>" + xxePayload;
    XmlReaderSettings settings = new XmlReaderSettings(); // Default safe settings in .NET 4.5.2+: DtdProcessing.Prohibit
                                                          // and a null XmlResolver, so the external entity is never fetched.
    // Wrap the string in a StringReader: XmlReader.Create(string) treats its argument as a URI, not as XML.
    XmlReader reader = XmlReader.Create(new StringReader(xml), settings);
    while (reader.Read())
    {
        // process nodes; the DOCTYPE in the payload is rejected with an XmlException
    }
}
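The fixed example relies on framework defaults, which differ between .NET versions. The following added example (written for this page, not part of the checker or of .NET) hardens XmlReaderSettings explicitly, feeds the same constructed payload through it, and treats the resulting XmlException as the expected rejection. The helper names SafeXmlReaderSettings and ParseUntrusted are assumptions introduced here.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

// Example-only helpers; SafeXmlReaderSettings and ParseUntrusted are not .NET APIs.
static class XxeDemo
{
    // Set every relevant knob explicitly instead of trusting version-dependent defaults:
    // DOCTYPE is rejected outright, and even if DTD handling were later loosened to Parse,
    // a null resolver means SYSTEM/PUBLIC identifiers cannot be fetched.
    public static XmlReaderSettings SafeXmlReaderSettings()
    {
        var settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit; // any <!DOCTYPE> raises XmlException
        settings.XmlResolver = null;                     // no file:// or http:// fetches
        settings.MaxCharactersFromEntities = 1024;       // bounds internal entity expansion
        return settings;
    }

    // Returns the concatenated text content, or null when the reader rejected the document.
    public static string ParseUntrusted(string xml, XmlReaderSettings settings)
    {
        try
        {
            // StringReader is required: XmlReader.Create(string) would treat xml as a URI.
            using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
            {
                var text = new StringBuilder();
                while (reader.Read())
                    if (reader.NodeType == XmlNodeType.Text) text.Append(reader.Value);
                return text.ToString();
            }
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message); // log and drop the input
            return null;
        }
    }

    static void Main()
    {
        // Constructed input modelled on the page's payload; the referenced file need not exist.
        string xml = "<?xml version='1.0' ?>"
            + "<!DOCTYPE doc [<!ENTITY win SYSTEM 'file:///C:/Users/SecretData.txt'>]>"
            + "<doc>&win;</doc>";
        bool rejected = ParseUntrusted(xml, SafeXmlReaderSettings()) == null;
        Console.WriteLine(rejected ? "Entity never resolved" : "Entity expanded");
    }
}
```

If an application must accept documents that carry a harmless DOCTYPE, DtdProcessing.Ignore discards the DTD without throwing while still leaving the resolver null.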

Security training

Application security training materials provided by Secure Code Warrior.