Risk A4 in OWASP - XML External Entities (XXE)

In our post What is OWASP and why every developer should know it we saw an introduction to OWASP and why it is so important in the development of web applications. Within the TOP TEN project, we are going to delve a little into each of the ten most critical security risks in web applications. Today it is the turn of Risk A4 - XML External Entities (XXE).
Definition
This risk affects any application that interprets and processes XML input. This means that services that work through SOAP are susceptible to it.
Examples
- An attacker crafts an XML document containing an external entity that points at a resource or file on the server's internal network, and the parser resolves it and returns the content.
- By default, many XML processors allow external entities. SAST tools can identify this vulnerability by inspecting dependencies and settings. DAST tools can also detect these problems, although they require some manual steps.
Prevention
- As much as possible, less complex data formats should be used, such as JSON.
- Confidential data should not be serialized into XML.
- Use dependency checkers, keep the processors and libraries that handle XML up to date, and update SOAP to version 1.2 or higher.
- XML external entities and DTD processing should be disabled on all XML parsers in the application.
- Validate data inputs in XML; sanitize and filter the data to prevent malicious content in the XML.
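The prevention list asks for DTD processing and external entities to be disabled on every parser that sees untrusted XML. The following is an added example, not code from the original post, that shows what that control looks like using only Python's standard library `xml.parsers.expat` module: the parser refuses any DOCTYPE before a single entity can be declared, and its external entity handler refuses to fetch anything as a second line of defence. The function names and the sample documents (including the placeholder file path) are assumptions constructed for this illustration.

```python
"""Hardened XML intake: refuse DTDs outright, so external entities (XXE)
and entity-expansion attacks are never processed.

Added example using only Python's standard library; parse_untrusted_xml,
classify and the sample documents are constructed for this post, not
taken from any project.
"""
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when an untrusted document carries a DOCTYPE declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source into {element_name: text}.

    Any DOCTYPE (internal or external subset) aborts parsing before an
    entity can be declared: this is the "disable DTD processing" control.
    Should a DTD ever get through, the external entity handler returns 0,
    which makes expat report an error instead of resolving the reference.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields: dict = {}
    text_buf: list = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def on_external_entity(context, base, system_id, public_id):
        # Never fetch file://, http:// or any other external resource.
        return 0

    def on_start(name, attrs):
        text_buf.clear()

    def on_end(name):
        fields[name] = "".join(text_buf).strip()
        text_buf.clear()

    def on_chars(chars):
        text_buf.append(chars)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return fields


# Constructed sample documents (not from the post) -----------------------------
BENIGN_ORDER = b"""<?xml version="1.0"?>
<order><id>42</id><sku>ABC-1</sku></order>"""

# The XXE shape from the Examples section: a DTD declares an entity that points
# at a local file and the body references it.  The path is a placeholder.
XXE_ORDER = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY secret SYSTEM "file:///PLACEHOLDER/secret.txt"> ]>
<order><id>&secret;</id></order>"""

# Entity-expansion shape: no external resource at all, but the same DOCTYPE
# gate stops it, because the expansion also needs a DTD to declare entities.
EXPANSION_ORDER = b"""<?xml version="1.0"?>
<!DOCTYPE lol [ <!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;"> ]>
<order><id>&b;</id></order>"""


def classify(data: bytes) -> str:
    """Return 'ok' or 'rejected'; suitable for a gateway decision or a log line."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except DtdRejected:
        return "rejected"


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_ORDER))
    for doc in (XXE_ORDER, EXPANSION_ORDER):
        print(classify(doc))
```

Rejecting the DOCTYPE as a whole is the simplest setting to reason about, and it covers both the external-entity case and the entity-expansion case with one check. Where a SOAP stack or library cannot refuse DTDs outright, the equivalent is to switch off the parser's external entity features (in Python's `xml.sax`, the `feature_external_ges` and `feature_external_pes` flags) and to keep the library itself updated, as the prevention list recommends.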