SAML Consumer Service XML entity injection (XXE) - Vulnerability Database

Description

The application's SAML Consumer Service uses an XML parser that is vulnerable to XML External Entity (XXE) injection. XXE vulnerabilities occur when an XML parser processes external entity references within XML documents without proper restrictions. An unauthenticated attacker can exploit this by submitting a malicious SAML response containing external entity declarations, allowing them to read arbitrary files from the server's filesystem or perform Server-Side Request Forgery (SSRF) attacks against internal or external systems.

Remediation

Disable XML external entity processing in the SAML XML parser. The specific implementation depends on the XML parser library being used:

For PHP (libxml):
// Disable external entity loading (deprecated in PHP 8.0 and redundant with
// libxml 2.9+, which disables it by default; keep it for older runtimes)
libxml_disable_entity_loader(true);

// Parse without entity substitution (never pass LIBXML_NOENT) and with
// network access disabled for any DTD or entity fetch
$dom = new DOMDocument();
$dom->loadXML($samlResponse, LIBXML_NONET);

For Java (DocumentBuilderFactory):
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
// setFeature() throws ParserConfigurationException if the parser lacks a feature
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Rejecting any DOCTYPE is the most complete protection; a SAML response needs none
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth for parsers that do not honour disallow-doctype-decl
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);

For .NET:
using System.Xml;

XmlReaderSettings settings = new XmlReaderSettings();
// Prohibit throws on any DOCTYPE; Ignore would silently drop it instead
settings.DtdProcessing = DtdProcessing.Prohibit;
// With no resolver, no external resource can be fetched even if a DTD slipped through
settings.XmlResolver = null;
XmlReader reader = XmlReader.Create(samlStream, settings);

For Python (lxml):
from lxml import etree
# resolve_entities=False leaves entity references unexpanded;
# no_network=True blocks fetches of external DTDs and entities
parser = etree.XMLParser(resolve_entities=False, no_network=True)
doc = etree.fromstring(saml_response, parser)

Additionally, consider using well-maintained SAML libraries that have XXE protections enabled by default, and keep all XML parsing libraries updated to the latest versions.
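The following added example (not part of the original database entry) shows how a SAML Consumer Service can go one step beyond leaving entities unexpanded: it parses with the hardened lxml settings from the remediation above and rejects any response that carries a DOCTYPE or an entity reference at all, since a legitimate SAML Response has neither. The two sample responses are constructed for this example, and the DOCTYPE sample uses a harmless internal entity in place of an external one so it runs offline.

```python
from lxml import etree

SAML_P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_A = "urn:oasis:names:tc:SAML:2.0:assertion"
RESPONSE_TAG = f"{{{SAML_P}}}Response"

# Hardened parser, as in the remediation above: no entity substitution, no DTD
# loading, no network access; huge_tree=False (the default) also caps expansion.
SAFE_PARSER = etree.XMLParser(resolve_entities=False, load_dtd=False,
                              no_network=True, huge_tree=False)
# Entity-substituting parser, used only to make the contrast visible.
LAX_PARSER = etree.XMLParser(resolve_entities=True)

def vet_saml_response(xml_bytes: bytes) -> tuple:
    """Parse with SAFE_PARSER; return (accepted, reason). A SAML Response never
    legitimately carries a DOCTYPE or entity references, so both are rejected."""
    try:
        root = etree.fromstring(xml_bytes, SAFE_PARSER)
    except etree.XMLSyntaxError as exc:
        return False, f"malformed XML: {exc}"
    docinfo = root.getroottree().docinfo
    if docinfo.doctype or docinfo.internalDTD is not None:
        return False, "DOCTYPE declaration present"
    if next(root.iter(etree.Entity), None) is not None:
        return False, "entity reference present"
    if root.tag != RESPONSE_TAG:
        return False, f"unexpected root element {root.tag}"
    return True, "ok"

def issuer_text(xml_bytes: bytes, parser: etree.XMLParser) -> str:
    """Return the Issuer text as the given parser sees it."""
    root = etree.fromstring(xml_bytes, parser)
    return root.findtext(f"{{{SAML_A}}}Issuer") or ""

# Constructed sample: a minimal well-formed SAML Response.
BENIGN = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
</samlp:Response>"""

# Constructed sample: same response with a DOCTYPE. A harmless internal entity
# stands in for the external entity described above, so this runs offline.
WITH_DOCTYPE = b"""<?xml version="1.0"?>
<!DOCTYPE Response [<!ENTITY probe "entity-was-expanded">]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <saml:Issuer>&probe;</saml:Issuer>
</samlp:Response>"""
```

Feeding WITH_DOCTYPE to LAX_PARSER shows the Issuer replaced by the entity's value, while SAFE_PARSER leaves the reference unexpanded and vet_saml_response refuses the document before any of its content is consumed.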