XML External Entity Injection via external file
Description
XML External Entity (XXE) injection occurs when an XML parser processes untrusted XML input containing references to external entities. XML parsers can be configured to resolve external entities, which are directives that instruct the parser to include content from external sources (files, URLs, etc.) during processing. When an attacker controls the XML input, they can define malicious external entities that reference sensitive local files or internal network resources. The parser will then retrieve and include this content in the XML document, potentially exposing it to the attacker. This vulnerability was detected by submitting XML containing an external entity reference that successfully triggered an outbound request to a controlled domain, confirming the parser processes external entities.
Remediation
Implement the following measures to prevent XML External Entity injection:

1. Disable External Entity Processing (Recommended):
Configure your XML parser to disable external entity resolution entirely. Implementation varies by parser:

    // Java (DocumentBuilderFactory)
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Refusing the DOCTYPE is the single strongest setting; the rest are defence in depth.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

    // PHP (libxml)
    // Deprecated as of PHP 8.0, where external entity loading is already off by default
    // (libxml >= 2.9); never pass LIBXML_NOENT when loading untrusted documents.
    libxml_disable_entity_loader(true);

    # Python (lxml)
    from lxml import etree
    parser = etree.XMLParser(resolve_entities=False, no_network=True)
    # The parser must be passed explicitly, e.g. etree.fromstring(data, parser)

    // .NET
    XmlReaderSettings settings = new XmlReaderSettings();
    settings.DtdProcessing = DtdProcessing.Prohibit;
    settings.XmlResolver = null;

2. Use Less Complex Data Formats:
Consider using JSON or other simpler data formats that do not support external entities if XML features are not required.

3. Input Validation:
Validate all XML input against a strict schema (XSD). Reject documents containing DOCTYPE declarations if they are not required by your application.

4. Keep Libraries Updated:
Ensure all XML processing libraries are updated to the latest versions with security patches applied.

5. Apply Least Privilege:
Run XML parsing processes with minimal filesystem and network permissions to limit the impact of successful exploitation.
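The DOCTYPE-rejection gate from item 3, as an added example that is not part of this advisory: it walks the XML prolog per the grammar rather than substring-searching, so a DOCTYPE hidden behind comments or a UTF-16 encoding is still caught while the literal text "<!DOCTYPE" inside a comment is not a false positive. The helper names and the sample documents are this example's own, constructed for illustration; it uses only the standard library.

```python
import re
import xml.etree.ElementTree as ET

# Prolog grammar: XMLDecl? Misc*  where Misc = Comment | PI | whitespace.
# Whatever follows the Misc run is either the DOCTYPE or the root element.
_XML_DECL = re.compile(r"<\?xml\b.*?\?>", re.S)
_MISC = re.compile(r"\s+|<!--.*?-->|<\?.*?\?>", re.S)


def _decode(doc) -> str:
    """Decode bytes for prolog inspection (UTF-8, or UTF-16 by BOM / lead byte)."""
    if isinstance(doc, str):
        return doc
    if doc[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return doc.decode("utf-16")
    if doc[:2] == b"<\x00":
        return doc.decode("utf-16-le")
    if doc[:2] == b"\x00<":
        return doc.decode("utf-16-be")
    return doc.decode("utf-8", errors="replace")


def has_doctype(doc) -> bool:
    """True if the document's prolog contains a DOCTYPE declaration."""
    text = _decode(doc)
    pos = 0
    m = _XML_DECL.match(text)
    if m:
        pos = m.end()
    while True:                      # skip comments, PIs and whitespace
        m = _MISC.match(text, pos)
        if not m:
            break
        pos = m.end()
    return text.startswith("<!DOCTYPE", pos)


def parse_untrusted(doc) -> ET.Element:
    """Parse untrusted XML, refusing any document that carries a DOCTYPE."""
    if has_doctype(doc):
        raise ValueError("DOCTYPE declarations are not accepted from untrusted input")
    return ET.fromstring(doc)


# Constructed samples (hypothetical, not captured traffic).
BENIGN = b'<?xml version="1.0"?>\n<!-- order --><order id="7"><item>x</item></order>'
COMMENT_ONLY = b"<r><!-- the string <!DOCTYPE here is only comment text --></r>"
XXE_STYLE = (b'<?xml version="1.0"?>\n<!-- padding -->  <!DOCTYPE r [\n'
             b'<!ENTITY ext SYSTEM "http://scanner.example/probe">]><r>&ext;</r>')
UTF16_DOCTYPE = '<?xml version="1.0"?><!DOCTYPE r><r/>'.encode("utf-16")
```

Log the rejection with the source identity before raising; a spike of refused DOCTYPEs on an endpoint is exactly the signal the scanner-style probe described above produces.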