The safest way to prevent XXE is to always disable External Entities completely. Disabling these also makes the parser secure against denial of services (DOS) attacks such as Billion Laughs CVE-2019-5442 which is specifically aimed at parsers of XML documents.
In October 2019, the Kubernetes API server GitHub repository by StackRox was discovered to have a security issue through its deployment of YAML that makes it vulnerable to the billion laughs attack for DoS. StackRox themselves stated, “The issue once again serves as a reminder that, like all software, Kubernetes is vulnerable to zero-day exploits”.
EXAMPLE OF AN ATTACK
This Java example uses the XMLReader library which directly parses this XML file with underlying XML libraries. During this operation, the external entity will be resolved and retrieved i.e. the common.xml, which could be a shared XML file for multiple users of the system and may be controlled by some external user of the system. If a malicious user meticulously crafts some content in that file, it would cause the downstream system to have its configurations endangered.
Previous OWASP article: OWASP #3 Broken Authentification
Click here to learn more about the OWASP Top Ten, and how Xcalscan can help you identify and resolve them.
You might be interested in
seL4 Summit 2022 Recap
2022-11-01 | By Yuning Liang
As seL4 moves onto automotive applications, having industry standards will be a big step forward for mass adoption. Iso 26262 ASIL-D is well known...
read the story
OWASP #5 Broken Access Control
2021-10-19 | By Jason Lu
In the OWASP Top Ten list, the number 5 vulnerability is Broken Access Control. This is concerned with how web applications grant systems access to...
read the story