Blog

OWASP #4 XML EXTERNAL ENTITIES (XXE)

2021-08-09 | By Jason Lu

The safest way to prevent XXE is to always disable External Entities completely. Disabling these also makes the parser secure against denial of services (DOS) attacks such as Billion Laughs CVE-2019-5442 which is specifically aimed at parsers of XML documents.

In October 2019, the Kubernetes API server GitHub repository by StackRox was discovered to have a security issue through its deployment of YAML that makes it vulnerable to the billion laughs attack for DoS. StackRox themselves stated, “The issue once again serves as a reminder that, like all software, Kubernetes is vulnerable to zero-day exploits”.

 

EXAMPLE OF AN ATTACK

This Java example uses the XMLReader library which directly parses this XML file with underlying XML libraries. During this operation, the external entity will be resolved and retrieved i.e. the common.xml, which could be a shared XML file for multiple users of the system and may be controlled by some external user of the system. If a malicious user meticulously crafts some content in that file, it would cause the downstream system to have its configurations endangered.

Previous OWASP article: OWASP #3 Broken Authentification

 

Click here to learn more about the OWASP Top Ten, and how Xcalscan can help you identify and resolve them.

 

You might be interested in

seL4 Summit 2022 Recap

2022-11-01 | By Yuning Liang

As seL4 moves onto automotive applications, having industry standards will be a big step forward for mass adoption. Iso 26262 ASIL-D is well known...

read the story

OWASP #5 Broken Access Control

2021-10-19 | By Jason Lu

In the OWASP Top Ten list, the number 5 vulnerability is Broken Access Control. This is concerned with how web applications grant systems access to...

read the story

通过使用我们的网站,表明您已经阅读并理解我们的Cookie政策及隐私政策