Talk:XML External Entity (XXE) Prevention Cheat Sheet - Revision history

Wichers at 02:21, 21 November 2017

2017-11-21T02:21:08Z

Wichers at 02:20, 21 November 2017

2017-11-21T02:20:28Z

Wichers at 02:19, 21 November 2017

2017-11-21T02:19:36Z

ErezYalon: Problematic mitigation advice

2017-08-07T17:05:53Z

Problematic mitigation advice

New page

The following code suffers from XXE despite the [[XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader|XMLReader recommendations in OWASP]] that these '''setFeatures''' would resolve it.

However, this is not true for XOM.nu (tested on version 1.2.5), a third party XML plugin. I don't know how popular it is, but it is used by Jenkins. Not implying Jenkins is vulnerable, merely that a lib it uses doesn't have proper OWASP usage recommendation.

Anyway, assuming the content of c:\test.txt is "'''This is TEXT inside the file C:\test.txt'''"

import java.io.InputStream;
import org.apache.commons.io.IOUtils;
import org.dom4j.io.SAXReader;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

import nu.xom.*;
public class helloworld {
public static void main(String[] args) throws Exception {

//To get this to run, the file c:\test.txt must exist and have content. alternatively, change the path in <!ENTITY xxe SYSTEM "file:///[file]"
String newline = System.getProperty("line.separator");
String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" + newline +
"<!DOCTYPE bar [" + newline +
"<!ENTITY xxe SYSTEM \"file:///c:/test.txt\">" + newline +
"]>" + newline +
"<book>"+ newline +
"<author>&xxe;</author>"+ newline +
"<isbn>11112222333</isbn>"+ newline +
"<title>The Great Big Useless Book of XMLs</title>"+ newline +
"</book>"; // Vulnerable XOM Parser
XMLReader xerces = XMLReaderFactory.createXMLReader();
//xerces.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
xerces.setFeature("http://xml.org/sax/features/external-general-entities", false);
xerces.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

xerces.setFeature("http://apache.org/xml/features/nonvalidating/load-
external-dtd",false);
Builder b = new Builder(xerces);
InputStream is2 = IOUtils.toInputStream(xml, "UTF-8");
Document d = b.build(is2);
System.out.println("XOM Reader: " + d.getValue());
}
}

'''Output:'''
XOM Reader:
This is TEXT inside the file C:\test.txt
11112222333
The Great Big Useless Book of XMLs

However, by uncommenting
//xerces.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
a ''''nu.xom.ParsingException'''' is thrown for this XML, preventing exploitation.

This leads us (Checkmarx Research Group) to believe the recommendations in OWASP for XMLReader are partial; We actually advise removing direct explicit recommendations entirely and demand devs to adhere to specific platform best practices and documentation, instead.

← Older revision		Revision as of 02:21, 21 November 2017
Line 1:		Line 1:
−	The following code suffers from XXE despite the (prior to Sept.	+	The following code suffers from XXE despite the (prior to Sept. 2017) [[XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader\|XMLReader recommendations in OWASP]] that these '''setFeatures''' would resolve it.
−	2017) [[XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader\|XMLReader recommendations in OWASP]] that these '''setFeatures''' would resolve it.

	However, this is not true for XOM.nu (tested on version 1.2.5), a third party XML plugin. I don't know how popular it is, but it is used by Jenkins. Not implying Jenkins is vulnerable, merely that a lib it uses doesn't have proper OWASP usage recommendation.		However, this is not true for XOM.nu (tested on version 1.2.5), a third party XML plugin. I don't know how popular it is, but it is used by Jenkins. Not implying Jenkins is vulnerable, merely that a lib it uses doesn't have proper OWASP usage recommendation.

← Older revision		Revision as of 02:20, 21 November 2017
Line 1:		Line 1:
−	The following code suffers from XXE despite the [[XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader\|XMLReader recommendations in OWASP]] that these '''setFeatures''' would resolve it.	+	The following code suffers from XXE despite the (prior to Sept.
		+	2017) [[XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader\|XMLReader recommendations in OWASP]] that these '''setFeatures''' would resolve it.

	However, this is not true for XOM.nu (tested on version 1.2.5), a third party XML plugin. I don't know how popular it is, but it is used by Jenkins. Not implying Jenkins is vulnerable, merely that a lib it uses doesn't have proper OWASP usage recommendation.		However, this is not true for XOM.nu (tested on version 1.2.5), a third party XML plugin. I don't know how popular it is, but it is used by Jenkins. Not implying Jenkins is vulnerable, merely that a lib it uses doesn't have proper OWASP usage recommendation.

← Older revision		Revision as of 02:19, 21 November 2017
Line 53:		Line 53:

	This leads us (Checkmarx Research Group) to believe the recommendations in OWASP for XMLReader are partial; We actually advise removing direct explicit recommendations entirely and demand devs to adhere to specific platform best practices and documentation, instead.		This leads us (Checkmarx Research Group) to believe the recommendations in OWASP for XMLReader are partial; We actually advise removing direct explicit recommendations entirely and demand devs to adhere to specific platform best practices and documentation, instead.
		+
		+	NOTE: This missing setting has been fixed in the cheat sheet. I (Dave Wichers) fixed it a few weeks ago before noticing this talk note. Funny how we both independently found/fixed the same thing around the same time.