
Talk:XML External Entity (XXE) Prevention Cheat Sheet

From OWASP
Revision as of 17:05, 7 August 2017 by ErezYalon (talk | contribs) (Problematic mitigation advice)


The following code suffers from XXE despite the OWASP XMLReader recommendations that these setFeature calls would resolve it.

However, this is not true for XOM.nu (tested on version 1.2.5), a third-party XML library. I don't know how popular it is, but it is used by Jenkins. Not implying Jenkins is vulnerable, merely that a lib it uses doesn't have a proper OWASP usage recommendation.

Anyway, assuming the content of c:\test.txt is "This is TEXT inside the file C:\test.txt"

   import java.io.InputStream;
   import org.apache.commons.io.IOUtils;
   import org.xml.sax.XMLReader;
   import org.xml.sax.helpers.XMLReaderFactory;
   
   import nu.xom.*;
   
   public class helloworld {
       public static void main(String[] args) throws Exception {
           // To get this to run, the file c:\test.txt must exist and have content.
           // Alternatively, change the path in <!ENTITY xxe SYSTEM "file:///[file]">
           String newline = System.getProperty("line.separator");
           String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" + newline +
                        "<!DOCTYPE bar [" + newline +
                        "<!ENTITY xxe SYSTEM \"file:///c:/test.txt\">" + newline +
                        "]>" + newline +
                        "<book>" + newline +
                        "<author>&xxe;</author>" + newline +
                        "<isbn>11112222333</isbn>" + newline +
                        "<title>The Great Big Useless Book of XMLs</title>" + newline +
                        "</book>";
   
           // Vulnerable XOM parser: the entity-related SAX features are set on the
           // XMLReader, but the document below is still parsed with &xxe; expanded
           XMLReader xerces = XMLReaderFactory.createXMLReader();
           //xerces.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
           xerces.setFeature("http://xml.org/sax/features/external-general-entities", false);
           xerces.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
           xerces.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
   
           Builder b = new Builder(xerces);
           InputStream is2 = IOUtils.toInputStream(xml, "UTF-8");
           Document d = b.build(is2);
           System.out.println("XOM Reader: " + d.getValue());
       }
   }


Output: XOM Reader: This is TEXT inside the file C:\test.txt 11112222333 The Great Big Useless Book of XMLs


However, by uncommenting

   //xerces.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

a 'nu.xom.ParsingException' is thrown for this XML, preventing exploitation.

This leads us (Checkmarx Research Group) to believe the recommendations in OWASP for XMLReader are partial; we actually advise removing direct explicit recommendations entirely and requiring developers to adhere to specific platform best practices and documentation instead.
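The hardened form of the configuration described in the post above, as an added example by the editor rather than Checkmarx's code. It sets the disallow-doctype-decl feature (the line that was commented out in the post) alongside the entity-related features, parses the same DOCTYPE-bearing document shape and a clean document through the XOM Builder, and reads the feature values back from the XMLReader after the Builder has been constructed so that any change the wrapper makes to the reader is observed rather than assumed. It assumes XOM 1.2.x on the classpath and the JDK's Xerces-backed XMLReaderFactory; the feature URIs are the ones from the post, the class and method names are the editor's own, and the file path in the entity declaration is hypothetical (with DOCTYPEs rejected it is never opened).

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import nu.xom.Builder;
import nu.xom.Document;
import nu.xom.ParsingException;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

public class XomDoctypeCheck {

    // Feature URIs from the talk page; honoured by Xerces-based XMLReaders.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Hardened configuration: reject any DOCTYPE outright (so no entity can be
    // declared at all), in addition to the entity-related features from the post.
    static Builder hardenedBuilder() throws SAXException {
        XMLReader reader = XMLReaderFactory.createXMLReader();
        reader.setFeature(DISALLOW_DOCTYPE, true);
        reader.setFeature(EXT_GENERAL, false);
        reader.setFeature(EXT_PARAMETER, false);
        reader.setFeature(LOAD_EXTERNAL_DTD, false);
        Builder builder = new Builder(reader);
        // Read the features back after Builder construction: this shows what the
        // wrapper actually left on the reader instead of trusting the setFeature calls.
        for (String f : new String[] {DISALLOW_DOCTYPE, EXT_GENERAL, EXT_PARAMETER, LOAD_EXTERNAL_DTD}) {
            System.out.println(f + " = " + reader.getFeature(f));
        }
        return builder;
    }

    // Returns the parsed document's text value, or null when the parser rejects the input.
    static String tryParse(Builder builder, String xml) throws IOException {
        InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
        try {
            Document doc = builder.build(in);
            return doc.getValue();
        } catch (ParsingException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the DOCTYPE/entity shape from the talk page pointing at a
        // hypothetical path, and a clean document with no DOCTYPE at all.
        String withDoctype =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
            "<!DOCTYPE bar [\n" +
            "<!ENTITY xxe SYSTEM \"file:///c:/test.txt\">\n" +
            "]>\n" +
            "<book><author>&xxe;</author><isbn>11112222333</isbn></book>";
        String clean =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
            "<book><author>Anonymous</author><isbn>11112222333</isbn></book>";

        Builder hardened = hardenedBuilder();
        // With disallow-doctype-decl on, the first build ends in a ParsingException
        // (null here) before any entity is resolved; the clean document still parses.
        System.out.println("DOCTYPE document: " + tryParse(hardened, withDoctype));
        System.out.println("clean document:   " + tryParse(hardened, clean));
    }
}
```

Compile and run it with the XOM jar on the classpath. The feature read-back is the check worth keeping in any wrapper-based setup: if a library re-enables external-general-entities on the reader it was handed, that line is where it becomes visible, and rejecting the DOCTYPE is the setting that does not depend on the wrapper leaving the entity features alone.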