What is XML External Entity attack (XXE attack) & How to prevent as a developer?

As a developer, it's crucial to ensure the security of your APIs. One potential security threat you need to be aware of is XML External Entity attack. Attackers can exploit vulnerabilities in XML parsers to gain access to sensitive data, like files or system details. But don't worry! With the right prevention methods, you can keep your APIs secure and protect your users' data. Let's explore how you can prevent these attacks and safeguard your APIs from malicious actors.

This blog post will cover the following topics:

  1. What is XML External Entity attack or XXE attack ?
  2. Explanation with examples
  3. How to prevent an XXE attack on APIs?

What is XML External Entity attack or XXE attack ?

XXE is a vulnerability in XML processing that attackers exploit to access sensitive data or launch further attacks. This means that if an XML parser processes external entities within an XML document, attackers can inject malicious payloads into the XML data. This, in turn, can lead to information disclosure, denial of service, or even remote code execution. That, in a nutshell is XML External Entity attack, also known as XXE attack.


XXE attack examples:

1. Example of XXE attack in PHP:

This example involves an API endpoint that processes XML input data to obtain information from an external system. The code snippet below demonstrates a vulnerable implementation:

XXE vulnerability in PHP

The code shown here reads the XML data sent in the request body using file_get_contents() with the "php://input" stream. It then creates a DOMDocument object and loads the XML data into it.

However, this code is vulnerable to XML External Entity attack. It does not validate or sanitize the XML input data before processing it. An attacker can craft a malicious XML payload with an external entity reference that points to a malicious file on the server. The following payload demonstrates a simple XXE attack:

XML External Entity attack

Sending this payload to the API endpoint will cause the code to attempt to retrieve the contents of the "/etc/passwd" file, which is a sensitive file on the server. This allows attackers to access sensitive data from the server, including passwords.

How to prevent this XML External Entity attack?

You should first validate and sanitize XML input data before processing it. One way to do this is by disabling external entity resolution in the DOMDocument object.

XXE attack prevention

In the following code snippet, the second argument to the loadXML() method includes two flags. The first argument is LIBXML_NOENT, which disables external entity resolution. The second argument is LIBXML_DTDLOAD, which disables the loading of external DTDs. By doing so, the XML input data is processed safely and securely, avoiding any risk of XXE attack.

2. Example of XXE attack in JavaScript code

XXE attack in javascript

The code above uses the XMLHttpRequest object to make a GET request to a user-supplied URL. The response is parsed using the DOMParser object, and the contents are logged into the console. However, this code is vulnerable to XML External Entity attack. An attacker can craft a malicious XML document with an XXE payload and serve it at the user-supplied URL. This could allow the attacker to access sensitive data, such as files on the server or data from external sources.

How to prevent this XXE attack?

Validate and sanitize the XML data before parsing it. You can use a library like xmldom to do this.

XXE attack prevention using xmldom library

In the updated code, we use the xmldom library to parse XML data. The error handler logs any warnings, errors, or fatal errors that may occur during parsing, allowing us to detect and prevent potential XXE attack.

3. XXE attack in a Node.js application:

The vulnerable code below is parsing XML data received from user input:

XML External entity vulnerability in Nodejs

In this example, the attacker used the parseString function from the xml2js library to parse XML data received from user input in the req.body.xml variable. An attacker can exploit this vulnerability by crafting an XML External Entity attack (XXE) payload in the XML data. By doing so, the attacker can gain access to sensitive information, such as the contents of files on the server.

For example, the attacker can create an XXE payload as follows:

XXE attack

This payload will cause the parseString function to retrieve the contents of the /etc/passwd file and display it in the response. To prevent XML External Entity attack, you should first validate and sanitize user input before processing it. Secondly, you should disable external entity parsing in the XML parser.

Here's a code snippet to prevent XXE attack:

XXE attack prevention

In this code, we utilize the Parser constructor from the xml2js library. The option "forbidDoctype" is set to true, which disables external entity parsing and prevents XXE attack.

How to prevent an XXE attack on APIs?

There are several ways to prevent XML External Entity attack on APIs:

  1. Disable Document Type Definitions (DTDs): Disable DTDs to reduce the attack surface. By doing so, the attacker can no longer specify a malicious DTD.
  2. Input validation: Ensure that any XML input received is properly validated. This ensures that XML data does not contain any malicious content and prevents XXE attack.
  3. Ensure the correct Content-Type header: Specify the correct content-type header. This ensures that the parser parses only the expected content type. The content-type header indicates the media type of the request body. To prevent XXE attack, set the Content-Type header to a specific value. For JSON requests, set the Content-Type header to application/json. This indicates that the request body contains JSON data. This can help prevent XXE attacks because JSON parsers do not support XML entities.
  4. Update software and libraries: Update software and patch regularly. This can prevent XXE vulnerability by fixing any known vulnerabilities in the software.

Note: The above XML External Entity attack scenarios are just illustrations for developers. The validation/prevention process may be more complex in real-world scenarios. Do you want to see this as an automated test in Akto? If yes, go ahead and create a issue in our open source repository. Stay tuned to the Akto blog for more of these critical API vulnerabilities.

How IDOR caused exposure of Florida’s tax filers’ data?

Bank account data of hundreds of taxpayers were disclosed due to IDOR vulnerability
Read full post

How to run bash commands on AWS EC2 instance restart ?

Amazon EC2 instances are great for many kinds of workloads. Amazon provides the option to
Read full post