February 27, 2023
As a developer, it's crucial to ensure the security of your APIs. One potential security threat you need to be aware of is XML External Entity attack. Attackers can exploit vulnerabilities in XML parsers to gain access to sensitive data, like files or system details. But don't worry! With the right prevention methods, you can keep your APIs secure and protect your users' data. Let's explore how you can prevent these attacks and safeguard your APIs from malicious actors.
This blog post will cover the following topics:
XXE is a vulnerability in XML processing that attackers exploit to access sensitive data or launch further attacks. This means that if an XML parser processes external entities within an XML document, attackers can inject malicious payloads into the XML data. This, in turn, can lead to information disclosure, denial of service, or even remote code execution. That, in a nutshell is XML External Entity attack, also known as XXE attack.
This example involves an API endpoint that processes XML input data to obtain information from an external system. The code snippet below demonstrates a vulnerable implementation:
The code shown here reads the XML data sent in the request body using file_get_contents() with the "php://input" stream. It then creates a DOMDocument object and loads the XML data into it.
However, this code is vulnerable to XML External Entity attack. It does not validate or sanitize the XML input data before processing it. An attacker can craft a malicious XML payload with an external entity reference that points to a malicious file on the server. The following payload demonstrates a simple XXE attack:
Sending this payload to the API endpoint will cause the code to attempt to retrieve the contents of the "/etc/passwd" file, which is a sensitive file on the server. This allows attackers to access sensitive data from the server, including passwords.
How to prevent this XML External Entity attack?
You should first validate and sanitize XML input data before processing it. One way to do this is by disabling external entity resolution in the DOMDocument object.
In the following code snippet, the second argument to the loadXML() method includes two flags. The first argument is LIBXML_NOENT, which disables external entity resolution. The second argument is LIBXML_DTDLOAD, which disables the loading of external DTDs. By doing so, the XML input data is processed safely and securely, avoiding any risk of XXE attack.
The code above uses the XMLHttpRequest object to make a GET request to a user-supplied URL. The response is parsed using the DOMParser object, and the contents are logged into the console. However, this code is vulnerable to XML External Entity attack. An attacker can craft a malicious XML document with an XXE payload and serve it at the user-supplied URL. This could allow the attacker to access sensitive data, such as files on the server or data from external sources.
How to prevent this XXE attack?
Validate and sanitize the XML data before parsing it. You can use a library like xmldom to do this.
In the updated code, we use the xmldom library to parse XML data. The error handler logs any warnings, errors, or fatal errors that may occur during parsing, allowing us to detect and prevent potential XXE attack.
The vulnerable code below is parsing XML data received from user input:
In this example, the attacker used the parseString function from the xml2js library to parse XML data received from user input in the req.body.xml variable. An attacker can exploit this vulnerability by crafting an XML External Entity attack (XXE) payload in the XML data. By doing so, the attacker can gain access to sensitive information, such as the contents of files on the server.
For example, the attacker can create an XXE payload as follows:
This payload will cause the parseString function to retrieve the contents of the /etc/passwd file and display it in the response. To prevent XML External Entity attack, you should first validate and sanitize user input before processing it. Secondly, you should disable external entity parsing in the XML parser.
Here's a code snippet to prevent XXE attack:
In this code, we utilize the Parser constructor from the xml2js library. The option "forbidDoctype" is set to true, which disables external entity parsing and prevents XXE attack.
There are several ways to prevent XML External Entity attack on APIs:
Note: The above XML External Entity attack scenarios are just illustrations for developers. The validation/prevention process may be more complex in real-world scenarios. Do you want to see this as an automated test in Akto? If yes, go ahead and create a issue in our open source repository. Stay tuned to the Akto blog for more of these critical API vulnerabilities.