Example analysis of XML external entity injection vulnerability

1. XML external entity injection

XML external entity injection vulnerability is what we often call XXE vulnerability. XML is a widely used data transmission format, and many applications contain code for processing XML data. By default, many outdated or improperly configured XML processors will reference external entities.

If an attacker can upload an XML document or add malicious content to an XML document, through vulnerable code, dependencies, or integrations, they can attack a flawed XML processor. The occurrence of XXE vulnerabilities has nothing to do with the development language. As long as the xml data is parsed in the application and the data is controlled by the user, the application may be vulnerable to XXE attacks. This article takes a java program as an example to introduce the causes and repairs of XXE vulnerabilities. For details on the XXE vulnerability, please see CWE-611: Improper Restriction of XML External Entity Reference ('XXE')(http://cwe.mitre.org/data/definitions/611.html).

2. XML external entity injection

XXE vulnerabilities may be used to extract data, perform remote server requests, scan internal systems, perform denial of service attacks and other attacks. The business impact depends primarily on the affected referrers and data protection needs.

Since 2018, a total of 92 vulnerability information related to it have been released in CVE. Some of the CVEs are as follows:

##CVE-2018-8027Apache Camel 2.20.0 to 2.20. 3 and 2.21.0 Core have an XXE vulnerability in the XSD validation processor. CVE-2018-13439There is an XXE vulnerability in the WXPayUtil class in the WeChat Payment Java SDK. CVE-2018-1000548In Umlet with version number less than 14.3, there is an XML external entity injection vulnerability in file parsing, which may lead to confidential data leakage and rejection Service, server-side request forgery. This attack can be carried out via a specially crafted UXF file. CVE-2018-1364IBM Content Bavigator versions 2.0 and 3.0 are vulnerable to XML External Entity (XXE) attacks when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or occupy memory resources.

3. Sample code

3.1 Defect code

This section uses the sample code source to pay for an open source Java SDK (https:/ /pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=11_1), source file name: WXPayUtil.java, file path: java-sdk-v3\src\main\java\com\ github\wxpay\sdk.

In the above code, you can see that the data is passed in through the xmlToMap formal parameter at line 25. The data is not filtered in any way, and the XML processor does not have security settings. The data is parsed at line 32. In the actual scenario, the parameter strXML is also controlled by the attacker, so the attacker may conduct XXE attacks by constructing malicious strXML.

Use 360 ​​Code Guard to detect the above sample code, and you can detect the "risky XML external entity injection" defect on line 32 of the file. As shown in Figure 1:

Figure 1 Risky XML external entity injection detected

3.2 Repair code

In line 28 of the above repair code, an xml tool class WXPayXmlUtil is used to generate a secure xml processor. The most critical thing in the WXPayXmlUtil class is line 16, which uses setFeature to completely disable DTDS in the generated xml processor. As can be seen from Figure 2, 360 Code Guard did not detect defects in the repaired code.

Figure 2 XXE vulnerability repair example

4. How to avoid XXE vulnerabilities

Common Avoidance methods:

1. Use simple data formats (such as JSON) as much as possible to avoid serializing sensitive data;

2. Repair or update applications in a timely manner or All XML processors and libraries used by the underlying operating system. At the same time, update SOAP to version 1.2 or higher through dependency detection;

3. Disable XML external entities and DTD processes in all XML parsers of the application. For specific implementation, please refer to "OWASP Cheat Sheet 'XXE Prevention'》(https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet)

The following code is an example of preventing XXE vulnerabilities when using DocumentBuilderFactory to parse xml in a java application ：

4. Input validation: Use whitelist on the server side for input validation and filtering to prevent malicious data from appearing in XML documents, headers or nodes.

5. Validate XML and XXE vulnerabilities, and the use of ASAT tools can discover XXE vulnerabilities by detecting dependencies and security configurations.

The above is the detailed content of Example analysis of XML external entity injection vulnerability. For more information, please follow other related articles on the PHP Chinese website!