XML External Entity And XML SSRF Attacks

Duane Chambers
4 min read · Oct 29, 2021

What is XML External Entity Injection, and why must any serious enterprise security product address it? XML is the technology that drives content management on the World Wide Web. It is an extensible markup language that provides both document structuring and data binding capabilities to assist in the construction of meaningful content. XML is commonly used to describe dynamically or semantically transformed information and is typically transmitted over network connections such as the Internet, or within Java. To make the most of this medium, companies need highly effective and robust tools, customized to take on a wide variety of complex problems, that ensure all data is correctly protected from attack.

What are XML External Entities? XML external entities are data sent over the network in a format that can be manipulated. An example would be XML data that is encoded into some file. In the case of XML external entities, this is done so that the file can later be referenced by application code without exposing that file's internal structure to the client program. This allows a variety of security concerns to be addressed in any application. For instance, what if there were malicious objects embedded within the content?
XML external entities can also be defined within a content model. A content model is a programming model used to specify the relationships and intended behavior between entities within a system. XML external entities are allowed to be defined within these structures because they can be referenced by application code. Thus the vulnerability created by an external entity can only be exploited when the application discloses the referenced entity's internal system.

XML external entities are usually injected into a server-side application using what is known as an SRF (Server Remote Procedure): a type of scripting or interaction code used to transport information from an application on the server to an application on the client side. An SRF generally identifies the internal processing of an XML data value during an application's development. For instance, if an XML data value created within an HTML application is then saved into an XML document using what is called an XML Sitemap, an SRF can be defined within this XML document to carry information about the external entity that was initially present in the XML data value. However, this essentially creates a security hole, since it allows any entity on the Internet, including the server acting as a liaison for the client application, to read the internal data value of the XML document saved on the server side and consequently view the embedded references within the document.
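The hole described above exists only while the parser is willing to follow an external reference on the client's behalf. As an added defensive example (not code from the original post, standard library only), the block below refuses any DOCTYPE before parsing and, at the expat level, records and refuses every attempted external entity resolution; the sample documents and the placeholder URI in them are constructed.

```python
"""Added defensive example (stdlib only): refuse DTD-bearing XML before parsing and,
at the expat level, refuse and record any attempted external entity resolution."""
import re
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Entity declarations live only inside a DOCTYPE, so refusing the DOCTYPE outright
# closes both the local file-read and the SSRF form of external entity resolution.
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)

class UnsafeXml(ValueError):
    """Raised when client-supplied XML carries a DTD."""

def has_doctype(xml_bytes: bytes) -> bool:
    return _DOCTYPE.search(xml_bytes) is not None

def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse only DTD-free input; ElementTree itself never resolves external entities."""
    if has_doctype(xml_bytes):
        raise UnsafeXml("DOCTYPE not permitted in client-supplied XML")
    return ET.fromstring(xml_bytes)

def is_rejected(xml_bytes: bytes) -> bool:
    """True when parse_untrusted refuses the document (convenience for callers)."""
    try:
        parse_untrusted(xml_bytes)
    except UnsafeXml:
        return True
    return False

def audit_external_refs(xml_bytes: bytes) -> list:
    """Return the system identifiers the document asked the parser to fetch.
    Parsing aborts at the first attempt, so nothing is ever read or requested."""
    attempted = []
    parser = expat.ParserCreate()
    def refuse(context, base, system_id, public_id):
        attempted.append(system_id)  # log the attempt for detection
        return 0  # a false return makes expat abort with ExpatError

    parser.ExternalEntityRefHandler = refuse
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # expected whenever an external entity was referenced
    return attempted

# Constructed sample inputs (not from the post); the URI is a placeholder.
BENIGN = b"<order><id>42</id></order>"
HOSTILE = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "http://placeholder.invalid/">]>'
           b"<order><id>&ext;</id></order>")
```

In production the recorded system identifiers from audit_external_refs belong in the application's security log, since a client asking the server to fetch a URI is the signal worth alerting on.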

In addition to XML external entity injection, another type of XML security flaw is created through cross-site scripting (XSS). XSS is a type of scripting that allows an outside party to access sensitive information, such as database servers' user names and passwords. Cross-site scripting can also be used to monitor activity on a website, such as where a user browses and which links they click within the site; this information may then be transferred to another party's server and used for malicious purposes.

These two types of XML security flaws are examples of why web developers need to ensure that their websites are not exposed to XML external entity or XML SSRF attacks while they are being developed. These vulnerabilities can largely be prevented: a professional developer can perform XML vulnerability detection and fix any of them before it is too late. This ensures that the end user does not accidentally open malicious code or harmful files while viewing the website, which reduces the risk of transmitting sensitive information or performing any activity that goes against the specifications of a particular application. When a developer detects an XML vulnerability, they should immediately attempt to reproduce the issue in a test environment using the XML Editor in the same project as the one where the vulnerability was detected. If the bug reproduces, the affected developer should immediately create an XML Overflow exception in the security policy to alert the system administrators to the problem.

Duane Chambers

I provide advisory services for corporations and executives regarding network architecture, test design/execution, network virtualization and datacenter design.