Today we are going to learn about XML External Entity attacks. Before we begin our article on this let us understand what is XML.XML stands for Extensible Markup Language. It is used by applications and websites to store and transmit data around.
XML External Entity attack is a kind of Injection attack. In this attack, the application gets injected with an XML script. These injected scripts contain some harmful instructions. Once it enters an application it starts executing those instructions to cause severe damage to the application.
XML Processor at action
The applications which have support for XML language have an XML processor. This Processor is responsible to execute the XML code in the application. The XML processor should validate the XML code before it starts executing it. If the processor is not configured for the validation of the XML scripts then hackers can take advantage of this vulnerability. This can cause severe damage to the application.
How do XML External Entity attacks work?
An XML attack takes place by executing the code instructions on an application by using RPC ( remote procedure call). This RPC is used to inject the XML script to an application and once the system gets this XML file, the processor starts executing the instructions as per the XML file. In normal use for day to day activity of users, we often see that many of the internet applications ask users to use the login credentials of another social media website as credentials and let users continue to use the website or application.
For example:
Some websites ask users that users can continue with their Gmail, Facebook, Social Media credentials to have access to the contents of the website. When users provide the login credentials then these applications share this information between applications to validate the user credentials, sometime they use XML files to share this data.
The applications accept the XML file and execute certain queries on their databases from this data and sometimes they perform some logic also.
A hacker can take advantage of this entry point and can inject their XML file which has some deadly instructions and can execute this code on your application.
For these kinds of applications, it becomes important to configure the XML processor carefully to pre-validate the XML scripts or data before starts executing this.
How to protect applications against XML External Entity attacks?
- Disable XML RPC
The easiest solution to avoid the XML entity attack is to disable the execution of XML RPC requests. Application or websites can be configured to disable any of the XML executions triggered by RPC. This can be done on the server which you are using for your application. Either you can disable the XML processor itself or you can disable the RPC requests.
You can allow only local XML executions and not allow any remote requests. You can further refine it by blocking such requests from a certain IP address or location.
There are a lot of ways to do this and take advantage of this according to your application needs.
- Whitelisting, Blacklisting to validate inputs
Whitelisting(Positive validation) – This means application or website should validate the XML data to confirm that are we expecting this data or not. Is this data allowed? Is this data authentic? so we should filter all the positive aspects. If it passes all the expected results check then only allow this data.
Blacklisting(Negative validation) – This means application or website should block the data by checking what is not allowed. In this case, we can
validate what is not expected and what is not allowed. If we detect any of the negative aspects we should not allow our application to process this data.
In short, what is allowed and what is not allowed both are important to protect any application against an attack.
- Use Latest XML processors and libraries
Most of the software providers keep updating their software with the latest patches and security updates. We should keep our systems and libraries up to date to avoid any vulnerabilities in the system.
When an issue is found by one software application it gets reported to some of the organizations. Organizations manage the vulnerabilities lists and their latest status.
Using this list all the software developers provide updates to their existing application. These continuous improvements in software and libraries keep them up to date and secure.
While developing or deploying applications we should keep this in mind that we must use the latest and most recent updates.