XML standard allows the inclusion of XML files with the `xinclude` element. When an XML parser component is set up with the `\http://apache.org/xml/features/xinclude` feature, it will follow the standard and allow the inclusion of remote files. == Why is this an issue? When the XML parser will encounter an `xinclude` element, it will try to load the file pointed to by the `href` attribute into the document. Included files can either be local files found on the file system of the application server, or remote files that are downloaded over HTTP, SMB, or other protocols, depending on the capabilities of the application and server. The files that can be accessed that way are only limited by the entitlement of the application on the local system and the network filtering the server is subject to. This issue is particularly severe when the XML parser is used to parse untrusted documents. For example, when user-submitted XML messages are parsed that way. === What is the potential impact? Allowing the inclusion of arbitrary files in XML documents can have two main consequences depending on what type of file is included: local or remote. ==== Sensitive file disclosure If the application allows the inclusion of arbitrary files through the use of the `xinclude` element, it might be used to disclose arbitrary files from the local file system. Depending on the application's permissions on the file system, configuration files, runtime secrets, or Personally Identifiable Information could be leaked. This is particularly true if the affected parser is used to process untrusted XML documents. ==== Server-side request forgery When used to retrieve remote files, the application will send network requests to remote hosts. Moreover, it will do so from its current network location, which can have severe consequences if the application server is located on a sensitive network, such as the company corporate network or a DMZ hosting other applications. Attackers exploiting this issue could try to access internal backend services or corporate file shares. It could allow them to access more sensitive files, bypass authentication mechanisms from frontend applications, or exploit further vulnerabilities in the local services. Note that, in some cases, the requests sent from the application can be automatically authenticated on federated locations. This is often the case in Windows environments when using Active Directory federated authentication. include::how-to-fix/java-se.adoc[] include::how-to-fix/dom4j.adoc[] include::how-to-fix/jdom2.adoc[] === How does this work? The compliant code example explicitly prevents the inclusion of files in XML documents by setting the `\http://apache.org/xml/features/xinclude` feature property to `false`. == Resources === Documentation * OWASP - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet] * Java documentation - https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[XML External Entity Injection Attack] * W3C - https://www.w3.org/TR/xinclude-11/[XML Inclusions (XInclude) Version 1.1] === Standards * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 - Category A4 - XML External Entities (XXE)] * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 - Category A5 - Security Misconfiguration] * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration] * CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Improper Restriction of XML External Entity Reference] * CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition] * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks. ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message Disable the inclusion of files in XML processing. ''' == Comments And Links (visible only on this page) === on 25 Jan 2022, 10:34:00 Quentin Jaquier wrote: Quick fixes (for Java): even if it is technically possible to provide a fix that would result in compliant code, it does not sound wise to set properties blindly, as it can have side effects. Fixing the issue requires a careful and good understanding of the overall context of the code. endif::env-github,rspecator-view[]