102 lines
4.8 KiB
Plaintext
102 lines
4.8 KiB
Plaintext
XML standard allows the inclusion of XML files with the `xinclude` element.
|
|
When an XML parser component is set up with the `\http://apache.org/xml/features/xinclude`
|
|
feature, it will follow the standard and allow the inclusion of remote files.
|
|
|
|
== Why is this an issue?
|
|
|
|
When the XML parser will encounter an `xinclude` element, it will try to load
|
|
the file pointed to by the `href` attribute into the document. Included files
|
|
can either be local files found on the file system of the application server,
|
|
or remote files that are downloaded over HTTP, SMB, or other protocols,
|
|
depending on the capabilities of the application and server.
|
|
|
|
The files that can be accessed that way are only limited by the entitlement of
|
|
the application on the local system and the network filtering the server is
|
|
subject to.
|
|
|
|
This issue is particularly severe when the XML parser is used to parse untrusted
|
|
documents. For example, when user-submitted XML messages are parsed that way.
|
|
|
|
=== What is the potential impact?
|
|
|
|
Allowing the inclusion of arbitrary files in XML documents can have two main
|
|
consequences depending on what type of file is included: local or remote.
|
|
|
|
==== Sensitive file disclosure
|
|
|
|
If the application allows the inclusion of arbitrary files through the use of
|
|
the `xinclude` element, it might be used to disclose arbitrary files from the
|
|
local file system. Depending on the application's permissions on the file
|
|
system, configuration files, runtime secrets, or Personally Identifiable
|
|
Information could be leaked.
|
|
|
|
This is particularly true if the affected parser is used to process untrusted
|
|
XML documents.
|
|
|
|
==== Server-side request forgery
|
|
|
|
When used to retrieve remote files, the application will send network requests
|
|
to remote hosts. Moreover, it will do so from its current network location,
|
|
which can have severe consequences if the application server is located on a
|
|
sensitive network, such as the company corporate network or a DMZ hosting other
|
|
applications.
|
|
|
|
Attackers exploiting this issue could try to access internal backend services or
|
|
corporate file shares. It could allow them to access more sensitive files,
|
|
bypass authentication mechanisms from frontend applications, or exploit further
|
|
vulnerabilities in the local services. Note that, in some cases, the requests
|
|
sent from the application can be automatically authenticated on federated
|
|
locations. This is often the case in Windows environments when using Active
|
|
Directory federated authentication.
|
|
|
|
include::how-to-fix/java-se.adoc[]
|
|
|
|
include::how-to-fix/dom4j.adoc[]
|
|
|
|
include::how-to-fix/jdom2.adoc[]
|
|
|
|
=== How does this work?
|
|
|
|
The compliant code example explicitly prevents the inclusion of files in XML
|
|
documents by setting the `\http://apache.org/xml/features/xinclude` feature
|
|
property to `false`.
|
|
|
|
== Resources
|
|
|
|
=== Documentation
|
|
|
|
* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
|
|
* Java documentation - https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[XML External Entity Injection Attack]
|
|
* W3C - https://www.w3.org/TR/xinclude-11/[XML Inclusions (XInclude) Version 1.1]
|
|
|
|
=== Standards
|
|
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 - Category A4 - XML External Entities (XXE)]
|
|
* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 - Category A5 - Security Misconfiguration]
|
|
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
|
|
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
|
|
* CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Improper Restriction of XML External Entity Reference]
|
|
* CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition]
|
|
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Disable the inclusion of files in XML processing.
|
|
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 25 Jan 2022, 10:34:00 Quentin Jaquier wrote:
|
|
Quick fixes (for Java): even if it is technically possible to provide a fix that would result in compliant code, it does not sound wise to set properties blindly, as it can have side effects. Fixing the issue requires a careful and good understanding of the overall context of the code.
|
|
|
|
endif::env-github,rspecator-view[]
|