Web Application XML External Entity Vulnerabilities

March 21, 2014

XML is extensively used in many web applications. Some of XML usages include:

  • Web publishing: XML allows you to create interactive pages, allows the customer to customize those pages, and makes creating e-commerce applications more intuitive. With XML, you store the data once and then render that content for different viewers or devices based on style sheet processing using an Extensible Style Language (XSL)/XSL Transformation (XSLT) processor.
  • Web searching and automating Web tasks: XML defines the type of information contained in a document, making it easier to return useful results when searching the Web.
  • Metadata applications: XML makes it easier to express metadata in a portable, reusable format.

XML has the concept of an entity: a symbolic representation of a block of information. Entities can be defined in two ways: internal and external.

Internal entities are both defined and used inside the same XML file. The declaration has the following format:

External entities exist in a location outside of the XML document in which they are declared, such as a file. External entities require the SYSTEM identifier in order to be imported and used. The declaration has the following format:

References to entities consist of the entity name prefixed with an ampersand and suffixed by a semicolon (in this case, "&anyname;"). Every time an entity reference appears in the XML, it is replaced with the entity value when the XML is parsed.

Multiple web applications are prone to XML External Entity (XXE) vulnerabilities. The vulnerabilities are due to the parser processing an external entity declaration containing tainted data. Successful exploitation may lead to disclosure of confidential information and other system impacts.
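The following is an added example, not code from SonicWALL or from the advisory above, illustrating the two entity kinds described earlier and the defensive check a web application can apply before handing input to an XML parser. The sample documents are constructed for the example, the SYSTEM URI is a placeholder that is never fetched, and the helper names (`classify`, `safe_parse`, `UnsafeXML`) are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: an internal entity, defined and used in the same document.
INTERNAL_ENTITY_DOC = (
    '<!DOCTYPE note [<!ENTITY anyname "expanded value">]>'
    '<note><body>&anyname;</body></note>'
)

# Constructed sample 2: an external entity declared with the SYSTEM identifier.
# The URI is a placeholder; no file is ever read in this example.
EXTERNAL_ENTITY_DOC = (
    '<!DOCTYPE note [<!ENTITY anyname SYSTEM "file:///placeholder/path.txt">]>'
    '<note><body>&anyname;</body></note>'
)

# Constructed sample 3: a plain document with no DTD at all.
PLAIN_DOC = '<note><body>hello</body></note>'

# Any document-type declaration at all.
DOCTYPE_RE = re.compile(r'<!DOCTYPE\b', re.IGNORECASE)

# An entity declaration that points outside the document. The optional "%"
# also catches parameter entities ("<!ENTITY % name SYSTEM ...>").
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+%?\s*[^\s>]+\s+(SYSTEM|PUBLIC)\b', re.IGNORECASE)


def expand_internal(doc):
    """Parse with the standard-library parser and return the text of <body>.

    This shows the substitution described in the text: the reference
    &anyname; is replaced by the entity value during parsing.
    """
    root = ET.fromstring(doc)
    return root.find('body').text


def classify(doc):
    """Classify raw XML text before it reaches any parser (hypothetical helper).

    Returns 'external-entity' if a SYSTEM/PUBLIC entity is declared,
    'dtd' if any other DOCTYPE is present, and 'clean' otherwise.
    """
    if EXTERNAL_ENTITY_RE.search(doc):
        return 'external-entity'
    if DOCTYPE_RE.search(doc):
        return 'dtd'
    return 'clean'


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD the application does not accept."""


def safe_parse(doc):
    """Refuse any document that declares a DTD, then parse the rest normally.

    Rejecting DOCTYPE outright is the simplest hardening: whether a given
    parser would actually fetch the SYSTEM URI depends on its configuration,
    and this check makes that question irrelevant.
    """
    verdict = classify(doc)
    if verdict != 'clean':
        raise UnsafeXML('document declares a DTD (%s); entity processing is not allowed' % verdict)
    return ET.fromstring(doc)


if __name__ == '__main__':
    print('internal entity expands to:', expand_internal(INTERNAL_ENTITY_DOC))
    for name, doc in (('internal', INTERNAL_ENTITY_DOC),
                      ('external', EXTERNAL_ENTITY_DOC),
                      ('plain', PLAIN_DOC)):
        print(name, '->', classify(doc))
```

The first function demonstrates the expansion the text describes; the second and third are the defender's side, the same kind of pattern match a network signature applies to a request body, done at the application boundary so that a document declaring entities is dropped before a parser ever sees the SYSTEM identifier.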

Dell SonicWALL has released an IPS signature to detect and block XML External Entity injection. The signature is listed below:

  • 3496 Multiple Web Applications XXE Injection