Blog

OWASP #4 XML EXTERNAL ENTITIES (XXE)

2021-08-09 | By Jason Lu

The safest way to prevent XXE is to always disable External Entities completely. Disabling these also makes the parser secure against denial of services (DOS) attacks such as Billion Laughs CVE-2019-5442 which is specifically aimed at parsers of XML documents.

In October 2019, the Kubernetes API server GitHub repository by StackRox was discovered to have a security issue through its deployment of YAML that makes it vulnerable to the billion laughs attack for DoS. StackRox themselves stated, “The issue once again serves as a reminder that, like all software, Kubernetes is vulnerable to zero-day exploits”.

 

EXAMPLE OF AN ATTACK

This Java example uses the XMLReader library which directly parses this XML file with underlying XML libraries. During this operation, the external entity will be resolved and retrieved i.e. the common.xml, which could be a shared XML file for multiple users of the system and may be controlled by some external user of the system. If a malicious user meticulously crafts some content in that file, it would cause the downstream system to have its configurations endangered.

Previous OWASP article: OWASP #3 Broken Authentification

 

Click here to learn more about the OWASP Top Ten, and how Xcalscan can help you identify and resolve them.

 

You might be interested in

OWASP #5 Broken Access Control

2021-10-19 | By Jason Lu

In the OWASP Top Ten list, the number 5 vulnerability is Broken Access Control. This is concerned with how web applications grant systems access to...

read the story

Empowering Customers the Xcalibyte Way – An Interview with Gavin Bu

2021-10-14 | By Gavin Bu

From smart-locks at homes to self-driving vehicles on the road, new technologies such as artificial intelligence, blockchain, and 5G continue to promote the...

read the story

By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy