Web Application XML External Entity Vulnerabilities (Mar 21, 2014)


XML is used extensively in web applications. Some uses of XML include:

  • Web publishing: XML allows you to create interactive pages, allows the customer to customize those pages, and makes creating e-commerce applications more intuitive. With XML, you store the data once and then render that content for different viewers or devices based on style sheet processing using an Extensible Stylesheet Language (XSL)/XSL Transformation (XSLT) processor.
  • Web searching and automating Web tasks: XML defines the type of information contained in a document, making it easier to return useful results when searching the Web.
  • Metadata applications: XML makes it easier to express metadata in a portable, reusable format.

XML has the concept of an entity: a symbolic representation of a block of information. Entities can be defined in two ways: internal and external.

Internal entities are both defined and used inside the same XML file. The declaration has the following format:

External entities exist in a location outside of the XML document in which they are declared, such as a file. External entities require the SYSTEM identifier in order to be imported and used. The declaration has the following format:

References to entities consist of the entity name prefixed with an ampersand and suffixed by a semicolon (in this case, “&anyname;”). Every time an entity reference appears in the XML, it is replaced with the entity value when the XML is parsed.

Multiple web applications are prone to XML External Entity (XXE) vulnerabilities. The vulnerabilities arise when the application's XML parser processes an external entity containing tainted data. Successful exploitation may lead to disclosure of confidential information and other system impacts.
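The internal and external declarations described above can be told apart before any entity is resolved. The following is an added example, not code from the original advisory: it uses Python's built-in expat bindings to list every entity a document declares and to reject input that declares an external one. The sample documents, the placeholder file URI and the function names are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample documents (not from the original page). The entity name
# "anyname" follows the page's text; the file URI is a placeholder.
INTERNAL_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY anyname "replacement text"> ]>
<note>&anyname;</note>"""

EXTERNAL_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY anyname SYSTEM "file:///placeholder/path.txt"> ]>
<note>&anyname;</note>"""


class ExternalEntityRejected(ValueError):
    """Raised when untrusted XML declares an external entity."""


def audit_entities(xml_bytes):
    """Return (name, kind, system_id) for every entity the document declares."""
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # expat passes value=None for external entities and sets system_id.
        kind = "internal" if value is not None else "external"
        found.append((name, kind, system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    # No ExternalEntityRefHandler is installed, so expat never fetches the
    # SYSTEM identifier while we inspect the document.
    parser.Parse(xml_bytes, True)
    return found


def require_no_external_entities(xml_bytes):
    """Gate to run before handing untrusted XML to the application's parser."""
    external = [e for e in audit_entities(xml_bytes) if e[1] == "external"]
    if external:
        names = ", ".join(name for name, _, _ in external)
        raise ExternalEntityRejected("external entity declared: " + names)
    return xml_bytes


if __name__ == "__main__":
    print(audit_entities(INTERNAL_DOC))
    try:
        require_no_external_entities(EXTERNAL_DOC)
    except ExternalEntityRejected as exc:
        print("rejected:", exc)
```

This check only covers entity declarations in the document's internal DTD subset. Disabling DTD and external entity processing in the application's own XML parser remains the primary control.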

Dell SonicWALL has released an IPS signature to detect and block XML External Entity injection. The signature is listed below:

  • 3496 Multiple Web Applications XXE Injection