Video Activity

OWASP Top 10 Part 4: XML External Entities (XXE)

Video Transcript

Here we are again, OWASP Top 10 number 4: XML External Entities (XXE) Attacks. In this lesson, we're going to talk about the risks associated with these XXE attacks, the impact of XXEs, and the techniques to address XXE vulnerabilities. External entities.

We've talked about APIs before. We talked about RESTful APIs and SOAP APIs. Well, if you may recall, SOAP APIs rely on XML (Extensible Markup Language) to transact. If those transactions aren't secure, an attacker can insert various malicious commands into the XML. This can allow them to extract data and execute commands, and the impact of this can be particularly severe. The attacker can actually put in certain commands that can cause a denial-of-service attack and cause the web application to crash. How do you prevent this? Well, first and foremost is training.

You want to educate developers on how to design our APIs in a way that the XML gets checked to prevent the attacker from putting in this malicious code or these malicious commands in the first place. Then there's also patching. You want to ensure that your XML processing libraries are up-to-date and you're using the most recent version of SOAP. If you don't have to use XML in the first place when designing your application, that's also useful. Certain formats such as JSON avoid this issue when it comes to serialization of sensitive information. There are also ways to do validation on XML, such as XSD validation. What this does is it verifies that the XML or XSML file upload functionality is validated and that the incoming XML is valid or similar.

If you're not able to really validate the XML itself, you can use techniques such as setting up an API security gateway. This sits in front of the API and analyzes any incoming requests to the API to ensure that they meet specific security standards. Quiz question: an XXE attack can be used to do all the following except? Denial of service, data extraction, or impersonation. Impersonation. We talked about the use of it to extract data and conduct denial-of-service attacks. It may be the precursor to an impersonation attack, but for the context of how it was discussed here, it really is going to be used to do denial-of-service and data extraction through the API.

In summary, we talked about XML External Entity Attacks, also referred to as XXE. We talked about the security impact of the exploit, namely the exploitation of data and a potential denial-of-service attack, and then we talked about the methods to address it: making sure that your versions of SOAP are up-to-date, that your developers are trained on how to prevent commands from being injected into the XML, and that various methods such as XSD are involved to validate the XML that's incoming. If you're really stuck, put in an API security gateway to check and validate any incoming XML. I'll see you in the next lesson.
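The two defensive checks the lesson describes (a gateway that refuses unsafe XML before the API parses it, then validation of the document's shape) as an added Python example; this is not code from the course or the instructor. It assumes a SOAP-style request carrying hypothetical `GetBalance`/`AccountId` elements, uses an allow-list of tags as a stand-in for XSD validation (the standard library has no XSD validator), and all sample messages, including the DTD with a placeholder `file:///` URI, are constructed for the example.

```python
"""Gateway-style screen for inbound SOAP/XML (added example, stdlib only): refuse
any DTD before parsing, then check the tree against the tags the API expects."""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Stand-in for an XSD (stdlib has no XSD validator): the only tags accepted.
ALLOWED_TAGS = {f"{{{SOAP_NS}}}Envelope", f"{{{SOAP_NS}}}Body",
                "GetBalance", "AccountId"}

class RejectedXML(ValueError):
    """Document violates the gateway policy."""

def assert_no_dtd(xml_bytes: bytes) -> None:
    """Abort on the first DOCTYPE expat sees. Entities (external ones included)
    can only be declared inside a DTD, so refusing DTDs outright closes XXE."""
    parser = expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedXML(f"DOCTYPE {name!r} not allowed: DTDs are disabled")

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc

def validate_shape(root: ET.Element) -> None:
    """Minimal structural check standing in for XSD validation."""
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise RejectedXML(f"unexpected root element {root.tag!r}")
    unexpected = sorted({el.tag for el in root.iter()} - ALLOWED_TAGS)
    if unexpected:
        raise RejectedXML(f"unexpected elements: {unexpected}")

def screen(xml_bytes: bytes) -> str:
    """Return 'accepted' or the rejection reason; never raises."""
    try:
        assert_no_dtd(xml_bytes)
        validate_shape(ET.fromstring(xml_bytes))
        return "accepted"
    except RejectedXML as exc:
        return f"rejected: {exc}"

# Constructed samples; the hostile one declares an external entity with a placeholder URI.
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b"<soap:Body><GetBalance><AccountId>1234</AccountId></GetBalance>"
        b"</soap:Body></soap:Envelope>")
XXE = (b'<!DOCTYPE GetBalance [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
       + GOOD.replace(b"1234", b"&ext;"))
UNEXPECTED = GOOD.replace(b"GetBalance", b"DeleteAccount")
```

Calling `screen()` on each sample accepts `GOOD`, rejects `XXE` at the DOCTYPE before any entity is resolved, and rejects `UNEXPECTED` on the shape check.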

Intermediate

Course link: Certified Cloud Security Professional (CCSP)

As you develop your skills for a cloud security engineer, architect, or manager role, you’ll want to take this Certified Cloud Security Professional (CCSP) certification course. Information Security Analyst Graham Wicas will give you the training to understand all six domains of the CCSP exam, including cloud data security and legal compliance.

Instructor: Graham Wicas

I am an Information Security Analyst, and I hold the following certifications: CISSP, CCSP, CISA, CRISC, and Sec+.