OWASP Top 10 Part 4: XML External Entities (XXE)

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> Here we are again, OWASP Top 10 number 4: XML External Entities, XXE attacks. In this lesson, we're going to talk about the risks associated with these XXE attacks, the impact of XXEs, and the techniques to address XXE vulnerabilities.

External entities. We've talked about APIs before. We talked about RESTful APIs and SOAP APIs. Well, if you may recall, SOAP APIs rely on XML, Extensible Markup Language, to transact. If those transactions aren't secure, an attacker can insert various malicious commands into the XML. This can allow them to extract data, execute commands, and the impact of this can be particularly severe. The attacker can actually put in certain commands that can cause a denial-of-service attack and cause the web application to crash.

How do you prevent this? Well, first and foremost is training. You want to educate developers on how to design our APIs in a way that the XML gets checked to prevent the attacker from putting in this malicious code, or malicious commands, in the first place. Then there's also patching. You want to ensure that your XML processing libraries are up-to-date and you're using the most recent version of SOAP. If you don't have to use XML in the first place when designing your application, that's also useful. Certain formats such as JSON avoid this issue when it comes to serialization of sensitive information. There are also ways to do validation on XML, such as XSD validation. What this does is it verifies that the XML or XSML file uploaded functionality is validated and that the incoming XML is valid or similar. If you're not able to really validate the XML itself, you can use techniques such as setting up an API security gateway. This sits in front of the API and analyzes any incoming requests to the API to ensure that they meet specific security standards.

Quiz question. An XXE attack can be used to do all the following except? Denial of service, data extraction, or impersonation. Impersonation. We talked about the use of it to extract data and conduct denial-of-service attacks. It may be the precursor to an impersonation attack, but for the context of how it was discussed here, it really is going to be used to do denial-of-service and data extraction through the API.

In summary, we talked about XML External Entity Attacks, also referred to as XXE. We talked about the security impact of the exploit, namely the exploitation of data and a potential denial-of-service attack, and then we talked about the methods to address it: making sure that your versions of SOAP are up-to-date, that your developers are trained on how to prevent commands from being injected into the XML, and that there are various methods such as XSD involved to validate the XML that's incoming. If you're really stuck, putting in an API security gateway to check and validate any incoming XML. I'll see you in the next lesson.