XML External Entities

00:00

Hey, everyone is Canada Hill Master Instructor a cyber. In this video, we're gonna talk about Web defense. So just a quick pre assessment question here. Samson Pen tester for Acne Incorporated. And by the way, that's a shout out if anyone's ever watched the The Road Runner and Tweety,

00:16

Not the Road or Twitter but Road Runner and Wile E. Coyote stuff from the cartoons growing up. I may be dating myself here, but that's a shout out to that. Anyways, Sam is a pen tester for acne Incorporated and wants to recommend ways to prevent against XXI attacks to his client. What's the following is not a recommendation to help prevent against those types of attacks?

00:38

Have you guessed answer. D allowing XML file uploads You are correct. So that's one of the things that attacker might do. They made corrupt XML files. And then if you allow that on attacker to upload the sense of files, that's where we can get this type of attack.

00:53

So xml, external entities again XXI for short, and most people just call it XXI out there. This is where we can potentially disclosed internal files. Things like an attacker could do things like port scanning. It could lead to remote code, execution or even, in some instances, denial of service attacks.

01:11

It's prevalent, it's it's common, but it's not necessarily the most common like attack method. Eso Attackers air normally use like something like, you know, injection attacks. It's somewhat challenging. T do these types of things, so it is common.

01:27

It does occur with enterprises, but it's not necessarily is common in some other things. That

01:32

or on the wall stop 10.

01:36

So how do we check for this? You know, again, if we're allowing for XML uploads directly, If we're allowing those to be accepted directly without any type of sanitation in place, then that's, you know, an avenue they could use. We could also check using static code analysis toe using static.

01:53

Ah, security testing

01:56

so fast is what it's essentially called there. If we notice that we're using older soap versions, eso basically 1.2 and below those air, the older ones we should be concerned with and then also if we have ah DTs enabled

02:09

So impact, you know, is with many things in the Old West Top 10. They could lead to data extraction could allow an attacker to scan your systems, as I mentioned for doing denial of service types of attacks or using remote code execution so the remote request would be remote. Code executions

02:27

prevention, you know, using things like Jason avoiding serialization, patching. You know, of course, people organizations, a lot of times don't patch things, and it's not always the It's not always something the organization could necessarily do right. They might be using outdated

02:44

applications that cost a lot of money. And it's not pragmatic for them, too.

02:49

Changed all the applications right off the bat. Or maybe there's some reason they can't, you know, maybe in, for example, in the critical infrastructure space. So patching can't isn't something that you know. We all talk about it, but it's not necessarily something that an organization can always implement, so they have to do other things to try to mitigate those risk.