Talk:XML External Entity (XXE) Prevention Cheat Sheet

From OWASP
Jump to: navigation, search

The following code suffers from XXE despite the (prior to Sept. 2017) XMLReader recommendations in OWASP that these setFeatures would resolve it.

However, this is not true for XOM.nu (tested on version 1.2.5), a third party XML plugin. I don't know how popular it is, but it is used by Jenkins. Not implying Jenkins is vulnerable, merely that a lib it uses doesn't have proper OWASP usage recommendation.

Anyway, assuming the content of c:\test.txt is "This is TEXT inside the file C:\test.txt"

   import java.io.InputStream;
   import org.apache.commons.io.IOUtils;
   import org.dom4j.io.SAXReader;
   import org.xml.sax.XMLReader;
   import org.xml.sax.helpers.XMLReaderFactory;
   
   import nu.xom.*;
   public class helloworld {
          public static void main(String[] args) throws Exception {
                 
                 //To get this to run, the file c:\test.txt must exist and have content. alternatively, change the path in <!ENTITY xxe SYSTEM "file:///[file]" 
                 String newline = System.getProperty("line.separator");
                 String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" + newline +
                              "<!DOCTYPE bar [" + newline +
                              "<!ENTITY xxe SYSTEM \"file:///c:/test.txt\">" + newline +
                              "]>" + newline +
                              "<book>"+ newline +
                              "<author>&xxe;</author>"+ newline +
                              "<isbn>11112222333</isbn>"+ newline +
                              "<title>The Great Big Useless Book of XMLs</title>"+ newline +
                              "</book>";          // Vulnerable XOM Parser  
                 XMLReader xerces = XMLReaderFactory.createXMLReader();
                 //xerces.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                 xerces.setFeature("http://xml.org/sax/features/external-general-entities", false);
                 xerces.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             
   xerces.setFeature("http://apache.org/xml/features/nonvalidating/load-
   external-dtd",false);
                 Builder b = new Builder(xerces);
                 InputStream is2 = IOUtils.toInputStream(xml, "UTF-8");
                 Document d = b.build(is2);
                 System.out.println("XOM Reader: " + d.getValue());
       }
   }


Output: XOM Reader: This is TEXT inside the file C:\test.txt 11112222333 The Great Big Useless Book of XMLs


However, by uncommenting

   //xerces.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

a 'nu.xom.ParsingException' is thrown for this XML, preventing exploitation.

This leads us (Checkmarx Research Group) to believe the recommendations in OWASP for XMLReader are partial; We actually advise removing direct explicit recommendations entirely and demand devs to adhere to specific platform best practices and documentation, instead.

NOTE: This missing setting has been fixed in the cheat sheet. I (Dave Wichers) fixed it a few weeks ago before noticing this talk note. Funny how we both independently found/fixed the same thing around the same time.