The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. The XML parser can access the contents of this URI and embed these contents back into the XML document for further processing.

By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. For example, a URI such as "file:///c:/winnt/win.ini" designates (in Windows) the file C:\Winnt\win.ini, or file:///etc/passwd designates the password file in Unix-based systems. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning.

Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents.

Modes Of Introduction

Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Language

Name: XML (Undetermined)

Technologies

Class: Web Based (Undetermined)

Common Consequences

Observed Examples

Potential Mitigations

Phases : Implementation // System Configuration
Many XML parsers and validators can be configured to disable external entity expansion.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Rationale : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

Notes

CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the "Server" portion of the SSRF acronym does not necessarily apply.

References

REF-496

XML External Entity (XXE) Processing
OWASP.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

REF-497

XML External Entity Attacks (XXE)
Sascha Herzog.
https://owasp.org/www-pdf-archive/XML_Exteral_Entity_Attack.pdf

REF-498

XXE (Xml eXternal Entity) Attack
Gregory Steuck.
https://www.beyondsecurity.com/

REF-499

XML External Entities (XXE) Attack
WASC.
http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities

REF-500

XML Denial of Service Attacks and Defenses
Bryan Sullivan.
https://learn.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses

REF-501

Preventing XXE in PHP
Chris Cornutt.
https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html

Submission

Modifications