What is it?
• The XML 1.0 specification allows for “Entity Declaration”
• This allows XML documents to be more dynamic
• Here are a couple of examples
Who is affected?
• Lots of apps use XML
• Lots of formats rely on XML
• Lots of configuration files for apps use XML
• Lots of protocols rely on XML
• Some use it without even knowing it
Who cares?
• Attackers and defenders should care because…
this is also a valid XXE Declaration:
• …aaaaaand so is this!
What can you exploit?
• Denial of service
• File enumeration
• Network enumeration
• Port scanning
• Directory listing
• File exfiltration
…sometimes WITHOUT AUTH
How do you stop it?
• Coders that know about XXE don’t reflect XML back
• But that didn’t work well
• Because of error messages
• Because of response timing differences
• Because of the Timur Yunusov & Alexey Osipov Out-of-Band XXE attack
How do you stop it? Take two
• A lot of parser libraries added the option to disable XXE
• But that didn’t work well
• Because many coders don’t realize this is an attack vector
How do you stop it? Take three
• A lot of parser libraries disable XXE by default
• Actually works pretty well
• …provided your libraries are up to date.
• …and no dumb-ass developer re-enabled it
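A pre-parse check in the spirit of “take three”, added here as an example (it is not code from the slides): it uses Python’s standard-library expat binding to enumerate what a document’s DTD declares and refuses external entities, and by default any DOCTYPE, before the application parser ever sees the data. The function names `scan_entities`, `check_untrusted` and `classify` and the policy they enforce are this example’s own choices.

```python
# Added defensive example (not from the slides): pre-parse DTD/entity scan.
import xml.parsers.expat


class UnsafeXML(ValueError):
    """The document declares a DOCTYPE or entities that policy forbids."""


def scan_entities(data: bytes) -> dict:
    """Record what the DTD declares. Raw expat fetches nothing unless an
    ExternalEntityRefHandler is installed, so the scan itself is safe."""
    report = {"doctype": False, "internal": [], "external": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True
        if sysid or pubid:  # DOCTYPE pointing at an external DTD
            report["external"].append(("<external DTD>", sysid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # A SYSTEM/PUBLIC identifier means the entity body is read from
        # outside the document: the primitive XXE abuses for file reads,
        # enumeration and out-of-band exfiltration.
        if not sysid and not pubid:
            report["internal"].append(name)
        else:
            report["external"].append((name, sysid))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # references to external entities are skipped
    return report


def check_untrusted(data: bytes, allow_doctype: bool = False) -> dict:
    """Reject external entities always; reject any DOCTYPE unless allowed.
    Refusing every DOCTYPE is the 'disable DTDs' switch most parsers expose,
    and it also stops internal-entity expansion DoS (billion laughs)."""
    report = scan_entities(data)
    if report["external"]:
        raise UnsafeXML(f"external entities declared: {report['external']}")
    if report["doctype"] and not allow_doctype:
        raise UnsafeXML("DOCTYPE present; DTDs are disabled for untrusted input")
    return report


def classify(data: bytes) -> str:
    """Label a document 'clean', 'internal' (DTD with local entities) or 'external'."""
    report = scan_entities(data)
    if report["external"]:
        return "external"
    return "internal" if report["doctype"] else "clean"
```

Run `check_untrusted()` on every document that crosses a trust boundary and hand only documents that pass to the real parser; pair it with the parser’s own DTD/external-entity switches rather than relying on one layer.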
Summary
• XML is all over the place
• XXE is really bad
• If defending, make sure you are not vulnerable
• If attacking, make sure you test for XXE, because it’s really SWEET if you find it