XXE

An XML External Entity (XXE) attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, and other unwanted consequences.

tCell's App Firewall monitors for XXE attack attempts and can be used to block the attackers. tCell also notifies the designated people in an organization of the XXE event and provides them with the necessary details to quickly address the vulnerability.

What is it?

An XXE attack occurs when a malicious actor uploads XML fragments containing references to external entities. The server must be configured to accept and parse XML, and must allow Document Type Definitions (DTDs) in uploaded XML documents. Malicious actors can declare entities in these DTDs that attempt to access or modify sensitive resources. For example, the XXE payload below attempts to expose the file /etc/passwd. Once the server accepts this input, subsequent expansions of the &xxe; entity referenced inside <foo> may expose user data.

XXE Example

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

The security best practice to avoid being vulnerable to XXE is to disallow DTDs in all XML inputs.

How do malicious actors find vulnerabilities?

Most commonly, a malicious actor would use an application security scanner to scan an application for XXE vulnerabilities. The attacker may then perform additional manual exploration based on the scanner's results and custom-build XXE payloads based on the vulnerable application's endpoint configuration.

How tCell prevents XXE attacks

tCell protects against XXE attacks through a multi-step process.

  1. The tCell agent checks for Content-Type header value matches against valid XML MIME types.
  2. For each matching request, the tCell agent evaluates a set of configured regular expressions against the request body. tCell provides a default regex that will match all XXE attacks, but users can configure additional regexes or make the default more specific.
  3. Based on the App Firewall policy, tCell will report or block suspicious XXE requests. Users can view XXE data in the App Firewall Monitoring Events view and the App Firewall dashboard.

tCell also protects against XML-based attacks that are not technically XXE. The default XXE regex will protect against malicious payloads exploiting internal XML entities as well. The Billion Laughs attack is a classic example of this type of attack.
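As an added illustration of the three-step process above and of the internal-entity case just mentioned, the following Python mock (not tCell's own code or its default regex) applies the same Content-Type gating and body pattern matching to constructed sample requests. The media-type list, the two regular expressions, the event labels and the sample bodies are assumptions made for this example.

```python
import re

# Step 1: media types treated as XML (constructed for this example, not
# tCell's own list of valid XML MIME types).
XML_MEDIA_TYPES = {"text/xml", "application/xml", "application/soap+xml"}

# Step 2 patterns (constructed, not tCell's default regex). The first matches
# any DOCTYPE whose internal subset declares an entity, which covers external
# entities (XXE) and internal entity expansion (Billion Laughs) alike; the
# second singles out the external (SYSTEM/PUBLIC) case.
ENTITY_DECL = re.compile(r"<!DOCTYPE\b[^>]*\[.*?<!ENTITY\b", re.I | re.S)
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)


def content_type_is_xml(content_type):
    """Step 1: compare the media type only, ignoring parameters like charset."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in XML_MEDIA_TYPES or media_type.endswith("+xml")


def classify_request(headers, body):
    """Steps 2-3: None when no event is raised, otherwise an event label."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not content_type_is_xml(lowered.get("content-type", "")):
        return None  # bodies of non-XML requests are not inspected
    if EXTERNAL_ENTITY.search(body):
        return "xxe-external-entity"
    if ENTITY_DECL.search(body):
        return "xml-internal-entity"
    return None


# Constructed samples: the page's /etc/passwd payload, a two-level internal
# entity body in the Billion Laughs style, a benign document, and the XXE
# body sent with a non-XML Content-Type (not inspected by step 1).
XXE_BODY = ('<?xml version="1.0" encoding="ISO-8859-1"?>\n<!DOCTYPE foo [\n'
            '<!ELEMENT foo ANY >\n<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
            '<foo>&xxe;</foo>')
LAUGHS_BODY = ('<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
               '<!ENTITY lol1 "&lol;&lol;&lol;">]><lolz>&lol1;</lolz>')
SAMPLES = {
    "xxe": ({"Content-Type": "text/xml; charset=ISO-8859-1"}, XXE_BODY),
    "laughs": ({"content-type": "application/soap+xml"}, LAUGHS_BODY),
    "benign": ({"Content-Type": "application/xml"},
               '<?xml version="1.0"?><order><id>42</id></order>'),
    "not_xml": ({"Content-Type": "application/json"}, XXE_BODY),
}


def run_samples():
    """Classify every sample; returns {name: event label or None}."""
    return {name: classify_request(h, b) for name, (h, b) in SAMPLES.items()}
```

The last sample shows the caveat a practitioner should keep in mind: a body is only examined when the Content-Type is recognised as XML, so the media-type list must cover every XML type the application actually parses.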