XML External Entity DOS
Contents
Attack description
The XML standard allows the use of DTDs (Document Type Definitions) [1]. DTDs are meant to define the legal building blocks of an XML document. One feature of DTDs is the ability to define entities. Entities are variables used as shortcuts for strings or special characters. Typical examples of predefined entities are the entities used within HTML: when the "<" or ">" character is needed outside of HTML tags, it has to be replaced by its entity:
- the character ">" has the entity "&gt;"
- the character "<" has the entity "&lt;"
Entities that are not predefined can be declared internal or external.
- internal declaration - the entity is defined within the same document.
- external declaration - the entity is defined in an external document. Only the reference to the external document is given.
When included in a SOAP message, external entities can be used to cause denial of service scenarios by retrieving malicious external content during the parsing process.
NOTE: Since SOAP Version 1.2 [2], external entities are no longer allowed within SOAP messages. However, many web services do not implement the standard correctly, which is why they remain vulnerable to this attack. See [3] for more details:
"The XML infoset of a SOAP message MUST NOT contain a document type declaration information item."
NOTE: XML External Entity DOS attacks are a different form of XML Entity Expansion attacks. XML Entity Expansion attacks aim at creating large documents using DTDs that exhaust the resources of the web service. XML External Entity DOS attacks, by contrast, aim at exhausting the resources of the attacked web service by "just" retrieving malicious external files.
Attack subtypes
There are no attack subtypes for this attack.
Prerequisites for attack
In order for this attack to work, the following conditions have to be met:
- Attacker knows the endpoint of the web service; otherwise he is not able to reach the web service.
- Attacker can reach the endpoint from his location. Access to the attacked web service is required. If the web service is only available to users within a certain network of a company, the attack is limited.
Graphical representation of attack
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in attack.
Attack example
We use a modified example taken from the OWASP Guide "Testing for XML injection" [4]:
<?xml version="1.0"?>
<!DOCTYPE order [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >
]>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope" soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
<soap:Body xmlns:m="http://www.example.org/order">
<foo>&xxe;</foo>
</soap:Body>
</soap:Envelope>
Listing 1: Valid SOAP message
Attack mitigation / countermeasures
If you are sure that your web service framework implements the SOAP 1.2 standard correctly, you are not vulnerable to any of these attacks. In case you are not sure, the easiest and most straightforward way is to check manually, prior to parsing, whether a document type declaration (an opening <!DOCTYPE tag) is present. If that is the case, just discard the message.
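The following is an added example (not code from the original page or from any particular web service framework) of the countermeasure described above, written in Python using only the standard library's expat binding. It applies two checks: the cheap pre-parse gate the text recommends (the XML doctypedecl keyword is spelled exactly <!DOCTYPE and is case-sensitive, so a substring test on the decoded message is enough), and, for defence in depth, an expat StartDoctypeDeclHandler that aborts parsing before the entity declarations in the internal subset are even read, plus an ExternalEntityRefHandler that refuses to fetch any SYSTEM identifier should a DTD slip through. The two SOAP messages are constructed samples; MALICIOUS_SOAP is Listing 1, CLEAN_SOAP is the same request without a DTD.

```python
import xml.parsers.expat

# Constructed sample: the attack message from Listing 1 (a DOCTYPE whose
# external entity points at a source that never stops delivering bytes).
MALICIOUS_SOAP = """<?xml version="1.0"?>
<!DOCTYPE order [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >
]>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
<soap:Body><foo>&xxe;</foo></soap:Body>
</soap:Envelope>"""

# Constructed sample: the same request without any document type declaration.
CLEAN_SOAP = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
<soap:Body><foo>order-42</foo></soap:Body>
</soap:Envelope>"""


class DoctypeRejected(ValueError):
    """Raised when a SOAP message carries a DTD or an external entity reference."""


def has_doctype(message: str) -> bool:
    """Pre-parse gate on the already-decoded text (decode the transport
    encoding first: on raw UTF-16 bytes this substring would not match)."""
    return "<!DOCTYPE" in message


def scan_message(message: str) -> dict:
    """Parse with expat and abort at the first sign of a DTD.

    Returns {"status": "accepted"|"discarded", "reason": str|None,
             "elements": [names seen]} so callers can log why a message
    was dropped. An exception raised inside an expat handler propagates
    out of Parse(), which is what stops the parser before the ENTITY line.
    """
    result = {"status": "accepted", "reason": None, "elements": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires when "<!DOCTYPE order" is read, before the internal subset.
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in SOAP 1.2")

    def on_external_entity(context, base, sysid, pubid):
        # Second line of defence: never open the SYSTEM identifier.
        raise DoctypeRejected(f"refusing to resolve external entity {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: result["elements"].append(name)

    try:
        parser.Parse(message, True)
    except DoctypeRejected as exc:
        result["status"], result["reason"] = "discarded", str(exc)
    except xml.parsers.expat.ExpatError as exc:
        result["status"], result["reason"] = "discarded", f"malformed XML: {exc}"
    return result


def accept_message(message: str) -> str:
    """Policy wrapper: discard on the cheap gate first, then on the parser checks."""
    if has_doctype(message):
        return "discarded"
    return scan_message(message)["status"]


if __name__ == "__main__":
    for label, msg in (("listing 1", MALICIOUS_SOAP), ("clean", CLEAN_SOAP)):
        print(label, accept_message(msg), scan_message(msg)["reason"])
```

Discarding at the DOCTYPE rather than at the entity reference matters: by the time `&xxe;` is expanded, a parser that resolves external entities has already started reading from the SYSTEM identifier, and the never-ending read is exactly the denial of service. The `elements` list for the rejected message stays empty, which confirms that nothing past the declaration was processed.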
Attack categorisation
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
- Category:Attack_Categorisation_By_Violated_Security_Objective_Availability
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by number of involved parties
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_XML_Parser
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Application_Specific_Flaws
References
- Nishchal Bhalla and Sahba Kazerooni. Web services vulnerabilities. http://www.blackhat.com/presentations/bh-europe-07/Bhalla-Kazerooni/Whitepaper/bh-eu-07-bhalla-WP.pdf, February 2007. Accessed 01 July 2010.
- OWASP Foundation. Testing for XML injection. http://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29, January 2010. Accessed 01 July 2010.