CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.8)  

Presentation Filter:

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

 
Improper Restriction of XML External Entity Reference ('XXE')
Weakness ID: 611 (Weakness Variant)Status: Draft
+ Description

Description Summary

The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Extended Description

XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. The XML parser can access the contents of this URI and embed these contents back into the XML document for further processing.

By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. For example, a URI such as "file:///c:/winnt/win.ini" designates (in Windows) the file C:\Winnt\win.ini, or file:///etc/passwd designates the password file in Unix-based systems. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning.

Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents.

+ Alternate Terms
XXE:

XXE is an acronym used for the term "XML eXternal Entities"

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

XML

Architectural Paradigms

Web-based

+ Common Consequences
ScopeEffect
Confidentiality

Technical Impact: Read application data; Read files or directories

If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.

Integrity

Technical Impact: Bypass protection mechanism

The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server's trust relationship with other entities.

Availability

Technical Impact: DoS: resource consumption (CPU); DoS: resource consumption (memory)

The software could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.

+ Observed Examples
ReferenceDescription
A browser control can allow remote attackers to determine the existence of files via Javascript containing XML script.
XXE during SVG image conversion
XXE in PHP application allows reading the application's configuration file.
XXE in database server
XXE in rapid web application development framework allows reading arbitrary files.
XXE via XML-RPC request.
XXE in office document product using RDF.
XXE in web-based administration tool for database.
XXE in product that performs large-scale data analysis.
XXE in XSL stylesheet functionality in a common library used by some web browsers.
+ Potential Mitigations

Phases: Implementation; System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory442Web Problems
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class610Externally Controlled Reference to a Resource in Another Sphere
Research Concepts (primary)1000
ChildOfCategoryCategory990SFP Secondary Cluster: Tainted Input to Command
Software Fault Pattern (SFP) Clusters (primary)888
PeerOfWeakness ClassWeakness Class441Unintended Proxy or Intermediary ('Confused Deputy')
Research Concepts1000
+ Relationship Notes

CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the "Server" portion of the SSRF acronym does not necessarily apply.

+ Relevant Properties
  • Accessibility
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
WASC43XML External Entities
Software Fault PatternsSFP24Tainted input to command
+ References
OWASP. "XML External Entity (XXE) Processing". <https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing>.
Sascha Herzog. "XML External Entity Attacks (XXE)". 2010-10-20. <https://www.owasp.org/images/5/5d/XML_Exteral_Entity_Attack.pdf>.
Gregory Steuck. "XXE (Xml eXternal Entity) Attack". <http://www.securiteam.com/securitynews/6D0100A5PU.html>.
Bryan Sullivan. "XML Denial of Service Attacks and Defenses". September, 2009. <http://msdn.microsoft.com/en-us/magazine/ee335713.aspx>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
2010-02-16CWE Content TeamMITREInternal
updated Taxonomy_Mappings
2010-09-27CWE Content TeamMITREInternal
updated Background_Details, Other_Notes
2011-03-29CWE Content TeamMITREInternal
updated Name
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2013-02-21CWE Content TeamMITREInternal
updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Taxonomy_Mappings
2014-07-30CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2011-03-29Information Leak Through XML External Entity File Disclosure
2013-02-21Information Exposure Through XML External Entity Reference
Page Last Updated: July 30, 2014