
Cdebrincat for ShiftLeft

Originally published at blog.shiftleft.io

CWE-611

Improper Restriction of XML External Entity Reference

CWE-611 refers to vulnerabilities that arise when an application processes an XML document that contains entities referring to external URIs. These URIs resolve to assets outside the control of the application, resulting in the potentially unsafe execution of actions dictated by the outside assets.

Why improper restriction of XML external entity references is problematic

Improper restriction of XML external entity references can allow malicious parties to interfere with the application’s processing of XML data, letting them alter the application’s logic, perform unauthorized actions, and access sensitive data.

How XML-related vulnerabilities occur

XML is used to store and transport data using a tree-like structure of tags and data. XML documents can contain a document type definition (DTD) whose declarations define the structure of the XML document, the permitted data values, and so on. The DTD can be placed within the document itself, or it can refer to an external version. Within DTDs, you can declare “XML entities”, which are used to refer to values in the document, much like variables in programming languages.

There is a special type of XML entity called an “external entity”. External entities are used to access local or remote content via a URL. When the application accepts user input that is included in an XML document or parsed as an XML document, a malicious party can provide malicious XML external entity definitions that point to unintended destinations, such as the URI of sensitive files on the system. The XML parser would then resolve the entity and return the sensitive file to the malicious actor.

Mitigating XML external entity references-related vulnerabilities

XML-related vulnerabilities typically result from improper software architecture. As such, the key practice for mitigating and remediating XML-related vulnerabilities is to validate and sanitize any user input that you might use in an XML document.

Additionally, it’s possible to block key XML metacharacters or escape them (for example, replacing < and > with &lt; and &gt;).
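The two practices above, escaping user-supplied text before it is embedded in XML and refusing any DTD (and therefore any entity declaration, external or internal) when parsing untrusted XML, as an added Python example that is not part of the original post; it uses only the standard library, and the file URI in the sample input is a constructed placeholder:

```python
import xml.parsers.expat
from xml.sax.saxutils import escape


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def user_value_to_xml(tag: str, user_value: str) -> str:
    """Embed untrusted text as character data: < > & become &lt; &gt; &amp;,
    so the value can never introduce markup or an entity reference."""
    return f"<{tag}>{escape(user_value)}</{tag}>"


def parse_untrusted_xml(data: str) -> dict:
    """Parse XML into {tag: text}, rejecting any DTD. Without a DTD there is
    no place to declare an entity, so no external URI can ever be resolved."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack = {}, []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} not allowed in untrusted input")

    def reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DtdNotAllowed(f"entity {name!r} declaration not allowed")

    def collect_text(text):  # expat may deliver text in several chunks
        result[stack[-1]] = result.get(stack[-1], "") + text

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 0  # refuse
    parser.StartElementHandler = lambda tag, attrs: stack.append(tag)
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = collect_text
    parser.Parse(data, True)
    return result


def rejects_dtd(data: str) -> bool:
    """True if the parser refused the document because it declared a DTD."""
    try:
        parse_untrusted_xml(data)
    except DtdNotAllowed:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: an external entity pointing at a placeholder file URI.
    XXE_SAMPLE = ('<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
                  '<d>&ext;</d>')
    print("rejected:", rejects_dtd(XXE_SAMPLE))
    print(parse_untrusted_xml(user_value_to_xml("comment", "a < b & c")))
```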

TL;DR

  • CWE-611 issues typically result from software architecture decisions that allow users to provide input that’s then used by the application.
  • The key protective measure is to sanitize or escape all user input used in XML, though escaping or blocking key XML metacharacters is also protective.
