SG0007.htm

<!DOCTYPE html>
<html lang="en">
<head>
  <title>XML parsing vulnerable to XXE - Roslyn Security Guard</title>
  <meta charset="utf-8">

  <link href="css/bootstrap.min.css" media="screen" rel="stylesheet">
  <link href="css/bootstrap-theme.min.css" media="screen" rel="stylesheet">
  <link href="//fonts.googleapis.com/css?family=Ubuntu:400,500,700,400italic" rel="stylesheet" type="text/css">
  <link href="css/font-awesome.min.css" media="screen" rel="stylesheet">
  <!-- Custom styles -->
  <link href="css/styles.css" media="screen" rel="stylesheet">

  <!-- Mobile support -->
  <meta content="width=device-width, initial-scale=1" name="viewport">

  <meta property="og:locale" content="en_US" />
  <meta property="og:type" content="website" />
  <meta property="og:title" content="Roslyn Security Guard" />
  <meta property="og:description" content="Security Guard is a set of Roslyn analyzers that aim to help security audits on .NET applications." />
  <meta property="og:site_name" content="Roslyn Security Guard" />
  <meta name="twitter:card" content="summary" />
  <meta name="twitter:description" content="Security Guard is a set of Roslyn analyzers that aim to help security audits on .NET applications." />
  <meta name="twitter:title" content="Roslyn Security Guard" />

  <meta name="keywords" content="security,owasp,csharp,c#,vb,.net,dotnet,asp.net,mvc,scanner,vulnerability,injection" />

  <!-- IE 6-8 support of HTML 5 elements -->
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <!--[if lt IE 9]>
  <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
  <![endif]-->
</head>
<body>

<a id="skippy" class="sr-only sr-only-focusable" href="#content"><div class="container"><span class="skiplink-text">Skip to main content</span></div></a>

<header class="navbar navbar-default navbar-fixed-top" id="top" role="banner">
  <div class="container">
    <div class="navbar-header">
      <button class="navbar-toggle collapsed" type="button" data-toggle="collapse" data-target="#vertx-navbar-collapse">
        <span class="sr-only">Toggle navigation</span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
      </button>

      <a href="/" class="navbar-brand"><img alt="Security Guard Logo" src="images/logo-small.png"></a>

    </div>
    <nav class="collapse navbar-collapse" id="vertx-navbar-collapse">
      <ul class="nav navbar-nav navbar-right">
        <li><a href="index.htm">Download</a></li>
        <li><a href="#comingsoon">Tutorial</a></li>
        <li><a href="rules.htm">Rules</a></li>
      </ul>
    </nav>
  </div>
</header>
<div class="index-header jumbotron jumbotron-ad hidden-print">
    <div class="container">
        <h2>XML parsing vulnerable to XXE</h2>
        <a href="/rules.htm" class="btn-info btn-sm" role="button">Back to rules list</a>
    </div>
</div>

<section id="rule" class="rule-single">
    <div class="container highlight highlight-left">


  
<p>
    The XML parser is configured incorrectly. The operation could be vulnerable to XML eXternal Entity (XXE) processing.
</p>

<h3>Risk</h3>

<p>
    
</p>

<h3>Vulnerable Code</h3>

<pre>
XmlReaderSettings settings = new XmlReaderSettings();
settings.ProhibitDtd = false;
XmlReader reader = XmlReader.Create(inputXml, settings);
</pre>

<pre>
XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Parse;
XmlReader reader = XmlReader.Create(inputXml, settings);
</pre>

<h3>Solution</h3>

<pre>
//Avoid overriding the secure settings
XmlReader reader = XmlReader.Create(inputXml);
</pre>

<pre>
XmlReaderSettings settings = new XmlReaderSettings();
settings.ProhibitDtd = true;
XmlReader reader = XmlReader.Create(inputXml, settings);
</pre>

<pre>
XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Ignore;
XmlReader reader = XmlReader.Create(inputXml, settings);
</pre>

<h3>References</h3>

<p>
    <a href="http://cwe.mitre.org/data/definitions/611.html">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a><br />
    <a href="https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61702260">CERT: IDS10-J. Prevent XML external entity attacks</a><br />
    <a href="https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing">OWASP.org: XML External Entity (XXE) Processing</a><br />
    <a href="http://www.ws-attacks.org/index.php/XML_Entity_Expansion">WS-Attacks.org: XML Entity Expansion</a><br />
    <a href="http://www.ws-attacks.org/index.php/XML_External_Entity_DOS">WS-Attacks.org: XML External Entity DOS</a><br />
    <a href="http://www.ws-attacks.org/index.php/XML_Entity_Reference_Attack">WS-Attacks.org: XML Entity Reference Attack</a><br />
    <a href="http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html">Identifying Xml eXternal Entity vulnerability (XXE)</a>
</p>

    </div>
</section>

<br/><br/>
<footer>
<div class="highlight-gray">
  <div class="container footer text-center">
        <p>.NET Security Guard is open source licensed under the <a href="https://www.gnu.org/licenses/lgpl-3.0.en.html">GNU Lesser General Public License 3.0 (LGPL)</a>.</p>
  </div>
</div>
</footer>

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<!-- Google Analytics -->
<script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-90570539-1', 'auto');
  ga('send', 'pageview');

</script>

</body>
</html>