What You Didn't Know About XML External Entities Attacks

Presented at AppSec USA 2013, Nov. 20, 2013, 2 p.m. (50 minutes)

Video of session: https://www.youtube.com/watch?v=eHSNT8vWLfc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=9 The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects.  Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs) are a well-known source of potential security problems.  Despite being a publicly discussed for more than a decade, a significant percentage of software using XML remains vulnerable to malicious schemas and DTDs.  This talk will describe a collection of techniques for exploiting XML external entities (XXE) vulnerabilities, some of which we believe are novel.  These techniques can allow for more convenient file content theft, sending of arbitrary data to arbitrary internal TCP services, uploads of arbitrary files to known locations on a vulnerable system, as well as several possible denial of service attacks. We hope this talk will raise awareness about the overall risk associated with XXE attacks and will provide recommendations that developers and XML library implementors can use to help prevent these attacks.


  • Timothy Morgan
    Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, and Oracle WebLogic Application Server. Tim develops and maintains several open source forensics tools as well as Bletchley, an application cryptanalysis tool kit. Tim presented a training course on application cryptanalysis at AppSecUSA 2012. He regularly gives technical talks on a variety of security topics to local special interest groups and at private training sessions.


Similar Presentations: