Defect Weekly, Issue 4: XML External Entity Injection - Vulnerability Warning - Black Bar Safety Net

2018-10-1100:00:00
Anonymous
www.myhack58.com

EPSS: 0.009 (Low), Percentile: 82.3%

Code audit is a method of discovering security defects in source code through static analysis. It helps developers and testers gain a more comprehensive understanding of the security concerns of a piece of software before it goes live, so that preventive measures can be taken. It has therefore long been a research hotspot in academia and industry, and has become an important technical component of security frameworks such as the Security Development Lifecycle (SDL) and DevSecOps.
Based on the first domestically developed commercial source-code security testing tool and on more than ten years of vulnerability research, the 360 Code Guardian team has launched the "Defect Weekly" series of columns. Each week the column covers one class of defect from standards such as CWE and OWASP, explaining it in detail with examples and tool usage, and is intended as a basic, standardized code-audit tutorial for developers and security personnel.
I. XML external entity injection
XML external entity injection is the vulnerability commonly known as XXE. XML is a widely used data transfer format, and many applications contain code that processes XML data; by default, many outdated or improperly configured XML processors resolve external entity references.
If an attacker can upload an XML document, or add malicious content to an XML document, through vulnerable code, dependencies or integrations, a defective XML processor can be attacked. The emergence of XXE vulnerabilities is language-independent: as long as an application parses XML data that is controlled by the user, it may be susceptible to XXE attacks. This article uses a Java program as an example to introduce the origin and repair of XXE vulnerabilities. For details of XXE, see CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html).
II. Impact of XML external entity injection
XXE vulnerabilities can be used to extract data, make requests to remote servers, scan internal systems, perform denial-of-service attacks and carry out other attacks. The business impact depends primarily on the affected application and its data protection needs.
As of 2018, CVE has published 92 vulnerability entries related to XXE. Some of these CVEs are listed below:
CVE-2018-8027
Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core contains an XXE vulnerability in the XSD validation processor.
CVE-2018-13439
The WXPayUtil class of the WeChat Pay Java SDK contains an XXE vulnerability.
CVE-2018-1000548
Umlet versions earlier than 14.3 contain an XML external entity injection vulnerability in file parsing that could lead to confidential data leaks, denial of service and server-side request forgery. The attack can be carried out through a specially crafted UXF file.
CVE-2018-1364
IBM Content Navigator 2.0 and 3.0 are vulnerable to XML external entity (XXE) attacks when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
III. Sample code
3.1 Defective code
The sample code in this section comes from an open-source payment Java SDK (https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=11_1). The source file is WXPayUtil.java, located at java-sdk-v3\src\main\java\com\github\wxpay\sdk.
![](/Article/UploadPic/2018-10/20181011175943881.jpg?www.myhack58.com)
In the code above, the data passed in through the xmlToMap parameter on line 25 is not filtered in any way, and the XML processor parses that data on line 32 without any security settings. In a real scenario the strXML parameter is controlled by the attacker, so an attacker can perform an XXE attack by constructing a malicious strXML.
Scanning the sample code above with 360 Code Guardian reports a "risky XML external entity injection" defect at line 32 of the file, as shown in Figure 1:
![](/Article/UploadPic/2018-10/20181011175943470.jpg?www.myhack58.com)
Figure 1: The risk of XML external entity injection is detected
3.2 Fixed code
![](/Article/UploadPic/2018-10/20181011175943779.jpg?www.myhack58.com)
![](/Article/UploadPic/2018-10/20181011175943798.png?www.myhack58.com)
In the fixed code above, line 28 uses an XML utility class, WXPayXmlUtil, to generate a secure XML processor. The most critical part of the WXPayXmlUtil class is line 16, where setFeature is used to completely disable DTDs in the generated XML processor. As Figure 2 shows, 360 Code Guardian detects no defects in the fixed code.
![](/Article/UploadPic/2018-10/20181011175943623.jpg?www.myhack58.com)
Figure 2: XXE vulnerability fix example
IV. How to avoid XXE vulnerabilities
Common avoidance methods:
1. Use simpler data formats such as JSON wherever possible, and avoid serializing sensitive data;
2. Promptly patch or update all XML processors and libraries used by the application or the underlying operating system. At the same time, use dependency checking, and update SOAP to version 1.2 or higher;
3. Disable XML external entities and DTD processing in all XML parsers in the application; for specific implementations, refer to the OWASP "XXE Prevention" Cheat Sheet (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet).
The following code is an example of a Java application using DocumentBuilderFactory to parse XML while protecting against XXE:
![](/Article/UploadPic/2018-10/20181011175943466.jpg?www.myhack58.com)
4. Input checking: use whitelist-based input validation and filtering on the server side to prevent malicious data from appearing in XML documents, headers or nodes.
5. For XML and XSL file upload functions, verify uploaded XML files with XSD validation or a similar validation method.
6. DAST tools require additional manual steps to inspect and exercise XXE vulnerabilities; SAST tools can discover XXE vulnerabilities by checking dependencies and security configuration.
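The following is an added example, not the SDK's own code, that applies the DocumentBuilderFactory hardening described in section 3.2 and in point 3 above to a parse routine shaped like xmlToMap. The class and method names are hypothetical, and the DOCTYPE sample input is constructed so that the rejection path can be seen without any external resource.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeSafeParserDemo {
    // Constructed sample input: a DOCTYPE declaring an (internal) entity.
    // The hardened parser must reject it before any entity is resolved.
    private static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE xml [ <!ENTITY demo \"constructed-entity-value\"> ]>\n"
      + "<xml><appid>&demo;</appid></xml>";

    // Hypothetical helper: a factory with DTD processing disabled, as the
    // OWASP XXE Prevention Cheat Sheet recommends for DocumentBuilderFactory.
    public static DocumentBuilderFactory newSecureFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary defence: forbid DOCTYPE declarations outright, so neither
        // external nor internal entities can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, should a parser implementation ignore the above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses strXML like the original xmlToMap does, but through the secure
    // factory; returns the root element name, or throws SAXException on a DOCTYPE.
    public static String parseRootName(String strXML) throws Exception {
        DocumentBuilder db = newSecureFactory().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(strXML.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getNodeName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document root: " + parseRootName("<xml><appid>x</appid></xml>"));
        try {
            parseRootName(SAMPLE_WITH_DTD);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Because disallow-doctype-decl rejects the document at the DOCTYPE itself, the check fires regardless of whether the entity is internal or points at a file or URL, which is why it is the first setting to apply.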
