How to Mitigate XXE Vulnerabilities in Python
Want to learn more about the XML External Entity (XXE)? Check out this post to learn more about how to mitigate XXE vulnerabilities in Python.
Join the DZone community and get the full member experience.Join For Free
XML External Entity Injection is often referred to as a variant of Server-side Request Forgery (SSRF). XXE leverages language parsers parse the widely used data format, XML, used in a number of common scenarios, such as SOAP and REST web services and file formats, such as PDF, DOCX, HTML.
The main issue lies in XML parsers and how, by default, they handle outbound network calls as well as other XML-specific features, which we will get into later. For a broader and more in-depth explanation of XXE, I would highly recommend going over our 2-part series first.
Python XML Libraries
In the Python ecosystem (2.X & 3.X), most — if not all — XML parsing is handled by the standard libraries:
And, in some cases, even
beautifulsoup, since as we said HTML is a subset of XML, we can parse XML using it. The good news is that
etree are not vulnerable to XXE by default. As a result, we’ll focus on
pulldom as it’s tightly knit to
The following example leverages the
pulldom module as well as
bottle to create a very minimal web service. It has a single endpoint, POST
/pulldom that receives the request body as XML, parses it, and returns it back.
import bottle from xml.dom.pulldom import START_ELEMENT, parse @bottle.post('/pulldom') def pulldom(): doc = parse(bottle.request.body) for event, node in doc: doc.expandNode(node) return(str(doc)) if __name__ == '__main__': bottle.run(host='0.0.0.0', port=5050)
The scanner can detect this by leveraging our AcuMonitor service by transmitting and receiving the following request and response during the scan:
POST http://localhost:5050/lxmlnet HTTP/1.1 Content-type: text/xml Host: localhost:5050 <!ENTITY dteyybzent SYSTEM "http://hitWP5ElLuA1m.bxss.me/"> ]> &dteyybzent;
In bold, you can see the
!ENTITY expansion pointing to a remote URL, which, in this case, routes to the AcuMonitor (under
HTTP/1.0 500 Internal Server Error Server: WSGIServer/0.1 Python/2.7.14 ... <body> <h1>Error: 500 Internal Server Error</h1> <p>Sorry, the requested URL <tt>'http://localhost:5050/lxmlnet'</tt> caused an error:</p> <pre>Internal Server Error</pre> </body> ...
The above is an HTTP Response truncated for clarity.
The server tried processing the payload internally and sent the request, which raised a
SAXParseException: http://hituxSWuqFxmy.bxss.me/:2:0: error in processing external entity reference
With security, the first question when receiving an input is along the lines of, “where is this data source coming from?” Given that the two most popular libraries,
etree, are safe from XXE attacks (though vulnerable to others), you are generally good to go from the standard library.
The alternative libraries,
sax, are, by design, required to pull XML from remote locations, which means that you should avoid using them for handling untrusted user XMLs in any form. Should you still opt to use the aforementioned libraries, you should wrap them with your own safe implementation that sanitizes input prior to processing it.
Published at DZone with permission of Juxhin Dyrmishi Brigjaj, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.