XML External Entities

 An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.









Example:
The DtdProcessing.Parse property allows the XmlTextReader to process XML External Entities in such a way that an attacker can add the contents of files on the server to his XML data. Also, well-formed XML can cause XmlTextReader to add information from the Internet that was not originally intended.


It is recommended to avoid DTD processing. In order to achieve this in XmlTextReader, the DtdProcessing property has to be set to Ignore.



Example 2:
XML deserialization is performed with both allowed document type definition and URL resolving. An adversary can forge request data to obtain sensitive server data.


Both document type definition and URL resolving have to be disallowed if unknown XML structs are deserialized. So, DTD commands are ignored, and no XML resolver is used. In this case, only data transmission will be available, and an adversary won't be able to steal sensitive server data.
























Comments

Post a Comment

Popular posts from this blog

Scalability and high availability

 Scalability and high availability are critical principles in designing modern software architectures, particularly in distributed systems and cloud-based applications. Understanding these concepts helps ensure that applications can handle increasing loads and remain operational with minimal downtime. Below is a detailed explanation of both principles. Scalability Scalability refers to the ability of a system to handle increased loads without sacrificing performance or availability. It involves adding resources to a system to accommodate growing user demands, data volumes, or transaction rates. There are two primary types of scalability: 1. Vertical Scalability (Scale-Up) Definition : This involves adding more resources (CPU, memory, storage) to an existing server or node. Use Case : Ideal for applications that are not designed for distributed environments or require high levels of computational power. For example, upgrading a database server with more RAM to handle more queries. ...
Read more

Microservices and Service-Oriented Architecture

  Microservices Architecture and Service-Oriented Architecture (SOA) , along with their similarities, differences, and typical use cases. Microservices Architecture Microservices is an architectural style where applications are composed of small, independent services that communicate over a network. Each service is typically designed around a specific business function and operates as an isolated, self-contained unit. Here are some key characteristics: Independently Deployable : Each service can be developed, deployed, and scaled independently of others. Single Responsibility : Services are organized around business capabilities, such as “Order Processing” or “User Authentication.” Resilience : Each microservice operates independently, making the system more resilient since failures in one service do not necessarily impact others. Polyglot Persistence and Programming : Microservices allow for diverse technologies, frameworks, and databases across services, optimizing each service...
Read more

Version control and Continuous Integration/Continuous Deployment (CI/CD)

 Version control and Continuous Integration/Continuous Deployment (CI/CD) are fundamental practices in modern software development that enhance collaboration, maintainability, and quality of software projects. Below, we’ll explore each concept, including their principles, benefits, and key practices. Version Control Version Control is a system that records changes to files or sets of files over time, allowing developers to track and manage changes to their codebase. It facilitates collaboration among team members and provides a history of changes, making it easier to revert to previous versions if needed. Key Principles of Version Control Track Changes : Every change made to the codebase is recorded, allowing developers to see who made changes, what changes were made, and when. Branching and Merging : Developers can create branches to work on features or fixes in isolation without affecting the main codebase (usually referred to as the main or master branch). Once the work is co...
Read more