WEBVTT

00:00:00.000 --> 00:00:06.900 align:middle line:90%


00:00:06.900 --> 00:00:10.020 align:middle line:84%
Welcome to the third and last
part of the XML External Entities

00:00:10.020 --> 00:00:11.100 align:middle line:90%
session.

00:00:11.100 --> 00:00:14.460 align:middle line:84%
In this part, we will discuss
XML external entities flaws

00:00:14.460 --> 00:00:15.750 align:middle line:90%
mitigation.

00:00:15.750 --> 00:00:17.280 align:middle line:84%
We will start
discussing what makes

00:00:17.280 --> 00:00:18.960 align:middle line:84%
an application
vulnerable, and then we

00:00:18.960 --> 00:00:21.930 align:middle line:84%
will hunt OWASP Juice Shop
vulnerable source code.

00:00:21.930 --> 00:00:24.240 align:middle line:84%
Before closing the session,
we will discuss how

00:00:24.240 --> 00:00:26.400 align:middle line:90%
to avoid such vulnerabilities.

00:00:26.400 --> 00:00:30.220 align:middle line:84%
If an application accepts
XML directly, allows XML file

00:00:30.220 --> 00:00:32.790 align:middle line:84%
uploads, or arbitrary
input data to be inserted

00:00:32.790 --> 00:00:37.050 align:middle line:84%
into XML templates later
parsed by an XML processor,

00:00:37.050 --> 00:00:39.640 align:middle line:90%
then it might be vulnerable.

00:00:39.640 --> 00:00:42.060 align:middle line:84%
If any of the XML processors
in the application,

00:00:42.060 --> 00:00:46.470 align:middle line:84%
or other integrated services,
is outdated or has DTD, Document

00:00:46.470 --> 00:00:49.140 align:middle line:84%
Type Definition, enabled,
then the application

00:00:49.140 --> 00:00:51.030 align:middle line:90%
may be vulnerable or at risk.

00:00:51.030 --> 00:00:54.300 align:middle line:84%
Security Assertion
Markup Language uses XML.

00:00:54.300 --> 00:00:56.220 align:middle line:84%
If you're using it
for single sign-on,

00:00:56.220 --> 00:00:58.320 align:middle line:84%
then your application
may be vulnerable.

00:00:58.320 --> 00:01:01.710 align:middle line:84%
SOAP prior to version
1.2, when XML entities

00:01:01.710 --> 00:01:03.210 align:middle line:84%
are passed to the
SOAP framework,

00:01:03.210 --> 00:01:06.260 align:middle line:90%
is likely vulnerable to XXE.

00:01:06.260 --> 00:01:09.640 align:middle line:84%
Let's have a look
at the source code.

00:01:09.640 --> 00:01:12.490 align:middle line:84%
From the project page, we can jump
directly to the GitHub repo

00:01:12.490 --> 00:01:14.320 align:middle line:90%
and find the file upload route.

00:01:14.320 --> 00:01:47.380 align:middle line:90%


00:01:47.380 --> 00:01:49.855 align:middle line:84%
This is a function that
handles the XML upload.

00:01:49.855 --> 00:02:05.640 align:middle line:90%


00:02:05.640 --> 00:02:09.524 align:middle line:84%
xmlDoc is the result of calling
the parseXml function, passing

00:02:09.524 --> 00:02:10.649 align:middle line:90%
in the uploaded file's content.

00:02:10.649 --> 00:02:14.230 align:middle line:90%


00:02:14.230 --> 00:02:16.360 align:middle line:84%
Several options are
passed to the function,

00:02:16.360 --> 00:02:20.640 align:middle line:84%
noent is the most
suggestive one.

00:02:20.640 --> 00:02:23.790 align:middle line:84%
Let's find package documentation
and see what this option does.

00:02:23.790 --> 00:02:34.370 align:middle line:90%


00:02:34.370 --> 00:02:38.390 align:middle line:84%
The XML processor is part
of the libxmljs2 package.

00:02:38.390 --> 00:03:20.150 align:middle line:90%


00:03:20.150 --> 00:03:22.040 align:middle line:84%
The parseXmlString
function sounds

00:03:22.040 --> 00:03:23.690 align:middle line:90%
like what we are looking for.

00:03:23.690 --> 00:03:25.385 align:middle line:84%
Let's see what options
it accepts.

00:03:25.385 --> 00:03:34.330 align:middle line:90%


00:03:34.330 --> 00:03:39.310 align:middle line:84%
The noent option: when set to
true, entity occurrences

00:03:39.310 --> 00:03:41.440 align:middle line:84%
will be replaced by
the content they hold,

00:03:41.440 --> 00:03:43.300 align:middle line:84%
previously retrieved
by the processor

00:03:43.300 --> 00:03:45.970 align:middle line:90%
from the resource they point to.

00:03:45.970 --> 00:03:48.220 align:middle line:84%
This is what makes
Juice Shop vulnerable.

00:03:48.220 --> 00:03:50.605 align:middle line:84%
It should be set to false
to prevent XXE attacks.

00:03:50.605 --> 00:03:54.010 align:middle line:90%


00:03:54.010 --> 00:03:57.190 align:middle line:84%
Make sure that all XML
processors and libraries in use

00:03:57.190 --> 00:04:00.100 align:middle line:84%
by the application or on the
underlying operating system

00:04:00.100 --> 00:04:03.630 align:middle line:84%
are up to date and the latest
security patches have been applied.

00:04:03.630 --> 00:04:06.460 align:middle line:84%
Upgrade SOAP to
SOAP 1.2 or higher.

00:04:06.460 --> 00:04:09.970 align:middle line:84%
Disable XML External Entities
and document type definition

00:04:09.970 --> 00:04:12.370 align:middle line:90%
features in all XML processors.

00:04:12.370 --> 00:04:15.130 align:middle line:84%
Check the OWASP XXE
Prevention Cheat Sheet

00:04:15.130 --> 00:04:17.769 align:middle line:84%
to get more details on how to
do it for several programming

00:04:17.769 --> 00:04:19.570 align:middle line:90%
languages and frameworks.

00:04:19.570 --> 00:04:22.270 align:middle line:84%
Proper server-side input
validation, filtering,

00:04:22.270 --> 00:04:25.600 align:middle line:84%
and sanitisation are mandatory
to prevent hostile data

00:04:25.600 --> 00:04:28.360 align:middle line:84%
from being included in XML
documents, headers,

00:04:28.360 --> 00:04:31.450 align:middle line:90%
or other integrated systems.

00:04:31.450 --> 00:04:34.510 align:middle line:84%
In our next session, we will
discuss broken access control

00:04:34.510 --> 00:04:35.290 align:middle line:90%
flaws.

00:04:35.290 --> 00:04:37.840 align:middle line:84%
Until then, take your
time to carefully read

00:04:37.840 --> 00:04:42.060 align:middle line:84%
the XML External Entities
section of OWASP Top 10.

00:04:42.060 --> 00:04:43.000 align:middle line:90%