A Hands-on XML External Entity Vulnerability Training Module

by Carrie Roberts Sept. 1, 2017 via SANS Institute

Many web applications that accept and respond to XML requests are vulnerable to XML External Entity (XXE) attacks because of the default settings of their XML parser. This vulnerability can be exploited to read arbitrary files from the server, including sensitive files such as the application's configuration files. This paper provides detailed instructions for building a vulnerable web application using the standard XML parser that ships with the Java Development Kit. A virtual machine image of the complete system is also provided, allowing experimentation with and visualization of the vulnerability. The virtual machine image can be used to provide engaging, hands-on XXE training for developers and intrusion analysts. Exploitation tools and techniques for reading the application's sensitive configuration file are demonstrated. A simple method for removing the vulnerability is reviewed. Finally, network intrusion analysis is performed to discover how the vulnerability was exploited and what sensitive information was exposed.
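The abstract notes that the JDK's default parser settings are what make the application vulnerable and that a simple configuration change removes the vulnerability. The following is an added example (not code from the paper or its virtual machine image) showing a `DocumentBuilderFactory` configured to reject DOCTYPE declarations and external entities, exercised on two constructed request bodies; the class name and sample XML are assumptions.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Build a DocumentBuilder whose settings differ from the JDK defaults:
    // the default parser resolves DOCTYPE declarations and external entities,
    // which is what makes XXE possible in the first place.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; this alone closes XXE for most applications.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, should a DOCTYPE ever have to be tolerated elsewhere.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse a request body with the hardened builder; a DOCTYPE is an error, not a feature.
    public static Document parse(String xml) throws Exception {
        return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request of the kind the paper's application accepts.
        String plain = "<order><item>widget</item></order>";
        // Constructed sample carrying a DOCTYPE with only an internal entity: the hardened
        // parser rejects the DOCTYPE itself, so it never reaches entity resolution at all.
        String withDoctype = "<!DOCTYPE order [<!ENTITY x \"test\">]><order>&x;</order>";

        System.out.println("plain parsed: " + parse(plain).getDocumentElement().getNodeName());
        try {
            parse(withDoctype);
            System.out.println("DOCTYPE accepted (parser is NOT hardened)");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

A network analyst can pair this with the paper's intrusion analysis: once the parser rejects DOCTYPEs, any request body containing one is a clear detection signal rather than a successful read of the configuration file.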