Home > Dotnet > XML External Entity Injection – Fix

XML External Entity Injection – Fix

We have a Web Service, which accepts ‘XML’ payload from client and processes.

Recently the ‘Web Service’ underwent Penetration testing (Also called ‘Ethical hacking’) and following vulnerability has been identified:

PenTest_1

Reason:

  • Our Web Service, processes the XML payload submitted by client using the following code snippet:

PenTest_2

  • We were not having XML payload validation in place.
  • There is possibility that hacker can inject malicious content in the XML and can cause a denial of service condition, gain access to unauthorized information available on the server where the ‘Web Service’ was hosted.

Fix:

  • We could fix the issue by setting ‘XmlResolver’ property to ‘Null’.
  • External resources are resolved using the ‘XmlResolver’ provided via XmlDocument.XmlResolver property, by setting ‘XMlResolver’ to Null, XML Parser would not resolve the external resources, which prevents accessing external resources (i.e., Files in the Serer where Web Service hosted).
  • Change the ‘XmlDocument’ object instantiation as below with ‘XmlResolver’ set to ‘Null’ solved our issue.

var xmlDocument = new XmlDocument { XmlResolver = null };

🙂

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: