OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International
27.75k stars 3.89k forks

Update: [XML_External_Entity_Prevention_Cheat_Sheet] #1281

Closed sum-catnip closed 7 months ago

sum-catnip commented 8 months ago

What is missing or needs to be updated?

The .NET XXE section is missing some Information.

In .NET Framework versions 4.5.2 and up, XmlTextReader's internal XmlResolver is set to null by default, making the XmlTextReader ignore DTDs by default. The XmlTextReader can become unsafe if you create your own non-null XmlResolver with default or unsafe settings.

The page claims that using a .NET version above or equal to 4.5.2 is safe when external entity resolving is not explicitly enabled. There is an undocumented exception to this behaviour:

In ASP.NET applications there is a configuration value in the Web.config file:

<system.web>
    <httpRuntime targetFramework="4.5.2" />
</system.web>

not to be confused with:

<compilation targetFramework="4.5.2" />

that determines runtime/behavioural compatibility. When this setting is either not present or below 4.5.2, loading of XML is still vulnerable to XXE no matter what .NET Framework version was used to compile the assemblies.

Despite this setting being automatically inserted when creating a new ASP.NET website, I've seen missing targetFrameworks leading to XXE vulnerabilities. Even on OWASP resources, the httpRuntime tag is often shown without a targetFramework, e.g.:

<system.web>
    <httpRuntime enableVersionHeader="false"/>
</system.web>

or:

Then set in config:

<system.web>
    <httpRuntime targetFramework="4.5"
        enableVersionHeader="false"
        encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"
        maxRequestLength="4096" />
</system.web>

and more.

This behaviour (to my knowledge) is not officially documented by Microsoft or any other source I could find. The only mention I could find was this GitHub issue: https://github.com/Microsoft/dotnet/issues/910.

How should this be resolved?

This should be mentioned in the XXE .NET resources to avoid a false sense of security on >= .NET 4.5.2 web applications. It should also be mentioned on the more general .NET security page that setting an accurate frameworkVersion specifically in the httpRuntime is important.

If this is something you're interested in, I can submit a pull request.
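The mitigation that does not depend on the httpRuntime compatibility level is to configure DTD handling explicitly on every reader instead of trusting the framework default. The following is an added example written for this thread, not code from the issue author, the proof-of-concept repo or the cheat sheet; the class and method names (HardenedXml, HardenedSettings, Load, IsRejected) and the two sample documents are hypothetical. It uses only the public System.Xml API: DtdProcessing.Prohibit makes XmlReader throw an XmlException on any DOCTYPE, and a null XmlResolver means nothing external is ever fetched, whatever targetFramework says.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example (hypothetical names): XML loading hardened explicitly,
// so it stays safe even when Web.config lacks <httpRuntime targetFramework>.
public static class HardenedXml
{
    // Reader settings that refuse DTDs outright and never resolve
    // external resources, independent of the runtime compatibility level.
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> raises XmlException
            XmlResolver = null                      // no external DTDs or entities fetched
        };
    }

    // Loads an XmlDocument through the hardened reader. The document's own
    // resolver is also nulled so later operations cannot fetch anything either.
    public static XmlDocument Load(string xml)
    {
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // True when the input is rejected by the hardened reader (i.e. it carried a DTD).
    public static bool IsRejected(string xml)
    {
        try
        {
            Load(xml);
            return false;
        }
        catch (XmlException)
        {
            return true;
        }
    }

    public static void Main()
    {
        // Constructed inputs: a plain document, and one carrying an internal DTD.
        // Even a harmless internal entity declaration is refused, which is the point:
        // the parser never gets far enough to consider resolving anything.
        const string plain = "<order><id>42</id></order>";
        const string withDtd = "<!DOCTYPE order [<!ENTITY e \"x\">]><order><id>&e;</id></order>";

        Console.WriteLine("plain root element: " + Load(plain).DocumentElement.Name);
        Console.WriteLine("document with DTD rejected: " + IsRejected(withDtd));
    }
}
```

Pair this with a configuration check: every `<httpRuntime>` element in the deployed Web.config should carry a `targetFramework` of at least 4.5.2, as the issue describes, since code that relies on the default resolver (for example `new XmlTextReader(...)` or `XmlDocument.LoadXml` with no explicit settings) inherits whatever behaviour that compatibility level selects.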

jmanico commented 8 months ago

We would love a PR on this, this is important stuff!

sum-catnip commented 8 months ago

Repo demonstrating the behaviour: https://github.com/sum-catnip/aspnet-452-xxe-poc