What is missing or needs to be updated?
The .NET XXE section is missing some information.
"In .NET Framework versions 4.5.2 and up, XmlTextReader's internal XmlResolver is set to null by default, making the XmlTextReader ignore DTDs by default. The XmlTextReader can become unsafe if you create your own nonnull XmlResolver with default or unsafe settings."
The page claims that using a .NET version at or above 4.5.2 is safe when external entity resolving is not explicitly enabled.
There is an undocumented exception to this behaviour:
In ASP.NET applications there is a configuration value in the Web.config file (the targetFramework attribute of the httpRuntime element) that determines runtime/behavioural compatibility.
When this setting is either not present or below 4.5.2, loading of XML is still vulnerable to XXE no matter what .NET Framework version was used to compile the assemblies.
Despite this setting being automatically inserted when creating a new ASP.NET website, I've seen missing targetFrameworks leading to XXE vulnerabilities. Even on OWASP resources, the httpRuntime tag is often shown without a targetFramework. Ex:
Then set in config:
<system.web>
  <httpRuntime targetFramework="4.5"
    enableVersionHeader="false"
    encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"
    maxRequestLength="4096" />
</system.web>
and more.
This behaviour (to my knowledge) is not officially documented by Microsoft or any other source I could find.
The only mention I could find was this GitHub issue: https://github.com/Microsoft/dotnet/issues/910 .
How should this be resolved?
This should be mentioned in the XXE .NET resources to avoid a false sense of security on >= .NET 4.5.2 web applications.
It should also be mentioned on the more general .NET security page that setting an accurate frameworkVersion specifically in the httpRuntime is important.
If this is something you're interested in, I can submit a pull request.
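The following C# program is an added example and is not code from the issue author, from the OWASP page, or from the linked GitHub issue. It shows XML loading that does not depend on the httpRuntime targetFramework quirk described in the issue (DtdProcessing.Prohibit plus a null XmlResolver, set explicitly on both XmlReader and the legacy XmlTextReader), and a small audit that checks a Web.config for a targetFramework attribute on httpRuntime at or above 4.5.2. The XXE probe string and both Web.config fragments are constructed for the demonstration; the runtime self-check at the end assumes that AppDomainSetup.TargetFrameworkName reflects the httpRuntime targetFramework in an ASP.NET application, which is the mechanism the issue's description implies.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not part of the original issue or the OWASP page.
// Targets .NET Framework 4.x; compile as a console application.
static class XxeAndTargetFrameworkDemo
{
    // Constructed XXE probe: a DOCTYPE declaring an external entity. The hardened
    // parsers below reject the DOCTYPE itself, so the entity is never resolved.
    public const string XxeProbe =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///C:/Windows/win.ini\">]>\n" +
        "<r>&xxe;</r>";

    // Hardened parsing that does not rely on the 4.5.2 default or on any
    // httpRuntime targetFramework setting: prohibit DTDs and never resolve
    // external resources, on the reader and on the document.
    public static XmlDocument ParseHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any DOCTYPE -> XmlException
            XmlResolver = null                      // never fetch external resources
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    // The legacy pattern the issue is about. XmlTextReader's default XmlResolver is
    // only null when the effective target framework is >= 4.5.2; setting both
    // properties explicitly removes that dependency on Web.config.
    public static XmlDocument ParseWithLegacyReaderHardened(string xml)
    {
        using (var reader = new XmlTextReader(new StringReader(xml)))
        {
            reader.XmlResolver = null;
            reader.DtdProcessing = DtdProcessing.Prohibit;
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    // Audit a Web.config: is <system.web><httpRuntime targetFramework="..."> present
    // and at least 4.5.2? Config files never need a DTD, so the hardened parser is used.
    public static string AuditHttpRuntimeTargetFramework(string webConfigXml)
    {
        XmlDocument doc = ParseHardened(webConfigXml);
        XmlNode node = doc.SelectSingleNode("/configuration/system.web/httpRuntime");
        XmlAttribute attr = (node == null || node.Attributes == null)
            ? null : node.Attributes["targetFramework"];
        if (attr == null)
            return "MISSING: add targetFramework=\"4.5.2\" (or later) to <httpRuntime>; " +
                   "without it XmlTextReader/XmlDocument keep a non-null default XmlResolver";
        Version v;
        if (!Version.TryParse(attr.Value, out v))
            return "UNPARSEABLE targetFramework: " + attr.Value;
        return v >= new Version(4, 5, 2)
            ? "OK: targetFramework=" + attr.Value
            : "LOW: targetFramework=" + attr.Value + " is below 4.5.2";
    }

    static void Main()
    {
        // 1. Both hardened loaders refuse the DOCTYPE regardless of Web.config.
        foreach (Func<string, XmlDocument> load in
                 new Func<string, XmlDocument>[] { ParseHardened, ParseWithLegacyReaderHardened })
        {
            try { load(XxeProbe); Console.WriteLine("unexpected: DOCTYPE accepted"); }
            catch (XmlException e) { Console.WriteLine("rejected DOCTYPE: " + e.Message); }
        }

        // 2. Constructed Web.config fragments: the weak one as often shown (no
        //    targetFramework) beside the corrected one.
        const string weakConfig =
            "<configuration><system.web>" +
            "<httpRuntime enableVersionHeader=\"false\" maxRequestLength=\"4096\" />" +
            "</system.web></configuration>";
        const string fixedConfig =
            "<configuration><system.web>" +
            "<httpRuntime targetFramework=\"4.5.2\" enableVersionHeader=\"false\" maxRequestLength=\"4096\" />" +
            "</system.web></configuration>";
        Console.WriteLine(AuditHttpRuntimeTargetFramework(weakConfig));
        Console.WriteLine(AuditHttpRuntimeTargetFramework(fixedConfig));

        // 3. Runtime self-check (assumption: in ASP.NET this reflects httpRuntime targetFramework).
        string target = AppDomain.CurrentDomain.SetupInformation.TargetFrameworkName;
        Console.WriteLine("AppDomain target framework: " + (target ?? "(none set)"));
    }
}
```

The audit treats a missing attribute and a value below 4.5.2 as the same finding, matching the issue's point that compiling against a newer framework does not help; the explicit DtdProcessing/XmlResolver settings are what remove the dependency on Web.config altogether.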