
  2. 6

    Great example of unnecessary complexity (“features” that shouldn’t have existed in the first place) resulting in total system compromise.

    1. 3

      Python’s defusedxml is probably the most famous library for defense against these attacks.

      1. 3

        It blows me away how common XXE is in the Java corporate world. I have tested my fair share of services that use the Java XML parsers that all seem to enable the external entity behaviour by default. I really have no idea who thought that this was a useful idea, but it is the example I use when I teach about using libraries without understanding how they work. I’d say that in-house Java developed software I’ve tested is about 80% vulnerable to XXE, and some XXEs can be worse than just arbitrary read primitives; matters are often made worse because of how often Java applications seem to be running as root or SYSTEM.

        1. 2

          Why do people feel the need to use formats/libraries with such large footguns?

          XML entity decoding resulted in at least one bug bounty from Facebook (that I’m aware of).

          YAML serialization bugs have caused problems before: https://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/

          1. 4

            Why do people feel the need to use formats/libraries with such large footguns?

            Sometimes ‘cuz they don’t know they’re there? In XML’s case the footgun isn’t very well labelled. It’s called “extensible markup language” not “extensible markup language that also makes network requests during parsing and stuff”.

            Like seriously, network requests during parsing? That’s such a dumb idea it’s almost inconceivable.

            I think it’s very common to only be keenly aware of the subset of any given file format that you’ve seen or produced yourself. e.g. XML internal entities have no practical use whatsoever, so you’re not going to write code that emits them, and you’re unlikely to ever see one in a document you got from someone else.

          2. 1
            <!DOCTYPE comment>
            <comment>
                <meta>
                    <type>comment</type>
                </meta>
                <content>
                    <paragraph>
                        <sentence>
                            <upper>i</upper>could add a rant about <upper>xml</upper>.
                        </sentence>
                        <sentence>
                            <upper>t</upper>hat will not make a single person stop using <upper>xml</upper> so why bother&#8230;
                        </sentence>
                        <sentence>
                            <upper>e</upper>verything is already <upper>xml</upper>, even this comment which is converted to <upper>xhtml</upper>.
                        </sentence>
                    </paragraph>
                </content>
            </comment>

            ;)
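An added example, not code from any commenter and not defusedxml itself: the defence that library is built around (refuse any DOCTYPE or entity declaration before the parser can act on it), written against Python's standard-library expat bindings so it runs without extra packages. The three documents are constructed samples; the `file:///placeholder-path` URI is a placeholder, not a real target.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or an entity."""


def parse_untrusted(doc: bytes) -> dict:
    """Parse untrusted XML; return {root, elements} or raise UnsafeXML."""
    parser = xml.parsers.expat.ParserCreate()
    summary = {"root": None, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entity declarations (internal or external) can only live inside a
        # DOCTYPE, so refusing the DOCTYPE itself stops both XXE and
        # entity-expansion ("billion laughs") before any entity is defined.
        raise UnsafeXML(f"DOCTYPE '{name}' not allowed in untrusted input")

    def on_entity_decl(*_):
        # Defence in depth: never reached once DOCTYPE is refused.
        raise UnsafeXML("entity declaration not allowed in untrusted input")

    def on_external_ref(*_):
        return 0  # never fetch anything; 0 tells expat the reference failed

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(doc, True)  # exceptions raised in handlers propagate here
    return summary


def is_accepted(doc: bytes) -> bool:
    try:
        parse_untrusted(doc)
        return True
    except UnsafeXML:
        return False


# Constructed samples: a harmless document, an external-entity document,
# and a small entity-expansion document.
SAFE_DOC = b"<comment><content><sentence>hi</sentence></content></comment>"
XXE_DOC = (b'<!DOCTYPE comment [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
           b"<comment>&ext;</comment>")
LAUGHS_DOC = b'<!DOCTYPE c [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><c>&b;</c>'
```

Note that the joke comment above, with its bare `<!DOCTYPE comment>`, would be refused by this check as well; that is the intended trade-off, since a parser for untrusted input has no reason to accept a DOCTYPE at all.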