Some of the ways to prevent XML External Entity attacks, according to OWASP, are:
Whenever possible, use less complex data formats ,such as JSON, and avoid serialization of sensitive data.
Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system.
Use dependency checkers (update SOAP to SOAP 1.2 or higher).
Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet ‘XXE Prevention.’
Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
SAST tools can help detect XXE in source code – although manual code review is the best alternative in large, complex applications with many integrations.
If these controls are not possible, consider using:
Virtual patching
API security gateways
Web Application Firewalls (WAFs) to detect, monitor, and block XXE attacks
Post a Comment