We work through the different XML methods provided and their corresponding vulnerable configurations. For all experiments, .NET framework 4.6 was chosen.
TL;DR: In order to create an XXE vulnerability for applications using .NET framework 4.6+, you have to instantiate a vulnerable XmlResolver beforehand.
XmlReader
In order to allow the processing of external DTDs, both the DtdProcessing and the XmlResolver attributes have to be set accordingly.The DtdProcessing attribute alone will not suffice.
The official Microsoft documentation states the following:
The XmlResolver type is used to resolve external XML resources, such as entities, document type definitions (DTDs), or schemas. It is also used to process include and import elements found in Extensible Stylesheet Language (XSL) style sheets or XML Schema definition language (XSD) schemas. (see https://docs.microsoft.com/de-de/dotnet/api/system.xml.xmlresolver?view=netframework-4.8)
An XmlResolver is used to access external documents. If set to null, an XmlException is thrown when the XmlReader tries to access an external resource. The default is a new XmlUrlResolver with no credentials. Starting with the .NET Framework 4.5.2, this setting has a default value of null. (see https://docs.microsoft.com/de-de/dotnet/api/system.xml.xmlreadersettings.xmlresolver?view=netframework-4.8)
No comments:
Post a comment