
Is it true (or does it at least make sense) that one can have an XXE attack on JavaScript? That is, when trying to parse XML with JS, does it process external entities? But this parsing is executed client-side, am I right? What harm can it do to a server?

How can we prevent such attacks on the JavaScript XML DOM, jQuery or the like?

Thank you! Cheers

pnpo
  • Might search / post here as well: http://security.stackexchange.com/ – ken Aug 01 '14 at 21:55
  • 1
    why don't you test it out? put some XML that does XXE on a site, hit it with your browser, and see if the browser reaches out to load those external entities. – Marc B Aug 01 '14 at 21:56
  • Sure, I will try it out. My question was more about the feasibility and the point of doing such an attack. – pnpo Aug 01 '14 at 22:40

1 Answer


No, maybe old Internet Explorers were vulnerable, but current browsers are not. (I tested it about 2 years ago with the IE, FF, Chrome and Opera desktop browsers. I could not find an installer to try out, but there were rumors that this kind of attack is maybe possible with IE5 or IE6. So this is just interesting, not a real threat in client-side programming.)

In general, if you want to prevent such an attack, you have to turn off the processing of external entities in your XML parser, that's all.

inf3rno
  • Thank you for the answer. It seems reasonable that it doesn't make sense in client-side programming. Do you know any way to switch off this processing of external entities in JavaScript? I couldn't find it in my searches... – pnpo Aug 01 '14 at 22:34
  • It is because there is no such feature in client-side XML parsers. It is disabled by default, and you cannot turn it on. For example, in PHP libxml it is enabled by default, and you should always turn it off with `libxml_disable_entity_loader(true)`. With Java JAXB you can turn it off this way: http://stackoverflow.com/questions/12977299/preven-xxe-attack-with-jaxb , and so on... It really depends on the API of the XML parser you want to use... – inf3rno Aug 02 '14 at 08:12
  • Some links might be interesting for you: [Browser support for DTD loading](http://en.wikipedia.org/wiki/Comparison_of_layout_engines_%28XML%29#Schema_technologies), [XXE success by msie7](https://blogs.oracle.com/mindless/entry/browser_support_for_xml_external), [XXE possibilities in browsers](http://maliciousmarkup.blogspot.hu/2008/11/fun-with-xxe-data-islands-and-parseuri.html). – inf3rno Aug 02 '14 at 08:23
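Where the parser behind your JavaScript gives you no switch for entity handling, as the comments above note for browser parsers, the usual fallback is to refuse any document that declares a DOCTYPE before it reaches the parser. This is an added example, not code from the question or the answer; `parseXmlSafely` and the sample documents are constructed for illustration, and the `parse` callback stands in for whatever parser you actually use (browser `DOMParser`, a Node library, ...).

```javascript
// Added example: refuse XML that carries a DOCTYPE before handing it to a parser.
// A DOCTYPE is the only place entities (external or internal) can be declared,
// so rejecting it up front blocks XXE and entity-expansion DoS regardless of
// how the parser behind it is configured. Rejecting every DOCTYPE is deliberate.

// Returns true when the document prolog contains a <!DOCTYPE declaration.
// Only the prolog is scanned: the XML declaration, comments and processing
// instructions are skipped, and scanning stops at the root element.
// The match is case-insensitive to stay conservative with lenient parsers.
function prologHasDoctype(xml) {
  let i = 0;
  while (i < xml.length) {
    if (/\s/.test(xml[i])) { i++; continue; }
    if (xml[i] !== '<') return false;            // stray text; leave it to the parser
    if (xml.startsWith('<!--', i)) {             // comment
      const end = xml.indexOf('-->', i + 4);
      if (end < 0) return false;
      i = end + 3;
    } else if (xml.startsWith('<?', i)) {        // XML declaration or PI
      const end = xml.indexOf('?>', i + 2);
      if (end < 0) return false;
      i = end + 2;
    } else {
      return xml.slice(i, i + 9).toUpperCase() === '<!DOCTYPE';
    }
  }
  return false;
}

// Wrap any parser behind the check; `parse` is whatever parser function you use.
function parseXmlSafely(xml, parse) {
  if (prologHasDoctype(xml)) {
    throw new Error('XML rejected: DOCTYPE declarations are not allowed');
  }
  return parse(xml);
}

// Constructed sample inputs (not real traffic); the SYSTEM URI is a placeholder.
const SAMPLES = {
  plain: '<?xml version="1.0"?>\n<!-- ok -->\n<user><name>alice</name></user>',
  externalEntity:
    '<?xml version="1.0"?>\n<!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///placeholder">]>\n' +
    '<user><name>&xxe;</name></user>',
  lowercaseDoctype: '<!doctype user [<!ENTITY a "aaaa">]><user>&a;</user>',
  doctypeInComment: '<!-- <!DOCTYPE not-a-declaration> --><user/>',
};
```

Server-side, this is a pre-filter only; the parser's own switch (such as the `libxml_disable_entity_loader(true)` call named above) remains the primary control.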