Hacking exposed mobile


Hacking Exposed: Mobile Security Secrets & Solutions

the SAXParser class to process XML either from a web service or from an untrusted source such as another Android application, then the application should either disable DTD processing or limit the number of entity expansions, just as back-end systems are hardened against XML-based denial of service attacks. On the iOS side, NSXMLParser detects the entity expansion attack and aborts parsing with an NSXMLParserEntityRefLoopError before a denial of service condition occurs, but developers who choose an XML parser other than the one Apple provides should carefully review that parser's options.

XML Entity Reference Besides causing a denial of service condition, an attacker can also abuse XML entities to read local files stored on the web server. Consider the following example, an XML document that defines an external entity called fileContents pointing to the hosts file on Windows and then references that entity later in the document:

POST /SomeWebServiceEndpoint HTTP/1.1
Host: www.example.com
Content-Length: 196

<?xml version="1.0"?>
<!DOCTYPE fileDocType [
<!ENTITY fileContents SYSTEM "C:\Windows\System32\drivers\etc\hosts">
]>
<SomeElement1><SomeElement2>&fileContents;</SomeElement2></SomeElement1>

If the XML parser supports DTDs with external entities, which many XML parsers do by default, then the parser reads the hosts file from the file system and may return its contents to the attacker within the HTTP response. Which files an attacker can steal through this vulnerability depends on the permissions of the process that handles web service requests; a web service running as the administrator or root user is clearly the worst case. The attacker can also exploit this type of vulnerability to cause a denial of service condition, either by pointing the entity at a special device file that never returns end-of-file (for example, /dev/random on Linux) or by forcing the parser to make a large number of HTTP requests to remote resources in order to exhaust the network connection pool.

XML Entity Reference Countermeasures As previously stated, for most XML-based web services that do not require DTD processing within the web service request, we recommend simply disabling DTDs altogether. Under some circumstances, however, developers may want to configure their XML parsers to handle DTDs that contain general entities but prevent the processing of external entities. Within JAXP, you can disable the external-general-entities
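The following is an added example (not code from the book) that ties together the entity-expansion hardening described for Android's SAXParser, the external-entity request shown above, and the JAXP countermeasures. It builds the same SYSTEM-entity document, but points the entity at a constructed temporary file rather than the Windows hosts file so it runs anywhere, then parses it once with a default SAXParserFactory and once with a factory that disables DTD processing. The class name XxeDemo, the helper names hardenedParser, TextCollector and parse, and the temporary file are assumptions made for the example. The feature URIs are the standard SAX and Xerces ones; a parser implementation that does not recognize one (older Android releases recognize fewer than the JDK's Xerces) throws a SAXNotRecognizedException or SAXNotSupportedException, which the example deliberately lets propagate so the application fails closed instead of silently running with a weaker configuration. On the JDK, FEATURE_SECURE_PROCESSING additionally enforces an entity expansion limit, which covers the denial of service case when a DOCTYPE must be accepted.

```java
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // Builds a SAXParser with DTD processing disabled. Disallowing the DOCTYPE
    // declaration alone defeats both external entities and entity-expansion DoS;
    // the remaining features are defence in depth for parsers that ignore it.
    // Unrecognized features throw SAXNotRecognizedException/SAXNotSupportedException
    // (subclasses of SAXException), which intentionally propagate to the caller.
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Collects character data so the caller can see what the parser handed back,
    // which is exactly what a web service would echo into its response.
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        @Override public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    static String parse(SAXParser p, String xml) throws SAXException, IOException {
        TextCollector h = new TextCollector();
        p.parse(new InputSource(new StringReader(xml)), h);
        return h.text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for C:\Windows\System32\drivers\etc\hosts so the
        // demo is self-contained and portable.
        File secret = File.createTempFile("secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "127.0.0.1 localhost".getBytes(StandardCharsets.UTF_8));

        // Same shape as the request body in the text, with the SYSTEM URI swapped
        // for the temporary file's file: URI.
        String xxe = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE fileDocType [\n"
            + "  <!ENTITY fileContents SYSTEM \"" + secret.toURI() + "\">\n"
            + "]>\n"
            + "<SomeElement1><SomeElement2>&fileContents;</SomeElement2></SomeElement1>";

        // Default factory: external general entities are resolved, so the file
        // contents come back as ordinary character data.
        SAXParser weak = SAXParserFactory.newInstance().newSAXParser();
        System.out.println("default parser returned: " + parse(weak, xxe));

        // Hardened factory: built outside the try so a missing feature surfaces
        // as a configuration error rather than being mistaken for a rejected document.
        SAXParser hardened = hardenedParser();
        try {
            String leaked = parse(hardened, xxe);
            System.out.println("hardened parser returned data (unexpected): " + leaked);
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("hardened parser rejected document: " + e.getMessage());
        }
    }
}
```

Run with javac XxeDemo.java && java XxeDemo. The first line prints the temporary file's contents, demonstrating the disclosure; the second reports a parse error from the hardened parser. If the second line instead reports an unrecognized feature, that is the signal to check which features your platform's parser supports rather than to drop the feature and move on.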
