How to prevent XXE attack (XmlDocument in .net)


Question

We had a security audit on our code, and they mentioned that our code is vulnerable to an External Entity (XXE) attack. I am using the following code:

using System.Xml;

string OurOutputXMLString =
    "<ce><input><transaction><length>00000</length><tran_type>Login</tran_type></transaction><user><user_id>ce_userid</user_id><subscriber_name>ce_subscribername</subscriber_name><subscriber_id>ce_subscriberid</subscriber_id><group_id>ce_groupid</group_id><permissions></permissions></user><consumer><login_details><username>UnitTester9</username><password>pDhE5AsKBHw85Sqgg6qdKQ==</password><pin>tOlkiae9epM=</pin></login_details></consumer></input></ce>";

XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(OurOutputXMLString);

In the audit report they say that it's failing because an XML entity can contain URLs that can resolve outside of intended control. The XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. To avoid this I wrote the following code, but it doesn't work.

using System.IO;
using System.Xml;

MemoryStream stream =
    new MemoryStream(System.Text.Encoding.Default.GetBytes(OurOutputXMLString));

XmlReaderSettings settings = new XmlReaderSettings();

// Reject any DOCTYPE, so no entities (internal or external) can be declared
settings.DtdProcessing = DtdProcessing.Prohibit;
settings.MaxCharactersFromEntities = 6000;
XmlReader reader = XmlReader.Create(stream, settings);
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(reader);

But I can see here that the reader does not have any value to load into xmlDoc (XmlDocument). Can anyone help with where I am missing things? Any help is appreciated!

Recommended answer

External resources are resolved using the XmlResolver provided via the XmlDocument.XmlResolver property. If your XML documents **should not contain any external resource** (for example DTDs or schemas), simply set this property to null:

XmlDocument xmlDoc = new XmlDocument();
xmlDoc.XmlResolver = null;
xmlDoc.LoadXml(OurOutputXMLString);

If you want to filter where these URLs come from (for example to allow only certain domains), just derive your own class from XmlUrlResolver and override the ResolveUri() method. There you can check what the URL is and sanitize it (for example you can allow only URLs within your local network or from trusted sources).

For example:

class CustomUrlResolver : XmlUrlResolver
{
    public override Uri ResolveUri(Uri baseUri, string relativeUri)
    {
        // Let the base class build the absolute URI (it also handles a null baseUri,
        // which is what XmlDocument.LoadXml passes), then inspect the host
        Uri uri = base.ResolveUri(baseUri, relativeUri);
        if (IsUnsafeHost(uri.Host))
            return null; // null tells the parser not to resolve this resource

        return uri;
    }

    private bool IsUnsafeHost(string host)
    {
        // Placeholder: replace with your own host check (e.g. an allow-list)
        return false;
    }
}

Where IsUnsafeHost() is a custom function that checks if the given host is allowed or not. See this post here on SO for a few ideas. Just return null from ResolveUri() to save your code from this kind of attack. In case the URI is allowed you can simply return the default XmlUrlResolver.ResolveUri() implementation.

To use it:

XmlDocument xmlDoc = new XmlDocument();
xmlDoc.XmlResolver = new CustomUrlResolver();
xmlDoc.LoadXml(OurOutputXMLString);

For more details about how XML external resources are resolved, just read Resolving External Resources on MS Docs. If your code is more complex than this example then you should definitely read the Remarks section for the XmlDocument.XmlResolver property.
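As an added example (not code from the question or the answer), here is a hardened loader that combines both settings discussed in this thread, DtdProcessing.Prohibit on the reader and a null XmlResolver on the document, together with a constructed regression check; the sample documents and the placeholder file path are assumptions.

```csharp
using System;
using System.IO;
using System.Xml;

static class SafeXml
{
    // Hardened load: no DTD processing at all, so no entities can be declared,
    // and no resolver on either the reader or the document, so nothing is fetched.
    public static XmlDocument LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Regression check a defender can keep in a unit-test project.
    // Both inputs are constructed; the DOCTYPE sample points at a
    // non-existent placeholder file and must be rejected before any
    // resolution is attempted.
    public static void Main()
    {
        const string benign =
            "<ce><input><user><user_id>ce_userid</user_id></user></input></ce>";
        const string withDtd =
            "<!DOCTYPE ce [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder\">]>" +
            "<ce><input><user><user_id>&ext;</user_id></user></input></ce>";

        XmlDocument ok = LoadHardened(benign);
        Console.WriteLine(ok.SelectSingleNode("//user_id").InnerText); // ce_userid

        try
        {
            LoadHardened(withDtd);
            Console.WriteLine("FAIL: DOCTYPE was accepted");
        }
        catch (XmlException ex)
        {
            // Expected: DtdProcessing.Prohibit rejects the DOCTYPE outright
            Console.WriteLine("Rejected as expected: " + ex.Message);
        }
    }
}
```

On .NET Framework 4.5.2 and later XmlDocument.XmlResolver already defaults to null, but setting it explicitly keeps the same behaviour on older runtimes and makes the intent visible to the next auditor.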
