knowledgebase sub-category

Secure Development Lifecycle for Open Source Usage

Preface

How do we adjust the SDL (Security Development Lifecycle) process for the growing use of open source in internal/external systems we develop and maintain? This is a question I hear a lot lately from our customers in some recent SDL projects we (AppSec Labs) carried out for our customers. After we did some research, […]

XXE – iOS secure coding

libxml2

iOS includes the C/C++ libxml2 library described in C/C++ secure coding examples, so that guidance applies if you are using libxml2 directly. However, the version of libxml2 provided up through iOS6 is prior to version 2.9 of libxml2 (which protects against XXE by default).

NSXMLDocument

iOS also provides an NSXMLDocument type, which is built on top of libxml2. However, NSXMLDocument provides some additional protections against XXE that aren’t available in libxml2 directly:

iOS4 and earlier: All external entities are loaded by default.
iOS5 and later: Only entities that don’t require network access are loaded (which is safer).

However, to completely disable XXE in an NSXMLDocument in any version of iOS you simply specify NSXMLNodeLoadExternalEntitiesNever when creating the NSXMLDocument.

references:
http://developer.apple.com/library/ios/#releasenotes/Foundation/RN-Foundation-iOS/Foundation_iOS5.html
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#iOS

XXE – PHP secure coding

The following should be set when using the default PHP XML parser in order to prevent XXE:
libxml_disable_entity_loader(true);

XXE – Java secure coding

Java applications using XML libraries are particularly vulnerable to XXE because the default setting for most Java XML parsers is to have XXE enabled. To use these parsers safely, you have to explicitly disable XXE in the parser you use. The following describes how to disable XXE in the most commonly used XML parsers for Java.

JAXP DocumentBuilderFactory


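import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);

try {
   // Reject any DOCTYPE declaration; without a DTD no entity can be declared
   dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
   // Second layer in case DOCTYPEs are allowed later: never resolve external entities
   dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
   dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
   dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
}
catch (ParserConfigurationException e) {
   // Fail closed: do not parse untrusted XML with a factory that could not be hardened
   throw new IllegalStateException("could not set parser feature", e);
}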

 

SAXParserFactory

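import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

SAXParserFactory factory = SAXParserFactory.newInstance();
try {
   SAXParser parser = factory.newSAXParser();
   XMLReader reader = parser.getXMLReader();
   // Never resolve external general or parameter entities, and never fetch an external DTD
   reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
   reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
   reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
}
catch (ParserConfigurationException | SAXException e) {
   // Fail closed: do not parse untrusted XML with a reader that could not be hardened
   throw new IllegalStateException("could not set parser feature", e);
}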

 

XMLReader

To protect a Java XMLReader from XXE, do this:

import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

XMLReader spf = XMLReaderFactory.createXMLReader();
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

more libraries and references:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

XXE – .NET secure coding

Prior to .NET 4.0
In .NET Framework versions prior to 4.0, DTD parsing behavior for XmlReader and XmlTextReader is controlled by the Boolean ProhibitDtd property found in the System.Xml.XmlReaderSettings and System.Xml.XmlTextReader classes. Set these values to true to disable inline DTDs completely:

XmlReader

XmlReaderSettings settings = new XmlReaderSettings();
settings.ProhibitDtd = true; // Not explicitly needed because the default is 'true'
XmlReader reader = XmlReader.Create(stream, settings);

 

XmlTextReader

XmlTextReader reader = new XmlTextReader(stream);
reader.ProhibitDtd = true; // NEEDED because the default is FALSE!!

 

XmlDocumentReader

XmlDocumentReader doesn’t use a ProhibitDtd property. Instead you have to set its XmlResolver to null.

static void LoadXML()
{
  string xml = "<!DOCTYPE doc
  []
  >&win;";

  XmlDocument xmlDoc = new XmlDocument();
  xmlDoc.XmlResolver = null; // Setting it to NULL disables DTDs (not null by default).
  xmlDoc.LoadXml(xml);
  Console.WriteLine(xmlDoc.InnerText);
  Console.ReadLine();
}

 

.NET 4.0 and later
In .NET Framework version 4.0, DTD parsing behavior has been changed. The ProhibitDtd property has been deprecated in favor of the new DtdProcessing property. However, they didn’t change the default settings so XmlTextReader is still vulnerable to XXE by default.

Setting DtdProcessing to Prohibit causes the runtime to throw an exception if a <!DOCTYPE> element is present in the XML. To set this value yourself, it looks like this:

XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;
XmlReader reader = XmlReader.Create(stream, settings);

Alternatively, you can set the DtdProcessing property to Ignore, which will not throw an exception on encountering a <!DOCTYPE> element but will simply skip over it and not process it. Finally, you can set DtdProcessing to Parse if you do want to allow and process inline DTDs.

 

.NET 4.6 and later
Starting with .NET 4.6, Microsoft finally changed the default behavior of XmlDocument to be safe from XXE by default, by setting the XmlResolver to null.

For more details on all of this, please read James Jardine’s article.

 

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

XXE – C/C++ secure coding

libxml2

The following values of the xmlParserOption enum should not be set in the parser options:

XML_PARSE_NOENT // Expands entities and substitutes them with replacement text
XML_PARSE_DTDLOAD // Load the external DTD

Note: starting with libxml2 version 2.9, XXE has been disabled by default as committed by the following patch: http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B
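
The .NET, Java XMLReader and libxml2 settings above can be checked for during code review. The following is an added example, not code from the original articles: a small Python scanner that flags the risky constructs these sections name. The rule ids and the sample inputs are constructed for illustration.

```python
import re

# (rule id, risky construct, construct that counts as the fix or None, advice).
# Identifiers are the ones this page names; the rule ids are made up for this example.
RULES = [
    ("libxml2-noent", r"\bXML_PARSE_NOENT\b", None,
     "remove XML_PARSE_NOENT from the parser options"),
    ("libxml2-dtdload", r"\bXML_PARSE_DTDLOAD\b", None,
     "remove XML_PARSE_DTDLOAD from the parser options"),
    ("dotnet-dtd-parse", r"DtdProcessing\s*=\s*DtdProcessing\.Parse\b", None,
     "use DtdProcessing.Prohibit (or Ignore)"),
    ("dotnet-prohibitdtd-false", r"ProhibitDtd\s*=\s*false\b", None,
     "set ProhibitDtd = true"),
    ("dotnet-xmltextreader", r"new\s+XmlTextReader\s*\(",
     r"ProhibitDtd\s*=\s*true\b|DtdProcessing\.(Prohibit|Ignore)\b",
     "XmlTextReader allows DTDs by default; prohibit them explicitly"),
    ("java-xmlreader", r"XMLReaderFactory\.createXMLReader\s*\(",
     r'external-general-entities"\s*,\s*false\b',
     "set external-general-entities to false on the reader"),
]


def scan(source):
    """Return sorted (line number, rule id, advice) findings for one source file."""
    # Drop // comments so a commented-out flag is not reported; '://' in URLs is kept.
    lines = [re.sub(r"(?<!:)//.*", "", line) for line in source.splitlines()]
    code = "\n".join(lines)
    findings = []
    for rule_id, risky, fix, advice in RULES:
        # Coarse by design: one fix anywhere in the file clears that rule for the file.
        if fix and re.search(fix, code):
            continue
        for number, line in enumerate(lines, 1):
            if re.search(risky, line):
                findings.append((number, rule_id, advice))
    return sorted(findings)


# Constructed inputs, not taken from any real code base.
UNSAFE_C = ('doc = xmlReadMemory(buf, len, "in.xml", NULL,\n'
            '    XML_PARSE_NOENT | XML_PARSE_DTDLOAD);')
UNSAFE_CS = "XmlTextReader reader = new XmlTextReader(stream);"
SAFE_CS = UNSAFE_CS + "\nreader.ProhibitDtd = true; // default is false"
COMMENTED_C = "doc = xmlReadMemory(buf, len, NULL, NULL, 0); // was XML_PARSE_NOENT"

if __name__ == "__main__":
    for sample in (UNSAFE_C, UNSAFE_CS, SAFE_CS, COMMENTED_C):
        print(scan(sample))
```

A match is a prompt for manual review, not proof of a vulnerability, because the fix is only looked for at file level.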

Disable Excessive headers – PHP

Methods

To hide the PHP version from remote HTTP requests, set the following line in the php.ini file:

expose_php = Off

References

http://php.net/manual/en/ini.core.php

Disable Excessive headers – Apache

Methods

1. To remove the Server header, follow these steps:

  • Load the headers module in the Apache httpd.conf file by adding the following line:
LoadModule headers_module modules/mod_headers.so

  • After headers_module is loaded, set the following lines in httpd.conf:

ServerTokens Prod
ServerSignature Off

ServerSignature Off removes the version info from the pages generated by the Apache web server (e.g. 403, 404, 502, etc.)
ServerTokens Prod changes the Server header to production only, i.e. Apache

  • Restart the Apache service.

2. To remove the X-Powered-By header, include the following lines in httpd.conf:

<IfModule mod_headers.c>
   Header unset X-Powered-By
</IfModule>

3. For Apache Coyote, edit the server.xml configuration file found at: CATALINA_HOME/conf/server.xml

<Connector 
     port="8080"
     ... 
     server="Apache"
/>

4. For JBoss 6.0, JBoss 7.0, JBoss 7.1, modify the catalina.properties file located in: ${jboss.home}/server/${server.instance.name}/deploy/jbossweb.sar/.

Set the property org.apache.catalina.connector.X_POWERED_BY to false.

References

https://httpd.apache.org/docs/2.2/mod/core.html#serversignature
https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
http://docs.jboss.org/jbossweb/7.0.x/sysprops.html
https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html
https://www.owasp.org/index.php/Securing_tomcat

Disable Excessive headers – IIS

Methods

1. Remove the Server header by adding the following code to the Global.asax.cs file in your project:

 protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
 {
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Set("Server","FooServer");
 }

2. To remove the X-AspNet-Version header, set the following in the Web.config file:

<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>

3. To remove X-AspNetMvc-Version, add the following line in the Application_Start event in Global.asax:

protected void Application_Start()
{
    MvcHandler.DisableMvcResponseHeader = true;
}

4. To remove the X-Powered-By header, set the following in the Web.config file:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

5. To suppress all the other headers, ensure that the Web.config file contains the following XML:


<configuration>
  <nwebsec>
    <httpHeaderModule>
      <suppressVersionHttpHeaders enabled="true" />
    </httpHeaderModule>
  </nwebsec>
</configuration>

6. Alternatively, follow these IIS configuration instructions:
https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
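
To confirm that the PHP, Apache and IIS settings above took effect, check what your own server actually returns. The following is an added example, not code from the original articles: a Python audit of a raw HTTP response for the headers these sections remove or reduce. The sample responses and their version strings are constructed.

```python
import re
from email.parser import Parser

# Headers this page removes outright; their presence alone discloses the stack.
REMOVE = ("X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
# "Server: Apache" (ServerTokens Prod) passes; a product/version or "(OS)" token does not.
DETAIL = re.compile(r"/\d|\([^)]+\)")


def response_headers(raw):
    """Parse the header block of a raw HTTP response (status line dropped)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status, _, block = head.partition("\n")
    return Parser().parsestr(block, headersonly=True)


def audit(raw):
    """Return (header, value, reason) for every disclosure left in the response."""
    headers = response_headers(raw)
    findings = []
    for name in REMOVE:
        for value in headers.get_all(name, []):
            findings.append((name, value, "remove this header"))
    for value in headers.get_all("Server", []):
        if DETAIL.search(value):
            findings.append(("Server", value, "version or platform detail exposed"))
    return findings


# Constructed responses; the version strings are invented sample values.
DEFAULT_APACHE_PHP = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.0 (Unix)\r\n"
                      "X-Powered-By: PHP/7.0.0\r\nContent-Type: text/html\r\n\r\n<html>")
DEFAULT_IIS = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\n"
               "X-AspNet-Version: 4.0.30319\r\nX-AspNetMvc-Version: 5.2\r\n"
               "X-Powered-By: ASP.NET\r\n\r\n")
HARDENED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for raw in (DEFAULT_APACHE_PHP, DEFAULT_IIS, HARDENED):
        for name, value, reason in audit(raw):
            print(f"{name}: {value} -> {reason}")
```

Run it against responses for error pages as well as normal pages, since ServerSignature affects server-generated documents.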

Preventing Directory Listing – Apache

Using httpd.conf or .htaccess

Add the following lines to httpd.conf or .htaccess:

Options -Indexes
IndexIgnore *

Reference

http://wiki.apache.org/httpd/DirectoryListings