How to Mitigate XXE Vulnerabilities in Python

XML External Entity Injection is often referred to as a variant of Server-side Request Forgery (SSRF). XXE leverages language parsers parse the widely used data format, XML, used in a number of common scenarios, such as SOAP and REST web services and file formats, such as PDF, DOCX, HTML.

The main issue lies in XML parsers and how, by default, they handle outbound network calls as well as other XML-specific features, which we will get into later. For a broader and more in-depth explanation of XXE, I would highly recommend going over our 2-part series first.

Python XML Libraries

In the Python ecosystem (2.X & 3.X), most — if not all — XML parsing is handled by the standard libraries:

• minidom
• etree
• sax
• pulldom

And, in some cases, even beautifulsoup, since as we said HTML is a subset of XML, we can parse XML using it. The good news is that minidom and etree are not vulnerable to XXE by default. As a result, we’ll focus on pulldom as it’s tightly knit to sax.

Examples

The following example leverages the pulldom module as well as bottle to create a very minimal web service. It has a single endpoint, POST  /pulldom that receives the request body as XML, parses it, and returns it back.

import bottle

from xml.dom.pulldom import START_ELEMENT, parse

@bottle.post('/pulldom')
def pulldom():
    doc = parse(bottle.request.body)
    for event, node in doc:
        doc.expandNode(node)
    return(str(doc))

if __name__ == '__main__':
    bottle.run(host='0.0.0.0', port=5050)

The scanner can detect this by leveraging our AcuMonitor service by transmitting and receiving the following request and response during the scan:

Request

POST http://localhost:5050/lxmlnet HTTP/1.1
Content-type: text/xml
Host: localhost:5050


<!ENTITY dteyybzent SYSTEM "http://hitWP5ElLuA1m.bxss.me/">
]>
&dteyybzent;

In bold, you can see the !ENTITY expansion pointing to a remote URL, which, in this case, routes to the AcuMonitor (under bxss.me).

Response

HTTP/1.0 500 Internal Server Error
Server: WSGIServer/0.1 Python/2.7.14

...
<body>
<h1>Error: 500 Internal Server Error</h1>
<p>Sorry, the requested URL <tt>'http://localhost:5050/lxmlnet'</tt>
caused an error:</p>
<pre>Internal Server Error</pre>
</body>
...

The above is an HTTP Response truncated for clarity.

The server tried processing the payload internally and sent the request, which raised a  SAXParseException:

SAXParseException: http://hituxSWuqFxmy.bxss.me/:2:0: error in processing external entity reference

Conclusion

With security, the first question when receiving an input is along the lines of, “where is this data source coming from?” Given that the two most popular libraries, minidom and etree, are safe from XXE attacks (though vulnerable to others), you are generally good to go from the standard library.

The alternative libraries, pulldom and sax, are, by design, required to pull XML from remote locations, which means that you should avoid using them for handling untrusted user XMLs in any form. Should you still opt to use the aforementioned libraries, you should wrap them with your own safe implementation that sanitizes input prior to processing it.