[OWASP-wiki-editors] XXE mitigations in .NET

Москвин Вячеслав Андреевич vmoskvin at ussc.ru
Tue Sep 22 14:14:35 UTC 2015


Hi!
I think that the XXE mitigations in .NET described in the article https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing are not sufficient. We tested them and found out that the following settings

settings.ProhibitDtd = true;

and

XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;

don't actually prohibit external entity processing (but prohibit processing of XML bombs). This helps, though:

settings.XmlResolver = null;

Also, the last piece of code is from http://msdn.microsoft.com/en-us/magazine/ee335713.aspx , which is referenced in the article.

---
Vyacheslav Moskvin
USSC Ltd.
www.ussc.ru
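A hardened reader configuration that combines both settings discussed in the message above (DTD prohibition and a null resolver, so neither has to carry the load alone), as an added example that is not from the original e-mail or the OWASP article; it assumes a .NET 4.x project with System.Xml, and the sample document with its placeholder external entity is constructed:

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not code from the e-mail or the OWASP article.
// Assumes .NET 4.x (DtdProcessing is available) and System.Xml.
static class XxeHardening
{
    // Constructed sample input: a DOCTYPE declaring an external entity that
    // points at a placeholder location. No real host or file is contacted.
    const string SampleWithExternalEntity =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE data [<!ENTITY ext SYSTEM \"http://placeholder.invalid/r\">]>" +
        "<data>&ext;</data>";

    // Defense in depth: reject DTDs outright AND disable resolution of any
    // external resource, so external entities are never fetched even if a
    // DTD somehow reaches the parser.
    public static XmlReaderSettings HardenedSettings()
    {
        var settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit; // DOCTYPE -> XmlException
        settings.XmlResolver = null;                      // no external fetches
        return settings;
    }

    // Returns true when the hardened reader refused the document.
    public static bool IsRejected(string xml)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
            {
                while (reader.Read()) { }
            }
            return false;
        }
        catch (XmlException)
        {
            return true; // the constructed sample above ends up here
        }
    }

    // XmlDocument carries its own XmlResolver, independent of the reader
    // settings; clear it as well and load through the hardened reader.
    public static XmlDocument LoadHardened(string xml)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = null;
        using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
        {
            doc.Load(reader);
        }
        return doc;
    }
}
```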