[OWASP-wiki-editors] XXE mitigations in .NET
Jim Manico
jim.manico at owasp.org
Tue Sep 22 16:50:57 UTC 2015
Again, thank you very much for your help.
Do you know if this is .NET 3.5 or 4.0 code?
Here is the current wiki text. Can you suggest how we should change this
and whether the defense works for both, one or neither of these frameworks?
Thank you sir!
Aloha,
Jim
***
.NET
.NET 3.5
The following information for .NET is almost a direct quote from this
great article on how to prevent XXE and XML Denial of Service in
.NET: http://msdn.microsoft.com/en-us/magazine/ee335713.aspx.
In .NET Framework versions 3.5 and earlier, DTD parsing behavior is
controlled by the Boolean ProhibitDtd property found in the
System.Xml.XmlTextReader and System.Xml.XmlReaderSettings classes. Set
this value to true to disable inline DTDs completely:
XmlTextReader reader = new XmlTextReader(stream);
reader.ProhibitDtd = true;
or
XmlReaderSettings settings = new XmlReaderSettings();
settings.ProhibitDtd = true;
XmlReader reader = XmlReader.Create(stream, settings);
The default value of ProhibitDtd in XmlReaderSettings is true, but the
default value of ProhibitDtd in XmlTextReader is false, which means that
you have to explicitly set it to true to disable inline DTDs.
If you need DTD parsing enabled, but need to know how to do it safely,
the above referenced MSDN article has detailed instructions on how to do
that too.
.NET 4.0
In .NET Framework version 4.0, DTD parsing behavior has been changed.
The ProhibitDtd property has been deprecated in favor of the new
DtdProcessing property, whose default value is Prohibit. This means that
.NET 4.0 apps should be immune to XXE by default, if they are using an
XmlReader to parse their XML.
Setting DtdProcessing to Prohibit causes the runtime to throw an
exception if a <!DOCTYPE> element is present in the XML. To set this
value yourself, it looks like this:
XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;
XmlReader reader = XmlReader.Create(stream, settings);
Alternatively, you can set the DtdProcessing property to Ignore, which
will not throw an exception on encountering a <!DOCTYPE> element but
will simply skip over it and not process it. Finally, you can set
DtdProcessing to Parse if you do want to allow and process inline DTDs.
Again, if you need to enable DTD processing, instructions on how to do
so safely are described in detail in the referenced MSDN article.
On 9/22/15 7:14 AM, Москвин Вячеслав Андреевич wrote:
>
> Hi!
>
> I think that the XXE mitigations in .NET described in the article
> https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
> are not sufficient. We tested them and found out that the following settings
>
> settings.ProhibitDtd = true;
>
> and
>
> XmlReaderSettings settings = new XmlReaderSettings();
> settings.DtdProcessing = DtdProcessing.Prohibit;
>
> don't actually prohibit external entity processing (but prohibit
> processing of XML bombs). This helps, though:
>
> settings.XmlResolver = null;
>
> Also, the last piece of code is from
> http://msdn.microsoft.com/en-us/magazine/ee335713.aspx , which is
> referenced in the article.
>
> ---
>
> Vyacheslav Moskvin
> USSC Ltd.
> www.ussc.ru
>
> _______________________________________________
> OWASP-wiki-editors mailing list
> OWASP-wiki-editors at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
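Added example (not code from the OWASP wiki text, the MSDN article, or either poster): a small console program that runs the same external-entity payload through the parser configurations discussed in this thread side by side: XmlTextReader with its shipped defaults, XmlReaderSettings with DtdProcessing.Prohibit (ProhibitDtd = true on 3.5), XmlReaderSettings with DTDs allowed but XmlResolver = null, and XmlDocument.LoadXml with and without a null resolver. It targets .NET Framework 4.x System.Xml; the payload, the temporary secret file, the element names and the helper names are all my own, and the expected outcomes in the comments are what the documented defaults give.

```csharp
using System;
using System.IO;
using System.Xml;

// Demo of XXE behaviour across .NET XML parser configurations.
// Assumptions: .NET Framework 4.x; "SECRET-42" is a constructed value.
static class XxeDemo
{
    // XXE payload: an external entity pointing at a local file, so the
    // demo runs offline. Main() creates the file before parsing.
    static string BuildPayload(string secretPath)
    {
        string fileUri = new Uri(secretPath).AbsoluteUri;   // file:///...
        return "<?xml version=\"1.0\"?>\n" +
               "<!DOCTYPE order [\n" +
               "  <!ENTITY xxe SYSTEM \"" + fileUri + "\">\n" +
               "]>\n" +
               "<order><note>&xxe;</note></order>";
    }

    // Walks any XmlReader to <note> and returns its (entity-expanded) text.
    static string ReadNote(XmlReader reader)
    {
        using (reader)
        {
            if (!reader.ReadToFollowing("note"))
                throw new XmlException("no <note> element");
            return reader.ReadElementContentAsString();
        }
    }

    // XmlDocument.LoadXml never consults an XmlReaderSettings; only the
    // document's own XmlResolver governs entity fetching.
    static string LoadWithXmlDocument(string xml, bool nullResolver)
    {
        var doc = new XmlDocument();
        if (nullResolver) doc.XmlResolver = null;
        doc.LoadXml(xml);
        return doc.SelectSingleNode("/order/note").InnerText;
    }

    // Runs one parse and reports either the resulting value or the exception.
    static string Run(Func<string> parse)
    {
        try { return "value = \"" + parse() + "\""; }
        catch (XmlException e) { return "XmlException: " + e.Message; }
    }

    static void Main()
    {
        string secretFile = Path.GetTempFileName();
        File.WriteAllText(secretFile, "SECRET-42");
        string xml = BuildPayload(secretFile);
        try
        {
            // 1. XmlTextReader as shipped: ProhibitDtd defaults to false (3.5),
            //    DtdProcessing to Parse (4.0), and the default XmlUrlResolver
            //    fetches the entity, so the file contents come back as the note.
            Console.WriteLine("1. XmlTextReader defaults:         " +
                Run(() => ReadNote(new XmlTextReader(new StringReader(xml)))));

            // 2. DtdProcessing.Prohibit (ProhibitDtd = true on 3.5): the
            //    <!DOCTYPE> itself is rejected with an XmlException, so no
            //    entity can even be declared.
            var prohibit = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit };
            Console.WriteLine("2. DtdProcessing.Prohibit:         " +
                Run(() => ReadNote(XmlReader.Create(new StringReader(xml), prohibit))));

            // 3. DTDs allowed but XmlResolver = null: the DTD is parsed, the
            //    external entity is never fetched, and &xxe; expands to an empty
            //    string. This is the knob to set when a DTD cannot be prohibited.
            var noResolver = new XmlReaderSettings
            {
                DtdProcessing = DtdProcessing.Parse,
                XmlResolver = null
            };
            Console.WriteLine("3. Parse + XmlResolver = null:     " +
                Run(() => ReadNote(XmlReader.Create(new StringReader(xml), noResolver))));

            // 4. XmlDocument.LoadXml. Before .NET Framework 4.5.2 the document's
            //    XmlResolver defaults to an XmlUrlResolver and the file is read;
            //    from 4.5.2 on it defaults to null. Setting it to null explicitly
            //    makes the entity expand to nothing on every version.
            Console.WriteLine("4a. XmlDocument default resolver:  " +
                Run(() => LoadWithXmlDocument(xml, false)));
            Console.WriteLine("4b. XmlDocument.XmlResolver = null: " +
                Run(() => LoadWithXmlDocument(xml, true)));
        }
        finally
        {
            File.Delete(secretFile);
        }
    }
}
```

Compile with csc.exe against the .NET Framework and run; case 1 (and 4a on a pre-4.5.2 runtime) prints the secret, case 2 throws, and cases 3 and 4b yield an empty note. The practical takeaway matches the thread: DtdProcessing.Prohibit is the right default for an XmlReader you create yourself, but any code path that builds its own reader, XmlDocument.LoadXml included, needs XmlResolver = null as well.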