[OWASP-wiki-editors] XXE mitigations in .NET

Москвин Вячеслав Андреевич vmoskvin at ussc.ru
Wed Sep 23 06:15:40 UTC 2015

It’s better to keep the old defense (it disables inline entities, protecting the app from XML DoS attacks) and add the new one. The new defense works for .NET 3.5, 4.0, 4.5. I think the new version of the article should look like this:


The following information for .NET is almost a direct quote from this great article on how to prevent XXE and XML Denial of Service in .NET: http://msdn.microsoft.com/en-us/magazine/ee335713.aspx.
In the .NET Framework, you can prevent XmlReader from resolving external entities while still allowing it to resolve inline entities by setting the XmlResolver property of XmlReaderSettings to null.
settings.XmlResolver = null;

To protect your app from an XML Denial of Service attack, you should prohibit inline entity resolution by changing the DTD parsing settings.

.NET 3.5

In .NET Framework versions 3.5 and earlier, DTD parsing behavior is controlled by the Boolean ProhibitDtd property found in the System.Xml.XmlTextReader and System.Xml.XmlReaderSettings classes. Set this value to true to disable inline DTDs completely:

// XmlTextReader: ProhibitDtd defaults to false, so it must be set explicitly
XmlTextReader reader = new XmlTextReader(stream);
reader.ProhibitDtd = true;

// XmlReaderSettings: ProhibitDtd already defaults to true; setting it makes the intent explicit
XmlReaderSettings settings = new XmlReaderSettings();
settings.ProhibitDtd = true;
XmlReader reader = XmlReader.Create(stream, settings);

The default value of ProhibitDtd in XmlReaderSettings is true, but the default value of ProhibitDtd in XmlTextReader is false, which means that you have to explicitly set it to true to disable inline DTDs.

If you need DTD parsing enabled, but need to know how to do it safely, the above referenced MSDN article has detailed instructions on how to do that too.

.NET 4.0, .NET 4.5

In .NET Framework version 4.0, DTD parsing behavior has been changed. The ProhibitDtd property has been deprecated in favor of the new DtdProcessing property, whose default value is Prohibit. This means that .NET 4.0 apps should be immune to XXE by default, if they are using an XmlReader to parse their XML.

Setting DtdProcessing to Prohibit causes the runtime to throw an exception if a <!DOCTYPE> element is present in the XML. To set this value yourself, it looks like this:

XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit; // any <!DOCTYPE> now raises an XmlException
XmlReader reader = XmlReader.Create(stream, settings);

Alternatively, you can set the DtdProcessing property to Ignore, which will not throw an exception on encountering a <!DOCTYPE> element but will simply skip over it and not process it. Finally, you can set DtdProcessing to Parse if you do want to allow and process inline DTDs.

Again, if you need to enable DTD processing, instructions on how to do so safely are described in detail in the referenced MSDN article.

Vyacheslav Moskvin

From: Jim Manico [mailto:jim.manico at owasp.org]
Sent: Tuesday, September 22, 2015 9:59 PM
To: Москвин Вячеслав Андреевич <vmoskvin at ussc.ru>; owasp-wiki-editors at lists.owasp.org
Subject: Re: [OWASP-wiki-editors] XXE mitigations in .NET

PS: Here are the changes I made....

On 9/22/15 7:14 AM, Москвин Вячеслав Андреевич wrote:
settings.XmlResolver = null;


Jim Manico

Global Board Member

OWASP Foundation


Join me at AppSecUSA 2015!
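Added example, not part of the thread or of the MSDN article: a small C# console program that parses one constructed document under the three configurations discussed above, so the effect of DtdProcessing and of XmlResolver = null can be checked directly. The SYSTEM URI in the test document is a placeholder that does not exist on disk.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

static class XxeSettingsDemo
{
    // Constructed test document: one inline entity plus one external entity.
    // The SYSTEM URI is a placeholder; nothing is expected to exist there.
    const string Doc =
        "<!DOCTYPE data [\n" +
        "  <!ENTITY inline \"hello\">\n" +
        "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER-does-not-exist.txt\">\n" +
        "]>\n" +
        "<data><a>&inline;</a><b>&ext;</b></data>";

    // Parse Doc with the given settings and report what the reader produced.
    static string TryParse(string label, XmlReaderSettings settings)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(Doc), settings))
            {
                var text = new StringBuilder();
                while (reader.Read())
                    if (reader.NodeType == XmlNodeType.Text)
                        text.Append(reader.Value).Append('|');
                return label + ": parsed, text nodes = " + text;
            }
        }
        catch (XmlException e)
        {
            return label + ": rejected (" + e.Message + ")";
        }
    }

    static void Main()
    {
        // 1. .NET 4.0+ defaults: DtdProcessing.Prohibit, so the <!DOCTYPE> itself is rejected.
        Console.WriteLine(TryParse("default", new XmlReaderSettings()));

        // 2. Ignore: the DOCTYPE is skipped, so the entity references in the body
        //    refer to entities the reader never saw declared and cannot be expanded.
        var ignore = new XmlReaderSettings { DtdProcessing = DtdProcessing.Ignore };
        Console.WriteLine(TryParse("ignore", ignore));

        // 3. Parse with no resolver: the inline entity expands to "hello",
        //    the external entity is never fetched because there is no XmlResolver.
        var parseNoResolver = new XmlReaderSettings { DtdProcessing = DtdProcessing.Parse, XmlResolver = null };
        Console.WriteLine(TryParse("parse, XmlResolver=null", parseNoResolver));
    }
}
```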