asp.net .asmx web service ishow XXE vulnerability - External DNS

Question

We have uncovered an XML External Entity vulnerability in our asp.net asmx web service.

We are testing an asp.net .asmx web service using burp suite, to check for XML External Entity Processing vulnerabilities. See: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#net

We see that when a DTD is included in the request like this:

<!DOCTYPE soapenv:envelope PUBLIC "-//B/A/EN" "http://1234565.cigitalcollaborator.com">

A DNS request is sent to for cigitalcollaborator.com. This indicates the asmx web service is processing the DTD in request.

We are using .net version 4.5.2.

According to this link, XXE vulnerabilities should be implicitly blocked for .net 4.5.2 and later: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET_4.5.2_and_later

But it's not... We ge this DNS lookup.

The underlying .net framework is handling XML deserialization/serialization for this asmx web service, so there's no code for us to really fix here. We cannot alter the behavior right, because it's somewhere in the underlying framework?

How we can fix this XXE vulnerability for our ASMX web service?

Thank you

Jon Paugh

Answer 1

I think that it is important to consider two different points here:

First - An automated scan designed to work across web applications using all manner of different technologies does not prove that a vulnerability is present. A DNS lookup is not the same as fully processing the Entity in question. If a subsequent request is made to the url in question, and data from that is processed then you have a vulnerability. You can configure your application use a proxy like Fiddler to verify if such a request is made.

Secondly, .NET has been secure since 4.5.2 by default. This is not the same as guaranteed secure. If an application requires DTD processing it can be enabled in the settings:

var xmlReaderSettings = new XmlReaderSettings();
xmlReaderSettings.DtdProcessing = DtdProcessing.Parse;
var xmlReader = XmlReader.Create(new StringReader("EvilXml", xmlReaderSettings));

Or

var xmlTextReader = new XmlTextReader(new StringReader("EvilXml");
xmlTextReader..DtdProcessing = DtdProcessing.Parse;

And with an XDocument resolver implementations process DTDs

var xmlDocument = new XmlDocument();
// Implementations of XmlResolver are probably  unsafe
xmlDocument.XmlResolver = new MyCustomResolver(); 
// xmlDocument.XmlResolver = null is safe - should be the default from 4.5.2 
xmlDocument.LoadXml("EvilXml");

I would probably search the source code for the two relevant text strings "DtdProcessing.Parse" and "XmlResolver" to rule this out.

Answer 2

ASXM web services are considered legacy and don't receive all bug fixes as they have limited extension points. You probably want to re-write this or at least put a facade in front of it using like WCF or WebAPI...

Sadly the connect articles referring to this have been taken down with connect retiring but there are references from people to linking to them:

"They are based on the old XML Serialization technology, which is not getting bug fixes. (see Microsoft comment on 1/11/2010)" https://johnwsaunders3.wordpress.com/