DocumentBuilderFactory setValidating example
This post will describe some findings, problems and insights regarding XML External Entity Attacks (XXEA) that we gathered during a large-scale security analysis of several SAML interfaces. XXEA has been a popular attack class in the last months, see for example

This post will explain the basics of XXEA and how to adapt them to SAML, including some special problems you have to cope with.

However, the concept of a DTD is generic and offers more features; for example, a DTD allows one to define an

Given the number of possibilities to mount an XXEA, its prevention is not that easy. It is additionally alarming that most XML parsers have DTD processing enabled by default (and therefore, in most cases, process XXE).

We looked at the User-Agent of the Web Application that sends the request to and found out that they differ randomly, for instance,

During our study, we have evaluated 22 Software-as-a-Service Web Applications that support Single Sign-On via SAML. Ten of them were vulnerable to XXEA and we have reported our results to them.

The good thing first: for understanding how XXEA can be used in SAML, it is not necessary to understand how SAML exactly works.
The Web Application processes the DTD as follows:
There are good reasons not to fetch the DTD every time, for instance, to save time.
Additionally, it is not needed for HTML because this DTD is well known and most probably hard-coded in any browser.
This means that, in contrast to the first XXEA example given, we are only able to read the content of a system resource using XXE, but we cannot simply send this content somewhere else so that it becomes accessible to the attacker. The only thing that is sent back to the user (attacker) is whether the login was successful or not.
During our study, only a few applications responded with a specific error message, and in no case did this message reflect any content from the SAML Assertion.
Thus, we had to find another way to retrieve the content of system resources.