The Guide to Finding and Reporting Web Vulnerabilities
15 XML External Entity
Mechanisms
Extensible Markup Language (XML) is designed for storing and transporting data. This markup language allows developers to define and represent arbitrary data structures in a text format using a tree-like structure like that of HTML. For example, web applications commonly use XML to transport identity information in Security Assertion Markup Language (SAML) authentication. The XML might look like this:
<saml:AttributeStatement>
<saml:Attribute Name="username">
<saml:AttributeValue>
vickieli
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Notice here that unlike HTML, XML has user-defined tag names that let you structure the XML document freely. The XML format is widely used in various functionalities of web applications, including authentication, file transfers, and image uploads, or simply to transfer HTTP data from the client to the server and back.
XML documents can contain a document type definition (DTD), which defines the structure of an XML document and the data it contains. These DTDs can be loaded from external sources or declared in the document itself within a DOCTYPE tag. For example, here is a DTD that defines an XML entity called file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE example [
<!ENTITY file "Hello!">
]>
<example>&file;</example>
XML entities work like variables in programming languages: any time you reference this entity by using the syntax &file;, the XML document will load the value of file in its place. In this case, any reference to &file; within the XML document will be replaced by "Hello!".
XML documents can also use external entities to access either local or remote content with a URL. If an entity's value is preceded by a SYSTEM keyword, the entity is an external entity, and its value will be loaded from the URL. You can see here that the following DTD declares an external entity named file, and the value of file is the contents of file:///example.txt on the local filesystem:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE example [
<!ENTITY file SYSTEM "file:///example.txt">
]>
<example>&file;</example>
That last line loads the file entity in the XML document, referencing the contents of the text file located at file:///example.txt.
External entities can also load resources from the internet. This DTD declares an external entity named file that points to the home page of example.com:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE example [
<!ENTITY file SYSTEM "http://example.com/index.html">
]>
<example>&file;</example>
What’s the vulnerability hidden within this functionality? The issue is that if users can control the values of XML entities or external entities, they might be able to disclose internal files, port-scan internal machines, or launch DoS attacks.
Many sites use older or poorly configured XML parsers to read XML documents. If the parser allows user-defined DTDs or user input within the DTD and is configured to parse and evaluate the DTD, attackers can declare their own external entities to achieve malicious results.
For example, let’s say a web application lets users upload their own XML document. The application will parse and display the document back to the user. A malicious user can upload a document like this one to read the /etc/shadow file on the server, which is where Unix systems store usernames and their encrypted passwords:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE example [
1 <!ENTITY file SYSTEM "file:///etc/shadow">
]>
<example>&file;</example>
Parsing this XML file will cause the server to return the contents of /etc/shadow because the XML file includes /etc/shadow via an external entity 1.
Attacks like these are called XML external entity attacks, or XXEs . Applications are vulnerable to XXEs when the application accepts user-supplied XML input or passes user input into DTDs, which is then parsed by an XML parser, and that XML parser reads local system files or sends internal or outbound requests specified in the DTD.
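The mechanism above boils down to one question for a defender: does the parser that receives client-controlled XML evaluate a DTD at all? The following Python is an added example written for this page, not code from the book. It assumes the application receives XML as a string (an uploaded file, a SAML assertion body, an API request) and shows three things: a coarse pre-parse check that flags DTDs declaring SYSTEM or PUBLIC entities, a gate that refuses any DOCTYPE in untrusted input so a client-supplied DTD is never evaluated, and what the standard-library ElementTree parser does with the page's own "Hello!" and file:///example.txt documents (it expands the internal entity, and reports the external one as an undefined entity rather than fetching it). The sample documents are constructed to mirror the ones on this page; the SAML namespace URI is the standard urn:oasis:names:tc:SAML:2.0:assertion.

```python
"""Added example (not from the book): screening client-supplied XML for DTDs
and external entities before it reaches an XML parser.

Assumptions: XML arrives as a Python str; the sample documents below are
constructed to mirror the ones on the page and are not real captures.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# --- constructed sample documents -------------------------------------------
SAML_DOC = f"""<?xml version="1.0" encoding="UTF-8"?>
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="username">
    <saml:AttributeValue>vickieli</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

INTERNAL_ENTITY_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE example [
<!ENTITY file "Hello!">
]>
<example>&file;</example>"""

EXTERNAL_FILE_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE example [
<!ENTITY file SYSTEM "file:///example.txt">
]>
<example>&file;</example>"""

EXTERNAL_HTTP_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE example [
<!ENTITY file SYSTEM "http://example.com/index.html">
]>
<example>&file;</example>"""

# --- detection ---------------------------------------------------------------
# Any DOCTYPE means a DTD will be evaluated by a DTD-aware parser.
# XML keywords are case-sensitive; IGNORECASE only makes the screen more lenient.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# An entity whose value is resolved from a URL: SYSTEM or PUBLIC,
# general or parameter (%) entity.
_EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def declares_external_entity(xml_text: str) -> bool:
    """True if the document's DTD declares an external (SYSTEM/PUBLIC) entity.
    Useful as a triage/logging signal on uploads; it is a pre-filter, not the
    control itself."""
    return _EXTERNAL_ENTITY_RE.search(xml_text) is not None


# --- hardened handling of untrusted input ------------------------------------
def parse_untrusted(xml_text: str) -> ET.Element:
    """Parse client-supplied XML, refusing any document that carries a DTD.
    Rejecting the DOCTYPE outright means no client-controlled entity, internal
    or external, is ever evaluated."""
    if _DOCTYPE_RE.search(xml_text):
        raise ValueError("DOCTYPE/DTD is not accepted in client-supplied XML")
    return ET.fromstring(xml_text)


def rejects_untrusted(xml_text: str) -> bool:
    """Convenience wrapper: did the untrusted-input gate refuse this document?"""
    try:
        parse_untrusted(xml_text)
    except ValueError:
        return True
    return False


def saml_username(root: ET.Element):
    """Read the username AttributeValue from a parsed SAML-style statement."""
    node = root.find(f".//{{{SAML_NS}}}AttributeValue")
    return node.text.strip() if node is not None and node.text else None


# --- what the stdlib parser does with entities -------------------------------
def stdlib_entity_expansion(xml_text: str):
    """Parse with plain ElementTree and return the root element's text.
    Internal entities are expanded by expat, so the page's example yields
    "Hello!". An external SYSTEM entity is not fetched: ElementTree reports it
    as an undefined entity and raises ParseError, returned here as None."""
    try:
        return ET.fromstring(xml_text).text
    except ET.ParseError:
        return None


if __name__ == "__main__":
    samples = [("saml", SAML_DOC), ("internal", INTERNAL_ENTITY_DOC),
               ("file", EXTERNAL_FILE_DOC), ("http", EXTERNAL_HTTP_DOC)]
    for name, doc in samples:
        print(f"{name:8} external-entity={declares_external_entity(doc)} "
              f"gate-rejects={rejects_untrusted(doc)} "
              f"stdlib-text={stdlib_entity_expansion(doc)!r}")
```

The gate is deliberately blunt: legitimate SAML and API payloads do not need a client-supplied DOCTYPE, so refusing all of them removes the whole class rather than trying to distinguish safe DTDs from hostile ones. The regex detector is only a logging aid for spotting attempts; the real control is the parser configuration (no DTD evaluation, no external entity resolution), which the gate enforces by never handing a DTD to the parser.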