XML External Entity DOS
The XML standard allows the use of DTDs (Document Type Definitions). DTDs are meant to define the legal building blocks of an XML document. One feature of DTDs are the ability to define entities. Entities are variables used to define shortcuts to strings or special characters. Typical examples of predefined entities are the entities used within HTML. When wanting to use the "<" or ">" charcter outside of HTML Tags they have to be replaced by their entities:
- the character ">" has the entity ">"
- the character "<" has the entity "<"
Entities that are not predefined can be declared internal or external.
- internal declaration - the entity is defined within the same document.
- external declaration - the entity is defined in an external document. Only the reference to the external document is given.
When included in a SOAP message, external entities can be used to cause denial of service scenarios by retrieving malicious external content during the parsing process.
NOTE: Since SOAP Version 1.2  external entities are not allowed within SOAP messages any more. However many web services don't implement the standard correctly, that is why they are still vulnerable to this attack. See  for more details: "The XML infoset of a SOAP message MUST NOT contain a document type declaration information item."
NOTE: XML External Entity DOS attacks are a different form ofXML Entity Expansion attacks. XML Entity Expansion attacks aim at creating large documents using DTDs that exhaust the resources of the web service. However XML External Entity DOS attacks aim at exhausting the resources of the attacked web service by "just" retrieving malicious external files.
There are no attack subtypes for this attack.
Prerequisites for attack
In order for this attack to work the attacker has to have knowledge about the following things:
- Attacker knows endpoint of web service. otherwise he is not able to reach the web service.
- Attacker can reach endpoint from its location. Access to the attacked web service is required. If the web service is only available to users within a certain network of a company, the attack is limited.
Graphical representation of attack
- Red = attacked web service component
- Black = location of attacker
- Blue = web service component not directly involved in attack.
We take a modified example taken OWASP Guide "Testing for XML injection" 
<?xml version="1.0"?> <!DOCTYPE order [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///dev/random" > ]> <soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope" soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding"> <soap:Body xmlns:m="http://www.example.org/order"> <foo>&xxe;</foo> </soap:Body> </soap:Envelope>
Listing 1: Valid SOAP message
Attack mitigation / countermeasures
If you are sure that your web service framework implements the SOAP 1.2 standard correctly you are not vulnerable to any of these attacks. In case you are not sure, the easiest and most forward way is to manually check prior to parsing whether or not an opening DTD Tag is existent. If that is the case just discard the message.
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
Categorisation by number of involved parties
Categorisation by attacked component in web service architecture
Categorisation by attack spreading
- Nishchal Bhalla and Sahba Kazerooni.Web services vulnerabilities.http://www.blackhat.com/presentations/bh-europe-07/Bhalla-Kazerooni/Whitepaper/bh-eu-07-bhalla-WP.pdf, February 2007. Accessed 01 July 2010.
- OWASP Foundation. Testing for xml injection. http://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29, January 2010. Accessed 01 July 2010.