How to prevent XXE attack (XmlSerializer in .Net)

Time: 2016-04-15 15:03:46

Tags: xml vb.net xml-parsing veracode xxe

We had a Veracode security audit on some old legacy apps and found that we are vulnerable to an External Entity (XXE) attack. I have fixed most of the problems but I've run across some code I have no idea how to deal with and I am hoping someone here can give me some direction. Here is the associated code:

...
Dim authTicket As FormsAuthenticationTicket
authTicket = FormsAuthentication.Decrypt(authCookie.Value)
Dim xml As String = authTicket.UserData  'XML payload stored in the forms-auth ticket
Dim authObj As Object = Nothing
Dim serializer As System.Xml.Serialization.XmlSerializer = Nothing

If xml.Contains("<CensusLoginInfo") Then
    serializer = New System.Xml.Serialization.XmlSerializer(GetType(MoHWoRXCensus_Business.CensusLoginInfo))
End If
If serializer IsNot Nothing Then
    'deserializes straight from a StringReader, so the reader's default XML settings apply
    authObj = serializer.Deserialize(New IO.StringReader(xml))
    rl.Add("Provider") 'mark this user as a provider since they've logged in
End If
....

The problem is with this piece of code:

serializer = New System.Xml.Serialization.XmlSerializer(GetType(MoHWoRXCensus_Business.CensusLoginInfo))

According to Veracode, the problem with the above snippet is "Improper Restriction of XML External Entity Reference ('XXE')". According to the CWE list this means "The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output."

I do not know what I have to do with the code to fix it.
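The usual mitigation for this pattern is not to change the XmlSerializer itself but to feed it an XmlReader whose settings prohibit DTD processing and carry no XmlResolver, so any DOCTYPE (and therefore any external entity) is rejected before deserialization starts. The following is an added example, not code from the question; it assumes a stand-in CensusLoginInfo class with a single UserName property in place of the real MoHWoRXCensus_Business.CensusLoginInfo, and the sample XML strings are constructed for the demonstration.

```vbnet
Imports System
Imports System.IO
Imports System.Xml
Imports System.Xml.Serialization

' Hypothetical stand-in for MoHWoRXCensus_Business.CensusLoginInfo (the real class is not on the page).
Public Class CensusLoginInfo
    Public Property UserName As String
End Class

Public Module SafeXmlDeserializer
    ' Deserialize the ticket's UserData through an XmlReader that refuses DTDs and has no resolver,
    ' so a DOCTYPE declaring external entities is rejected before XmlSerializer ever sees the content.
    Public Function DeserializeCensusLoginInfo(xml As String) As CensusLoginInfo
        Dim settings As New XmlReaderSettings()
        settings.DtdProcessing = DtdProcessing.Prohibit   ' any <!DOCTYPE ...> raises an XmlException
        settings.XmlResolver = Nothing                     ' never fetch external resources, even if a DTD got through

        Dim serializer As New XmlSerializer(GetType(CensusLoginInfo))
        Using stringReader As New StringReader(xml)
            Using reader As XmlReader = XmlReader.Create(stringReader, settings)
                Return CType(serializer.Deserialize(reader), CensusLoginInfo)
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed sample of a benign ticket payload.
        Dim benign As String = "<CensusLoginInfo><UserName>alice</UserName></CensusLoginInfo>"
        Console.WriteLine("Parsed user: " & DeserializeCensusLoginInfo(benign).UserName)

        ' Constructed sample carrying a DOCTYPE with an internal entity: the hardened reader rejects it.
        Dim withDoctype As String = "<!DOCTYPE x [ <!ENTITY e ""placeholder""> ]>" & _
            "<CensusLoginInfo><UserName>&e;</UserName></CensusLoginInfo>"
        Try
            DeserializeCensusLoginInfo(withDoctype)
            Console.WriteLine("Unexpected: DOCTYPE was accepted")
        Catch ex As Exception
            ' XmlSerializer reports reader failures as InvalidOperationException wrapping the XmlException.
            Console.WriteLine("Rejected: " & ex.GetBaseException().Message)
        End Try
    End Sub
End Module
```

The same XmlReaderSettings can be reused for every XmlSerializer call in the application; the only change at each call site is replacing the bare StringReader with XmlReader.Create(stringReader, settings).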

0 answers:

No answers