Net is to use the System.Xml.XmlDocument class. The XmlDocument class consumes XML and creates an internal
representation of the document known as a Document Object Model (DOM). The DOM
allows developers to manipulate the document easily, whether by performing XPath
queries or by navigating the document hierarchically. Unfortunately, the
methods XmlDocument uses to load XML (Load and LoadXml) have insecure defaults in the
.NET Framework versions this chapter covers: they parse inline DTDs and resolve external
entities through the default XmlUrlResolver, so they are vulnerable to external entity (XXE)
and entity expansion attacks unless the caller overrides those defaults.
Forcing the Application Server to Become Unavailable when Parsing XML
Popularity: 4
Simplicity: 8
Impact: 6
Risk Rating: 6
Consider the functions in the following example, which create a DOM from XML
supplied either from a file or from the user as a string. The latter case is common in web
applications that accept data from users and use XML to serialize state.
    using System.Xml;

    /// <summary>
    /// Loads xml from a file, returns the loaded XmlDocument
    /// </summary>
    /// <param name="xmlFile">URI of file containing Xml</param>
    /// <returns>Loaded XmlDocument object</returns>
    public XmlDocument InSecureXmlFileLoad(string xmlFile)
    {
        // Default XmlDocument: inline DTDs are parsed and external entities are
        // resolved, so a hostile file can trigger XXE or entity expansion.
        XmlDocument xmlDocument = new XmlDocument();
        xmlDocument.Load(xmlFile);
        return xmlDocument;
    }

    /// <summary>
    /// Loads xml from a string.
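The following program is an added example, not code from the book; it shows the entity-expansion denial of service described in this section against the insecure loading pattern above, and a hardened loader that rejects it. It assumes .NET Framework 4.0 or later (DtdProcessing and MaxCharactersFromEntities were added in 4.0; on 3.5 the equivalent switch is XmlReaderSettings.ProhibitDtd = true). The payload is constructed for the example and deliberately kept small (three nesting levels, roughly 3,000 characters after expansion) so it runs quickly; a real attack adds levels until the parser exhausts memory or CPU. The class and method names are illustrative.

```csharp
using System;
using System.IO;
using System.Xml;

public static class XmlLoaders
{
    // Constructed entity-expansion ("billion laughs") document. Each level
    // references the previous one ten times, so &lol3; expands to 10^3 copies
    // of "lol". Adding levels grows the expansion exponentially.
    public const string ExpansionPayload =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE lolz [\n" +
        " <!ENTITY lol \"lol\">\n" +
        " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
        " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
        " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
        "]>\n" +
        "<lolz>&lol3;</lolz>";

    // Same pattern as the book's InSecureXml*Load methods: XmlDocument with its
    // defaults parses the inline DTD and expands every entity reference.
    public static XmlDocument InsecureLoad(string xml)
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(xml);
        return doc;
    }

    // Hardened loader (illustrative name): the document is read through an
    // XmlReader whose settings forbid DTDs, disable external resolution, and
    // cap entity expansion as defence in depth. XmlDocument.XmlResolver is also
    // nulled so nothing is fetched if a DTD ever slips through.
    public static XmlDocument SecureLoad(string xml)
    {
        XmlReaderSettings settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,   // reject any <!DOCTYPE ...>
            XmlResolver = null,                       // never fetch external entities/DTDs
            MaxCharactersFromEntities = 1024          // bound expansion even if DTDs were allowed
        };

        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;
        using (StringReader text = new StringReader(xml))
        using (XmlReader reader = XmlReader.Create(text, settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    public static void Main()
    {
        // Insecure path: the reference expands and the DOM holds the result.
        XmlDocument expanded = InsecureLoad(ExpansionPayload);
        Console.WriteLine("insecure loader: document text is {0} characters",
            expanded.DocumentElement.InnerText.Length);

        // Hardened path: the DOCTYPE is rejected before any entity is expanded.
        try
        {
            SecureLoad(ExpansionPayload);
            Console.WriteLine("secure loader: document unexpectedly accepted");
        }
        catch (XmlException e)
        {
            Console.WriteLine("secure loader: rejected - {0}", e.Message);
        }
    }
}
```

The same XmlReaderSettings protect against XXE, since an external entity can only be fetched if the DTD is parsed and a resolver is available. Note that starting with .NET Framework 4.5.2 the XmlDocument.XmlResolver property already defaults to null, which blocks external entity resolution even on the insecure path; inline entity expansion is still performed, so the explicit XmlReader settings above remain the correct fix rather than relying on the framework version.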