XML itself isn't very dangerous, but to process it you need to parse it, and if the parser is poorly configured that is a security risk.
XML has a mechanism called Document Type Definition (DTD) through which a document can reference internal and external entities. Using internal references it is possible to perform a denial-of-service (DoS) attack, the most popular one being the Billion Laughs attack. Using external references (XML External Entity, XXE) the parser can be made to leak and/or alter internal information.
One solution is to not use XML at all and instead use a simpler format like JSON. If that isn't an option, you have to make sure DTD processing is disabled in the XML parser being used.
XML is used in many places in the Framework, not only in the classes that handle XML directly. SOAP, for example, uses XML as its protocol and therefore has parser issues prior to SOAP 1.2. So if you have a WCF service (which uses SOAP by default), make sure its endpoints (bindings) use SOAP 1.2 and not SOAP 1.1. WSHttpBinding is safe since it uses SOAP 1.2, but BasicHttpBinding uses SOAP 1.1. Custom bindings can also be configured to use SOAP 1.1.
A great number of classes in the .NET Framework process XML, so you have to look up the ones you use and check whether they have DTD parsing on by default. To help you out I have made a list of the most common ones and their status:
- XElement: safe, since it does not process XXE instructions at all
- XDocument: only unsafe if you change the parser through the constructor
- XmlReader: safe, with ProhibitDtd set to true by default
- XmlNodeReader: also doesn't process XXE instructions
- XmlDocument: safe from .NET Framework 4.5.2 and up; on lower versions you need to set the XmlResolver property to null explicitly
Look up your XML class in the documentation (don't forget to switch to your targeted framework version); there are several classes that are unsafe prior to 4.5.2, like XmlTextReader and XPathNavigator. If you want to google it, good keywords are DTD and XXE.
Are any common XML parser classes missing from my shortlist? Tell me about it on Twitter.
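As an added example (not code from the original post), here is how the advice above translates into a hardened loader in C#: DTD processing is prohibited on the XmlReaderSettings, XmlResolver is set to null on both the reader and the XmlDocument, and a constructed document with a harmless internal entity is used to check that a DOCTYPE is actually rejected. The class and method names (SafeXml, LoadUntrusted, RejectsDtd) are my own.

```csharp
// Added example (not from the original post): a helper that loads XML with
// DTD processing disabled, plus a self-check that a DOCTYPE is rejected.
using System;
using System.IO;
using System.Xml;

public static class SafeXml
{
    // Reader settings that refuse any DTD and never fetch external resources.
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // .NET 4.0+; successor of ProhibitDtd = true
            XmlResolver = null                      // no external entity or DTD retrieval
        };
    }

    // Load untrusted XML into an XmlDocument without entity expansion.
    public static XmlDocument LoadUntrusted(string xml)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = null; // must be set explicitly on .NET Framework < 4.5.2
        using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Returns true when the loader rejects a document that declares a DTD.
    public static bool RejectsDtd()
    {
        // Constructed sample: one harmless internal entity is enough to trigger the DTD check.
        const string withDtd = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        try
        {
            LoadUntrusted(withDtd);
            return false; // DTD was processed: the parser is not hardened
        }
        catch (XmlException)
        {
            return true;  // DtdProcessing.Prohibit throws on the DOCTYPE
        }
    }

    public static void Main()
    {
        var doc = LoadUntrusted("<order><id>42</id></order>");
        Console.WriteLine(doc.DocumentElement.Name);
        Console.WriteLine(RejectsDtd() ? "DTD rejected" : "DTD accepted: parser is unsafe");
    }
}
```

Run the same RejectsDtd() check against any other parser class from the list above to confirm its default before trusting it with external input.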