Wednesday, November 9, 2022

On ColdFusion, XXE, and other XML Attacks

An Introduction

This is the first of what may become a few blog posts based on my CFSummit 2022 talk.  Plus with the release of Adobe Security Bulletin APSB22-44 in October -- which fixed some security bugs that I reported and  improved the available ColdFusion XML security options -- I figured this was also a good opportunity to pull together some ColdFusion XML security best practices into one place.

XML data can live in lots of places, beyond the obvious instances of .xml files and XML-like file formats. RSS feeds. REST API requests and responses. SAML and SOAP messages. Office Open XML files such as DOCX, XLSX, PPTX, etc. And several file formats (such as PDF and PNG) include metadata fields that can contain XML.

If your application consumes and processes XML, then XML eXternal Entities (XXE) is a vulnerability class that you need to be aware of and protect against.