
I am trying to protect a .NET web service against XXE exploits. Since the underlying SOAP message is XML, it is potentially at risk.

A way to prohibit DTD processing for XML documents can be found here and here. However, the XML parsing of the SOAP message is done by the framework.

How can I modify the settings of the XML reader in order to turn off DTD processing?

I also looked for a hook to access the XML content directly, but found nothing appropriate in the documentation of WebService.

1 Answer


I did some tests that showed that ASP.NET web services are protected against XXE attacks. The framework seems to switch off DTD processing by default.

I used SoapUI for testing. Just adding a DOCTYPE definition like

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[ 
<!ENTITY laugh "hahahahaha">
]>

resulted in a bad request error (HTTP Status 400).

To make sure that I did not just mess up the SOAP message, I also validated the XML content separately.
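The separate validation step mentioned above, reproduced as an added example that is not part of the question or the answer: it feeds the DOCTYPE from the answer (with a constructed root element that references the entity) through System.Xml's XmlReader under each DtdProcessing mode, with XmlResolver set to null so that no external DTD or entity is ever fetched.

```csharp
using System;
using System.IO;
using System.Xml;

static class XxeCheck
{
    // Constructed sample: the DOCTYPE from the answer plus a body that uses the entity.
    const string Doc =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<!DOCTYPE root [\n" +
        "<!ENTITY laugh \"hahahahaha\">\n" +
        "]>\n" +
        "<root>&laugh;</root>";

    // Parses the document with the given DTD mode and returns the root element's
    // text, or null when the reader rejects the document with an XmlException.
    public static string ParseOrNull(string xml, DtdProcessing mode)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = mode,   // Prohibit: any <!DOCTYPE> is an error
            XmlResolver = null      // never resolve external entities or DTDs
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                reader.MoveToContent();
                return reader.ReadElementContentAsString();
            }
        }
        catch (XmlException ex)
        {
            Console.WriteLine("{0}: rejected ({1})", mode, ex.Message);
            return null;
        }
    }

    static void Main()
    {
        // Prohibit fails at the DOCTYPE; Ignore drops the DTD so &laugh; is undeclared;
        // Parse expands the internal entity but still cannot fetch anything external.
        foreach (var mode in new[] { DtdProcessing.Prohibit, DtdProcessing.Ignore, DtdProcessing.Parse })
        {
            var text = ParseOrNull(Doc, mode);
            if (text != null)
                Console.WriteLine("{0}: parsed, root text = {1}", mode, text);
        }
    }
}
```

Prohibit is what a hardened reader should use for untrusted input; Parse with a null resolver is the fallback when a DTD is genuinely required, since it blocks external fetches but still allows entity expansion inside the document.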