Xml External Entities with Hmac Signatures

Xml External Entities (XXE) attacks exploit XML parsers that process external entity references, allowing attackers to read arbitrary files, access internal services, or cause denial of service. In HMAC signature implementations, XXE vulnerabilities often appear in XML-based message signing and verification workflows.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>

When HMAC signatures are generated or verified using XML documents, an XXE vulnerability can compromise the integrity of the entire signing process. Consider a payment processing API that receives XML requests with HMAC-SHA256 signatures:

// Vulnerable HMAC XML verification
const xml2js = require('xml2js');
const crypto = require('crypto');

function verifyHmac(xml, expectedSignature) {
  const parser = new xml2js.Parser();
  parser.parseString(xml, (err, result) => {
    const data = result.payment.amount + result.payment.currency;
    const hmac = crypto.createHmac('sha256', process.env.SECRET_KEY)
                      .update(data)
                      .digest('hex');
    return hmac === expectedSignature;
  });
}

The vulnerability occurs because the XML parser processes external entities before the HMAC verification logic executes. An attacker can craft a request that reads sensitive files and includes their contents in the XML structure, then generate a valid HMAC for the manipulated payload:

<payment>
  <amount>100</amount>
  <currency>USD</currency>
  <description>&xxe;</description>
</payment>

Even if the HMAC signature verifies correctly for the manipulated XML, the application processes data that includes sensitive information exfiltrated through the XXE channel. This breaks the fundamental security assumption that a valid HMAC guarantees message integrity.

Another manifestation occurs in XML canonicalization (C14N) processes used before HMAC generation. Many HMAC implementations require XML canonicalization to ensure consistent byte representations across different systems. If the canonicalization process processes external entities, attackers can manipulate the canonical form:

<!-- XXE in XML canonicalization -->
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://internal-service:8080/config" >
]>
<request>
  <data>valid data&xxe;</data>
</request>

The canonicalization process resolves the external entity reference, potentially including internal network configuration or secrets in the byte stream that gets HMAC-signed. The resulting signature appears valid, but the message content has been manipulated through the XXE vector.

Detecting XXE vulnerabilities in HMAC signature implementations requires examining both the XML processing pipeline and the cryptographic verification logic. Start by auditing XML parser configurations across your codebase:

# Check for vulnerable XML parser usage
find . -name "*.js" -o -name "*.py" -o -name "*.java" | xargs grep -n "xml2js\|xml.etree\|DocumentBuilderFactory"

Look for configurations that enable external entity processing. In Java, the vulnerable pattern looks like:

// Vulnerable: allows external entities
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(inputStream);

The secure configuration explicitly disables external entities:

// Secure: disables external entities
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
DocumentBuilder builder = factory.newDocumentBuilder();

For HMAC-specific detection, examine the XML canonicalization step if present. Many implementations use libraries like Apache Santuario for XML Signature processing:

<!-- Check for external DTD references in XML Signatures -->
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
  <Reference URI="#data">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
    </Transforms>
  </Reference>
</SignedInfo>

Automated scanning with middleBrick can identify XXE vulnerabilities in HMAC signature endpoints. The scanner tests for external entity processing by submitting payloads with various XXE patterns and analyzing the server's response behavior:

# Scan HMAC signature endpoint with middleBrick
middlebrick scan https://api.example.com/v1/payments/signature \
  --test xxe \
  --test hmac-integrity

The scanner evaluates whether the endpoint processes external entities, whether XML canonicalization reveals internal data, and whether HMAC verification can be bypassed through XML manipulation. It provides specific findings with severity levels and remediation guidance.

Network-level detection can identify XXE attempts through monitoring for outbound connections from XML processing services. Set up intrusion detection rules to flag unexpected HTTP/S requests originating from your application servers during XML processing operations.

Remediating XXE vulnerabilities in HMAC signature implementations requires a defense-in-depth approach that addresses both XML processing and cryptographic verification. Start with secure XML parser configuration:

// Secure XML parsing for HMAC workflows
const { parseString } = require('xml2js');

function secureParse(xml, callback) {
  const parser = new parseString({
    strict: true,
    explicitArray: false,
    mergeAttrs: true,
    validator: (xml, callback) => {
      // Block external entities
      if (xml.includes('&')) {
        return callback(new Error('External entities not allowed'));
      }
      callback(null);
    }
  });
  parser.parseString(xml, callback);
}

For Java implementations using XML Signature, apply the following secure configuration:

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.crypto.dsig.*;
import java.security.Key;

public class SecureHmacXmlSigner {
  public static XMLSignatureFactory createSecureFactory() {
    XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
    
    // Create secure document builder
    DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
    dbFactory.setNamespaceAware(true);
    dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    
    return factory;
  }
  
  public static boolean verifyHmacSignature(String xml, String expectedSignature, Key hmacKey) {
    try {
      // Parse XML securely
      DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
      dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
      dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      Document doc = dbFactory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
      
      // Extract canonical form without external entities
      String canonicalXml = canonicalizeSecurely(doc);
      
      // Generate HMAC
      Mac hmac = Mac.getInstance("HmacSHA256");
      hmac.init(hmacKey);
      byte[] computedHash = hmac.doFinal(canonicalXml.getBytes(StandardCharsets.UTF_8));
      
      // Compare securely
      return MessageDigest.isEqual(computedHash, hexToBytes(expectedSignature));
    } catch (Exception e) {
      return false;
    }
  }
}

Implement input validation that rejects XML documents containing suspicious patterns before processing:

import re

def validate_xml_for_hmac(xml_content):
    """Validate XML before HMAC processing"""
    # Block DTD declarations
    if re.search(r'DOCTYPE\s+\w+', xml_content, re.IGNORECASE):
        raise ValueError("DTD declarations not allowed")
    
    # Block external entity references
    if re.search(r'\&\w+;', xml_content):
        raise ValueError("External entity references not allowed")
    
    # Block XML comments that might hide malicious content
    if '' in xml_content:
        raise ValueError("XML comments not allowed")
    
    return True

For applications that must process XML but need HMAC security, consider switching to JSON for message signing, which eliminates the XXE attack surface entirely:

// JSON-based HMAC signing (more secure alternative)
function signJsonPayload(payload, secretKey) {
  const json = JSON.stringify(payload);
  const hmac = crypto.createHmac('sha256', secretKey)
                    .update(json)
                    .digest('hex');
  return { payload, signature: hmac };
}

function verifyJsonPayload(signed, secretKey) {
  const computedHmac = crypto.createHmac('sha256', secretKey)
                            .update(JSON.stringify(signed.payload))
                            .digest('hex');
  return computedHmac === signed.signature;
}

Deploy runtime application self-protection (RASP) rules that monitor XML processing operations and block suspicious patterns. Configure web application firewalls to inspect XML payloads for XXE indicators before they reach your application servers.