Can anyone point me to Microsoft documentation that describes how SharePoint Server 2016 protects against XML External Entity injection attacks as described in the OWASP Top Ten? This recently popped on a Netsparker scan for the SP WFE.
The scan recommended hardening the XML reader objects, but I don't think that is acceptable in the SharePoint world. Something like the code below:
```csharp
using System.Xml;

XmlReaderSettings settings = new XmlReaderSettings();
settings.ProhibitDtd = false;               // obsolete since .NET 4.0; DtdProcessing replaces it
settings.MaxCharactersFromEntities = 1024;  // caps entity expansion
settings.XmlResolver = null;                // no external entity/DTD resolution, which is what blocks XXE
XmlReader reader = XmlReader.Create(stream, settings);
```
I am pretty sure this relates to .NET or custom applications, not OOTB SharePoint. The following article is what I can find from MS, but it relates to .NET or custom code, not vanilla SharePoint.
Also, the scan didn't provide a CVE number, so I cannot track back to a SharePoint patch. The scan injected an XXE via a URL parameter to contact their DNS server, Hawk, and it stated that it was successful, but I am not sure that is a valid way to test for this in SharePoint.
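For readers wondering what the scanner's recommendation does in practice, here is an added example (not from the original post, and not SharePoint code) that applies the same hardening through the current .NET 4+ API and shows that a constructed document carrying an external entity declaration is rejected before anything is fetched. The placeholder URI and class names are my own.

```csharp
using System;
using System.IO;
using System.Xml;

static class XxeHardeningDemo
{
    // Constructed sample: the DOCTYPE declares an external entity (placeholder URI,
    // nothing is ever requested) and the body references it.
    const string UntrustedXml =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"http://placeholder.invalid/resource\">]>" +
        "<doc>&ext;</doc>";

    // Same intent as the scanner's snippet, using DtdProcessing instead of the
    // obsolete ProhibitDtd property. Note that XmlReaderSettings already defaults
    // to DtdProcessing.Prohibit on .NET 4.0 and later.
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,  // any DOCTYPE raises XmlException
            XmlResolver = null,                      // never resolve external URIs
            MaxCharactersFromEntities = 1024         // bound entity expansion
        };
    }

    // Reads the whole document; returns false and the parser message if rejected.
    public static bool TryParse(string xml, XmlReaderSettings settings, out string error)
    {
        error = null;
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read()) { }
            }
            return true;
        }
        catch (XmlException ex)
        {
            error = ex.Message;
            return false;
        }
    }

    static void Main()
    {
        string err;
        bool parsed = TryParse(UntrustedXml, HardenedSettings(), out err);
        Console.WriteLine(parsed ? "parsed" : "rejected: " + err);
    }
}
```

Whether OOTB SharePoint pages use settings like these is exactly the question the post raises; this only shows what the recommended configuration enforces when you control the code.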