I am trying to protect a .NET web service against XXE exploits. Since the underlying SOAP message is XML, it is potentially at risk.
A way to prohibit DTD processing for XML documents can be found here and here. However, the XML parsing of the SOAP message is done by the framework.
How can I modify the settings of the XML reader in order to turn off DTD processing?
I also looked for a hook to access the XML content directly, but found nothing appropriate in the documentation of WebService.
I did some tests that showed that ASP.NET web services are protected against XXE attacks. The framework seems to switch off DTD processing by default.
I used Soap UI for testing. Just adding a DOCTYPE definition like
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[
<!ENTITY laugh "hahahahaha">
]>
resulted in a bad request error (HTTP Status 400).
To make sure that I did not just mess up the SOAP message, I also validated the XML content separately.
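As an added example (not code from the question or the answer above), the following shows what the answer observed, reproduced on an XmlReader the application controls itself: a message that carries a DOCTYPE like the one above is refused under DtdProcessing.Prohibit, and accepted (with the entity expanded) under DtdProcessing.Parse. The SOAP-style envelope is a constructed sample; the class and method names are my own.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not part of the original question or answer.
public static class DtdCheck
{
    // Constructed sample: a SOAP-style envelope carrying the same kind of
    // internal DTD the answer tested with (entity "laugh"). No external
    // entity is referenced.
    public const string MessageWithDoctype =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<!DOCTYPE root[\n" +
        "<!ENTITY laugh \"hahahahaha\">\n" +
        "]>\n" +
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" +
        "  <soap:Body><Greeting>&laugh;</Greeting></soap:Body>\n" +
        "</soap:Envelope>";

    // Returns true when the reader accepts the whole document under the given
    // DTD mode, false when it throws an XmlException (for Prohibit, the reader
    // throws as soon as it meets the DOCTYPE, before any entity is expanded).
    public static bool IsAccepted(string xml, DtdProcessing mode)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = mode,
            XmlResolver = null // never fetch external DTDs or external entities
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read()) { } // walk every node so expansion is attempted
            }
            return true;
        }
        catch (XmlException)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Hardened setting: the DOCTYPE is rejected outright.
        Console.WriteLine("Prohibit accepted: " + IsAccepted(MessageWithDoctype, DtdProcessing.Prohibit));
        // Weak setting: the internal DTD is processed and &laugh; is expanded.
        Console.WriteLine("Parse accepted:    " + IsAccepted(MessageWithDoctype, DtdProcessing.Parse));
    }
}
```

Setting XmlResolver to null on top of Prohibit is the defensive default for any reader you configure yourself, since it also blocks external fetches in the Ignore and Parse modes.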