An XML External Entity (XXE) attack is an attack against an application that parses XML input. The attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. If a server uses a weakly configured XML parser, an XML External Entity attack is possible. A successful XML External Entity attack can lead to disclosure of confidential data, denial of service, server-side request forgery and port scanning.
The XML document below references a local resource (/dev/random) that never stops returning data, so a parser that resolves the external entity can be tied up indefinitely:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
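The following added example (not code from the original page) shows one defensive parser configuration in Python: before handing untrusted XML to the normal parser, a first pass with the standard-library expat parser refuses any DOCTYPE or entity declaration, so a document like the one above is rejected before any external entity could be resolved. The function names and the embedded sample documents are constructed for this example; the approach mirrors the "forbid DTD" setting of libraries such as defusedxml.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing DTDs and entity declarations.

    Pass 1 runs expat with handlers that abort on the first DOCTYPE or
    entity declaration, so an external entity such as
    <!ENTITY xxe SYSTEM "file:///dev/random"> is never resolved.
    Pass 2 parses the now-vetted document with ElementTree as usual.
    """
    pre = xml.parsers.expat.ParserCreate()

    def forbid_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {doctype_name!r} is not allowed in untrusted input")

    def forbid_entity(entity_name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        raise DTDForbidden(f"entity declaration {entity_name!r} is not allowed")

    pre.StartDoctypeDeclHandler = forbid_doctype
    pre.EntityDeclHandler = forbid_entity
    # Never load parameter entities from external sources either.
    pre.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    pre.Parse(data, True)  # raises DTDForbidden (from a handler) or ExpatError on malformed XML

    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """Return True if parse_untrusted_xml refuses the document as a DTD/entity risk."""
    try:
        parse_untrusted_xml(data)
    except DTDForbidden:
        return True
    return False


# Constructed sample inputs (hypothetical, for demonstration only).
BENIGN_XML = b'<?xml version="1.0"?><order><item qty="2">widget</item></order>'

XXE_SAMPLE = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b'<!DOCTYPE foo [\n'
    b'<!ELEMENT foo ANY >\n'
    b'<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>'
)

if __name__ == "__main__":
    root = parse_untrusted_xml(BENIGN_XML)
    print("benign document parsed, root tag:", root.tag)
    print("XXE sample rejected:", is_rejected(XXE_SAMPLE))
```

The first pass costs one extra parse of the input, which is acceptable for request-sized documents; the point is that the decision to refuse DTDs is made by the application, not left to whatever default the underlying XML library happens to ship with.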
Depending on the back-end database configuration, its privilege setup and the operating system, an attacker can mount one or more of the following types of attacks:
This vulnerability can be fixed by: