XML External Entity injection

OWASP 2013-A1 OWASP 2017-A4 OWASP 2021-A5 OWASP 2019-API8 PCI v3.2-6.5.1 OWASP PC-C3 CAPEC-376 CWE-611 ISO27001-A.14.2.5 WASC-43 WSTG-INPV-07

An XML External Entity (XXE) attack targets an application that accepts XML input. The attack occurs when the XML input contains a reference to an external entity and that entity is processed by a weakly configured XML parser. Any server running a weakly configured XML parser is therefore exposed to it. A successful XML External Entity attack can lead to the disclosure of confidential data, denial of service, server-side request forgery and port scanning.

Example

The XML below declares an external entity that points at a resource which can never be fully read (/dev/random), so a parser that resolves the entity never returns.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///dev/random" >
    ]>
    <foo>&xxe;</foo>

Impact

Depending on the back-end database configuration, its privilege setup and the operating system, an attacker can mount one or more of the following types of attack:

  • Reading, updating and deleting arbitrary data/tables from the database
  • Executing commands on the underlying operating system
  • Leak of sensitive information
  • Denial of service
  • Server-side request forgery
  • Port forwarding

Mitigation / Precaution

This vulnerability can be fixed by:

  • Upgrading the framework to the latest version.
  • Ensuring that the inputs are properly validated.
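The following added example (not code from the original page) shows both sides of the example and the mitigation above in Python's standard library: a weakly configured `xml.sax` parser that resolves external general entities, and a hardened parser built on `xml.parsers.expat` that refuses any DOCTYPE, which removes the entity declaration the attack depends on. Python 3.7.1 and later leave `feature_external_ges` off by default, so the weak parser switches it on deliberately to reproduce the vulnerable configuration. The "secret" file, the temporary directory and the `SECRET-SAMPLE` content are constructed stand-ins; the payload points its SYSTEM entity at that file rather than at /dev/random so the demonstration terminates.

```python
import io
import os
import tempfile
import xml.parsers.expat
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """SAX handler that gathers all character data, i.e. what a
    vulnerable application would echo back to the client."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def make_payload(path):
    """Constructed payload in the shape of the page's example, but with the
    SYSTEM entity pointing at a local file (constructed) instead of /dev/random."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY >\n"
        f'<!ENTITY xxe SYSTEM "{path}" >]><foo>&xxe;</foo>'
    ).encode("latin-1")


def parse_with_external_entities(data):
    """Weakly configured parser: external general entities are resolved.
    Python 3.7.1+ disables feature_external_ges by default; switching it on
    reproduces the vulnerable configuration on purpose."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    parser.parse(io.BytesIO(data))
    return collector.text()


def parse_hardened(data):
    """Defensive configuration built on expat directly: any DOCTYPE is
    rejected outright (so no entity can be declared at all), and should an
    external reference still reach the parser, the handler refuses to fetch
    it rather than opening a file or URL."""
    parts = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE not allowed in untrusted XML")

    def refuse_external_entity(context, base, sysid, pubid):
        return 0  # 0 aborts parsing; a non-zero return would mean "resolved"

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = refuse_external_entity
    parser.CharacterDataHandler = parts.append
    parser.Parse(data, True)
    return "".join(parts).strip()


def run_demo():
    """Create a constructed stand-in secret file, feed the same payload to
    both parsers and report what each one did."""
    workdir = tempfile.mkdtemp()
    secret_path = os.path.join(workdir, "secret.txt")
    with open(secret_path, "w", encoding="ascii") as f:
        f.write("SECRET-SAMPLE\n")  # constructed stand-in for a sensitive file
    try:
        payload = make_payload(secret_path)
        leaked = parse_with_external_entities(payload)  # file content comes back
        try:
            parse_hardened(payload)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True  # DOCTYPE refused before any entity is declared
        return {"leaked": leaked, "hardened_rejected": hardened_rejected}
    finally:
        os.remove(secret_path)
        os.rmdir(workdir)


if __name__ == "__main__":
    print(run_demo())
```

Rejecting the DOCTYPE entirely is the simplest hardening because it works the same way regardless of which entity features a given parser exposes; where an application genuinely needs a DTD, the narrower option is to keep `feature_external_ges` and `feature_external_pes` off and make sure no code path turns them back on.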
