An XML External Entity (XXE) attack targets an application that parses XML input. The attack occurs when the XML input contains a reference to an external entity and that reference is processed by a weakly configured XML parser. If a server runs a weakly configured XML parser, an XML External Entity attack is possible. The XML External Entity attack can lead to the disclosure of confidential data, denial of service, server-side request forgery and port scanning.
The code below is an XML resource that cannot be returned.
Depending on the back-end database configuration, its privilege setup and the operating system, an attacker can mount one or more of the following types of attack:
Reading, updating and deleting arbitrary data/tables from the database
Executing commands on the underlying operating system
Leak of sensitive information
Denial of service
Server side request forgery
Mitigation / Precaution
This vulnerability can be fixed by:
Upgrading the framework to the latest version.
Ensuring that the inputs are properly validated.
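The hardened parser described by the mitigation above, as an added example that is not part of the original page: it refuses any DOCTYPE (the only place entity declarations can live) and never resolves external entities, so the file-disclosure, SSRF and entity-expansion vectors named in the introduction are all closed. The sample documents and the placeholder URLs in them are constructed for this illustration.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document uses XML features that enable XXE."""


def parse_xml_safely(data: bytes) -> dict:
    """Parse untrusted XML with a hardened expat configuration.

    Any DOCTYPE is refused outright: entity declarations (external or
    internal) can only appear inside a DTD, so rejecting the DTD removes
    the external-entity, SSRF and entity-expansion (DoS) vectors at once.
    Returns the root element name and the concatenated character data.
    """
    parser = expat.ParserCreate()
    # Defence in depth: never load external parameter entities (remote DTDs).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' refused: DTDs are not accepted")

    def refuse_external_entity(context, base, system_id, public_id):
        return 0  # 0 tells expat to abort instead of resolving the reference

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = refuse_external_entity

    result = {"root": None, "text": []}

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = result["text"].append
    parser.Parse(data, True)
    return {"root": result["root"], "text": "".join(result["text"])}


def is_accepted(data: bytes) -> bool:
    """True if the hardened parser accepts the document, False if it refuses it."""
    try:
        parse_xml_safely(data)
        return True
    except (UnsafeXMLError, expat.ExpatError):
        return False


# Constructed sample documents (placeholder paths/hosts, not real targets).
BENIGN = b"<user><name>alice</name></user>"
FILE_XXE = (b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///placeholder/secret.txt">]>'
            b"<user><name>&x;</name></user>")
SSRF_XXE = (b'<!DOCTYPE d [<!ENTITY x SYSTEM "http://internal.placeholder/">]>'
            b"<user>&x;</user>")
DOS_XXE = (b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">'
           b'<!ENTITY c "&b;&b;&b;&b;">]><user>&c;</user>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("file", FILE_XXE),
                       ("ssrf", SSRF_XXE), ("dos", DOS_XXE)]:
        print(label, "accepted" if is_accepted(doc) else "refused")
```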