XML External Entity

High | Web Application Scanning Plugin ID 98113

Synopsis

XML External Entity

Description

An XML External Entity attack is a type of attack against an application that
parses XML input.

This attack occurs when XML input containing a reference to an external entity is
processed by a weakly configured XML parser.

This attack may lead to the disclosure of confidential data, denial of service,
port scanning from the perspective of the machine where the parser is located,
and other system impacts.

Solution

Since the whole XML document is communicated from an untrusted client, it's not usually possible to selectively validate or escape tainted data within the system identifier in the DTD.
Therefore, the XML processor should be configured to use a local static DTD and disallow any declared DTD included in the XML document.
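For an application that never needs a DTD, the simplest form of this advice is to reject any DOCTYPE outright and never let the parser fetch external entities. The following is an added example for Python's standard-library SAX parser, not code from the plugin page or from Tenable: the lexical handler raises as soon as a DOCTYPE appears (which is where an inline DTD, and any entity it declares, would be), and the external-entity features are switched off as a second layer. XmlSecurityError, DoctypeRejector, TextCollector, parse_untrusted, is_rejected and the two sample documents are names and inputs constructed for this illustration.

```python
import xml.sax
from xml.sax import handler

class XmlSecurityError(Exception):
    """The document declared a DTD, which the hardened parser refuses."""

class DoctypeRejector:
    """Lexical handler that refuses any <!DOCTYPE>, so no entity can be declared at all."""
    def startDTD(self, name, public_id, system_id):
        raise XmlSecurityError(f"DOCTYPE for <{name}> rejected (system id {system_id!r})")
    endDTD = startCDATA = endCDATA = comment = lambda self, *args: None  # other lexical callbacks: no-op

class TextCollector(handler.ContentHandler):
    """Records the text content of every element, keyed by tag name."""
    def __init__(self):
        super().__init__()
        self.values, self._stack = {}, []
    def startElement(self, name, attrs):
        self._stack.append((name, []))
    def characters(self, content):
        if self._stack:
            self._stack[-1][1].append(content)
    def endElement(self, name):
        name, chunks = self._stack.pop()
        self.values[name] = "".join(chunks).strip()

def parse_untrusted(xml_bytes):
    """Parse client-supplied XML into {tag: text}; raises XmlSecurityError on any DTD."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)  # never fetch external general entities
    parser.setFeature(handler.feature_external_pes, False)  # never fetch external parameter entities
    parser.setProperty(handler.property_lexical_handler, DoctypeRejector())
    parser.setContentHandler(collector)
    parser.feed(xml_bytes)
    parser.close()
    return collector.values

def is_rejected(xml_bytes):
    """True if the hardened parser refuses the document outright."""
    try:
        parse_untrusted(xml_bytes)
        return False
    except XmlSecurityError:
        return True

# Constructed sample inputs (not taken from the plugin page); the SYSTEM id is a placeholder.
BENIGN = b"<order><item>widget</item><qty>3</qty></order>"
WITH_DTD = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/data.txt">]>'
            b"<order><item>&ext;</item></order>")
```

parse_untrusted(BENIGN) returns {'item': 'widget', 'qty': '3', 'order': ''}, while the WITH_DTD sample raises XmlSecurityError at the DOCTYPE, before the parser ever reaches the entity declaration.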

See Also

https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

Plugin Details

Severity: High

ID: 98113

Type: remote

Family: Injection

Published: 2017/03/31

Updated: 2017/10/16

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Reference Information

CWE: 611

WASC: XML External Entities

OWASP: 2017-A4, 2013-A1, 2010-A1