XML External Entity

high Web Application Scanning Plugin ID 98113

Language:

Synopsis

XML External Entity

Description

An XML External Entity attack is a type of attack against an application that parses XML input.

This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Solution

Since the whole XML document is communicated from an untrusted client, it's not usually possible to selectively validate or escape tainted data within the system identifier in the DTD.
Therefore, the XML processor should be configured to use a local static DTD and disallow any declared DTD included in the XML document.

See Also

https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

Plugin Details

Severity: High

ID: 98113

Type: remote

Family: Injection

Published: 3/31/2017

Updated: 4/8/2022

Scan Template: api, scan, pci

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

Reference Information