XML External Entity
high Web Application Scanning Plugin ID 98113
Language:
Synopsis
XML External EntityDescription
An XML External Entity attack is a type of attack against an application that parses XML input.This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Solution
Since the whole XML document is communicated from an untrusted client, it's not usually possible to selectively validate or escape tainted data within the system identifier in the DTD.Therefore, the XML processor should be configured to use a local static DTD and disallow any declared DTD included in the XML document.
See Also
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
Plugin Details
Severity: High
ID: 98113
Type: remote
Family: Injection
Published: 3/31/2017
Updated: 4/8/2022
Scan Template: pci, api, scan
Risk Information
VPR
Risk Factor: Low
Score: 3.4
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: Tenable
CVSS v3
Risk Factor: High
Base Score: 7.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score Source: Tenable
Reference Information
OWASP: 2010-A1, 2013-A1, 2017-A4, 2021-A5
CWE: 611
WASC: XML External Entities
OWASP API: 2019-API7
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
PCI-DSS: 3.2-6.5.1
CAPEC: 221
DISA STIG: APSC-DV-002550
OWASP ASVS: 4.0.2-5.5.2
NIST: sp800_53-SI-10