Details
Alert Id 90023
Alert Type Active Scan Rule
Status beta
Risk High
CWE 611
WASC 43

Summary

This technique takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to an URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data, alternate referrals or may compromise the security of the data the server/XML application has access to. Attackers may also use External Entities to have the web services server download malicious code or content to the server for use in secondary or follow on attacks.

Solution

TBA

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/XxeScanRule.java