| Details | |
|---|---|
| Alert ID | 90023 |
| Alert Type | Active |
| Status | release |
| Risk | High |
| CWE | 611 |
| WASC | 43 |
| Technologies Targeted | All |
| Tags |
CWE-611 HIPAA OUT_OF_BAND OWASP_2017_A04 OWASP_2021_A03 PCI_DSS POLICY_API POLICY_DEV_CICD POLICY_DEV_FULL POLICY_DEV_STD POLICY_PENTEST POLICY_QA_FULL POLICY_QA_STD POLICY_SEQUENCE WSTG-V42-INPV-07 |
| More Info |
Scan Rule Help |
Summary
This technique takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to an URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data, alternate referrals or may compromise the security of the data the server/XML application has access to. Attackers may also use External Entities to have the web services server download malicious code or content to the server for use in secondary or follow on attacks.
Solution
XML External Entities vulnerabilities arise because the application's XML parsing library supports potentially dangerous XML features. To prevent XML External Entities vulnerabilities disable the resolution of external entities and the support for XInclude.Other Info
References
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://cwe.mitre.org/data/definitions/611.html