|Join hundreds of other Developers and InfoSec professionals for Training, Sessions and Community at our first conference of 2019|
[AppSec Tel Aviv, May 26-30th]
Top 10-2017 A4-XML External Entities (XXE)
|Threat Agents / Attack Vectors||Security Weakness||Impacts|
|App Specific||Exploitability: 2
|Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations.||
By default, many older XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing.
SAST tools can discover this issue by inspecting dependencies and configuration. DAST tools require additional manual steps to detect and exploit this issue. Manual testers need to be trained in how to test for XXE, as it not commonly tested as of 2017.
These flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks.
The business impact depends on the protection needs of all affected application and data.
Applications and in particular XML-based web services or downstream integrations might be vulnerable to attack if:
Developer training is essential to identify and mitigate XXE. Besides that, preventing XXE requires:
If these controls are not possible, consider using virtual patching, API security gateways, or Web Application Firewalls (WAFs) to detect, monitor, and block XXE attacks.
Numerous public XXE issues have been discovered, including attacking embedded devices. XXE occurs in a lot of unexpected places, including deeply nested dependencies. The easiest way is to upload a malicious XML file, if accepted:
Scenario #1: The attacker attempts to extract data from the server:
Scenario #2: An attacker probes the server's private network by changing the above ENTITY line to:
Scenario #3: An attacker attempts a denial-of-service attack by including a potentially endless file: