XML External Entity (XXE) Injection



Description

XML external entity (XXE) injection vulnerabilities occur when the XML processor allows the attacker to control data loaded into the XML document as "external entities." Some XML processors support a feature called "external entities" that allows XML data to be loaded from a URI as part of the document. If the attacker can define the URI from which the data is loaded, they can manipulate the data that gets loaded into the XML document. Thus, the attacker can potentially load arbitrary files of their choosing from the server into the document and read them.

XML external entity injection vulnerabilities affect applications that use XML and have the "external entity" feature enabled in their XML parser.

Impact

The impact of XML external entity injection vulnerabilities is information disclosure. XXE injection allows the attacker to read arbitrary files that the XML parser can load into the document. The attacker might be able to leverage this vulnerability to read settings from configuration files. If configuration files contain plain-text passwords for the database or the application, the attacker might be able to compromise the application and/or the database server. In practice, leveraging XXE injection for access beyond reading files is non-trivial and requires additional vulnerabilities; the vulnerability is real, but escalating it is often impractical.

Countermeasures

To prevent XML external entity injection vulnerabilities, disable the "external entities" feature in the XML parser. The exact setting is parser-specific, so consult the documentation of the parser the application uses.

Application Check

To check for adequate protection against this vulnerability, verify that the "external entities" feature is disabled.
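The countermeasure and the application check above, as an added example that is not code from this article: a hardened loader built on Python's standard library SAX parser that switches off external general and parameter entities and, as a second layer, refuses any DOCTYPE, so no entity can be declared at all. The names `parse_untrusted`, `rejects`, `_RejectDTD` and `_Collector` are this example's own, and the documents it is run against are constructed for the check.

```python
import io
import xml.sax
from xml.sax import handler


class DoctypeRejected(ValueError):
    """Document carries a DOCTYPE; it is refused before its body is read."""


class _RejectDTD:
    # Lexical handler: expat reports a DOCTYPE here before reading its subset,
    # so no entity declaration is ever parsed, let alone resolved.
    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE %r refused (system id %r)" % (name, system_id))
    # The SAX reader wires these callbacks as well; they have nothing to do here.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


class _Collector(handler.ContentHandler):
    # Records element names and character data so the caller can inspect the result.
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []

    def startElement(self, name, attrs):
        self.tags.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_untrusted(data: bytes):
    """Parse XML from an untrusted source; returns (tags, text) or raises DoctypeRejected."""
    parser = xml.sax.make_parser()
    # The article's countermeasure: the "external entities" feature is switched off.
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, _RejectDTD())
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.tags, "".join(collector.text).strip()


def rejects(data: bytes) -> bool:
    """True when the hardened loader refuses the document (the application check)."""
    try:
        parse_untrusted(data)
    except DoctypeRejected:
        return True
    return False
```

A document without a DOCTYPE parses normally; one that declares an external entity, with a placeholder path in place of any real file, is refused before the declaration is read.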
