DerScanner
Home / Vulnerability Database / C or C++ : XML external entity (XXE injection)
C/C++

C or C++ : XML external entity (XXE injection)

Classification

OWASP Mobile Top 10 2014
M7-Client Side Injection
OWASP ASVS
Validation, Sanitization and EncodingValidation, Sanitization and EncodingValidation, Sanitization and Encoding
PCI DSS 4.0
6.2.4
CWE
CWE-611
CWE/SANS Top 25 2021
CWE-611

Overview

XXE (XML eXternal Entity) attack is possible. An attacker can cause failures in the application work or gain access to sensitive data.

XML provides a mechanism to enable including third-party files’ content into the file via the entity mechanism defined in the DTD (Document Type Definitions). If an external entity is defined in the XML header, the developer is able to use its contents in XML file. Herein validation of external entities at XML parsing phase is not performed.

If the application works with the XML file received from an untrusted source (e.g., user input), an attacker is able to inject malicious or not provided by the application external entity into the XML file, and thus disrupt the functionality of the application.

References

  1. OWASP: Testing for XML Injection
  2. How we got read access on Google’s production servers - blog.detectify.com
  3. Identifying Xml eXternal Entity vulnerability (XXE) - Philippe Arteau / blog.h3xstream.com
CRITICAL

DerScanner Severity Score

Do you want to fix C or C++ : XML external entity (XXE injection) in your application?

See also

C/C++

C or C++ : Dead store

C/C++

C or C++ : Use after free

C/C++

C or C++ : va_list uninitialized