C-sharp : XML external entity (XXE) injection
Classification
OWASP Top 10 2013: A1-Injection
OWASP Top 10 2017: A1-Injection; A4-XML External Entities (XXE)
OWASP Top 10 2021: A3-Injection; A5-Security Misconfiguration
OWASP ASVS: Validation, Sanitization and Encoding
PCI DSS 4.0: 6.2.4
CWE: CWE-611; CWE-1027
CWE/SANS Top 25 2021: CWE-611
Overview
An XXE (XML eXternal Entity) attack is possible. An attacker can disrupt the application's operation or gain access to sensitive data.
XML provides a mechanism for including the content of third-party files in a document through entities declared in the DTD (Document Type Definition). If an external entity is declared in the XML header, the developer can use its content anywhere in the XML file; the parser does not validate external entities at parsing time.
If the application processes an XML file received from an untrusted source (for example, one built from data entered by a user), the attacker can inject into it a malicious external entity, or one the application never intended to accept, and thus disrupt the functionality of the application.
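The mechanism described above, shown in C# as an added example that is not part of the original page: the same document, carrying a DTD with an external entity, is parsed once with DTD processing enabled and once with the hardened XmlReaderSettings that should be used for untrusted input. The file path and its content are constructed placeholders created by the example itself.

```csharp
using System;
using System.IO;
using System.Xml;

class XxeDemo
{
    static void Main()
    {
        // Constructed sample: a local file standing in for data the
        // application never meant to expose. Path and content are placeholders.
        string secretPath = Path.Combine(Path.GetTempPath(), "xxe-demo-placeholder.txt");
        File.WriteAllText(secretPath, "placeholder-secret");
        string fileUri = new Uri(secretPath).AbsoluteUri;

        // Untrusted XML whose DTD declares an entity referring to that file.
        string untrustedXml =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE order [<!ENTITY ext SYSTEM \"" + fileUri + "\">]>\n" +
            "<order><note>&ext;</note></order>";

        // Vulnerable configuration: the DTD is parsed and external references
        // are resolved, so the file's contents end up inside the document.
        var unsafeSettings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        Console.WriteLine("unsafe: " + ReadNote(untrustedXml, unsafeSettings));

        // Hardened configuration: any DOCTYPE is rejected and no resolver
        // exists that could fetch an external resource.
        var safeSettings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        try { Console.WriteLine("safe: " + ReadNote(untrustedXml, safeSettings)); }
        catch (XmlException ex) { Console.WriteLine("safe: rejected (" + ex.Message + ")"); }
    }

    // Reads the text of the first <note> element with the given settings.
    static string ReadNote(string xml, XmlReaderSettings settings)
    {
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            reader.ReadToFollowing("note"); // throws XmlException under Prohibit
            return reader.ReadElementContentAsString();
        }
    }
}
```

With the hardened settings the XmlException is raised on the first Read that reaches the DOCTYPE, before any entity is expanded, which is the check to keep in place for every parser that handles externally supplied XML.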