DerScanner
Home / Vulnerability Database / JavaScript : XML external entity (XXE) injection
JavaScript

JavaScript : XML external entity (XXE) injection

Classification

OWASP Top 10 2013
A1-Injection
OWASP Top 10 2017
A1-InjectionA4-XML External Entities (XXE)
OWASP Top 10 2021
A3-InjectionA5-Security Misconfiguration
OWASP ASVS
Validation, Sanitization and EncodingValidation, Sanitization and EncodingValidation, Sanitization and Encoding
PCI DSS 4.0
6.2.4
CWE
CWE-611CWE-1027
CWE/SANS Top 25 2021
CWE-611

Overview

XXE (XML eXternal Entity) attack is possible. An attacker can cause failures in the application work or gain access to sensitive data.

XML provides a mechanism to enable including third-party files’ content into the file via the entity mechanism defined in the DTD (Document Type Definitions). If the external entity is defined in the XML header, the developer is able to use its contents in XML file. Herein validation of external entities at XML parsing phase is not performed.

If the application works with the XML file received from an untrusted source (for example, from the data entered by a user), the attacker is able to inject malicious or not provided by the application external entity into the XML file, and thus disrupt the functionality of the application.

References

  1. OWASP Top 10 2017-A1-Injection
  2. OWASP: Testing for XML Injection
  3. How we got read access on Google’s production servers – blog.detectify.com
  4. Identifying Xml eXternal Entity vulnerability (XXE) – Philippe Arteau / blog.h3xstream.com
  5. CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
CRITICAL

DerScanner Severity Score

Do you want to fix JavaScript : XML external entity (XXE) injection in your application?

See also

JavaScript

JavaScript : Null salt

JavaScript

JavaScript : Empty encryption key

JavaScript

JavaScript : Unsafe Azure access control