XXE Injection


Description

The application is vulnerable to XXE injection. The XML standard defines entities, which allow an XML parser to retrieve local or remote content through a declared system identifier. An improperly configured XML parser lets an attacker use XXE injection to define entities that are external to the current XML document. Allowing an attacker to control the source of the content loaded into the XML document can lead to a number of attacks, including the disclosure of sensitive information.
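The misconfiguration described above, as an added example that is not part of this database entry: a Python check that parses a constructed document whose entity system identifier points at a throwaway canary file, once with a parser that follows system identifiers and once with a hardened one that does not. The names unsafe_parser, safe_parser, parse_text and resolves_external_entities, and the canary text, are assumptions of this example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed marker written to a throwaway file; it stands in for the local
# resource a SYSTEM identifier could point at and is not sensitive data.
CANARY = "canary-text-from-disk"

class _Collector(ContentHandler):
    """Accumulates character data from the parsed document."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

def unsafe_parser():
    """Parser that follows SYSTEM identifiers: the misconfiguration behind XXE."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    return parser

def safe_parser():
    """Hardened parser: external general entities are declared but never fetched."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    return parser

def parse_text(parser, xml_bytes):
    """Parse xml_bytes with the given parser and return its character data."""
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)

def resolves_external_entities(make_parser):
    """True if the parser built by make_parser() reads the canary file's text."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(CANARY)
        path = f.name
    try:
        doc = ('<?xml version="1.0"?>'
               f'<!DOCTYPE data [<!ENTITY ext SYSTEM "{path}">]>'
               '<data>&ext;</data>').encode()
        return CANARY in parse_text(make_parser(), doc)
    finally:
        os.unlink(path)
```

Run the check against every parser factory an application uses; any configuration for which it returns True needs the same feature disabled (or DOCTYPE declarations rejected outright) before it touches untrusted XML.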

Impact

XXE injection is a serious vulnerability that allows attackers to access files and directories outside the XML document. With arbitrary access to the file system, an attacker can read configuration data, passwords, log files, source code, intellectual property, or system files. Besides the disclosure of sensitive data, this attack may lead to a denial of service, enable malicious code execution, or allow the attacker to conduct a port scan from the perspective of the machine where the parser is located.

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References

Subscribe here in order to gain access to the AppSec Findings Database
