Research on XML eXternal Entity Injection (XXE) - Cyber Sapiens Internship Task 10

What is XXE?

An XML External Entity (XXE) attack (sometimes called an XXE injection attack) is a type of attack that abuses a widely available but rarely used feature of XML parsers.

What are Entities?

An entity is a piece of XML content that is defined once and can be reused again and again within a document by referencing it. It is a sort of symbolic representation of information.

Why XXE Occurs?

XXE occurs because the XML parser is able to resolve external entities: it retrieves whatever resource the entity's URI points to, whether a file on the local system or content from anywhere on the internet, and substitutes it into the document.

Types of Attacks via XXE?

1. LFI via XXE: An attacker can make the following request using a URI (known in XML as the system identifier). If the XML parser is configured to process external entities (by default, many popular XML parsers are configured to do so), the web server will return the contents of a file on the system, potentially containing sensitive data.

LFI via XXE
DoS via XXE

Types of XXE:

There are basically two types of XXE:

How to mitigate XXE?

Virtually all XXE vulnerabilities arise because the application’s XML parsing library supports potentially dangerous XML features that the application does not need or intend to use. The easiest and most effective way to prevent XXE attacks is to disable those features.
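As an added example (not code from the original article), the following shows the mitigation above in Python's standard-library SAX parser: the same document is parsed once with external general entities enabled (the vulnerable configuration) and once with the feature disabled, plus a coarse pre-parse check that rejects any document carrying a DOCTYPE. The temp file, the document and the handler names are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

class TextCollector(ContentHandler):
    """Collects the character data the parser reports for every element."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

def parse_text(xml_bytes, allow_external_entities):
    """Parse a document and return its text. The flag is the SAX feature
    that decides whether SYSTEM (external general) entities are fetched."""
    parser = xml.sax.make_parser()
    # feature_external_ges is the dangerous feature the mitigation disables.
    parser.setFeature(feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()

def has_doctype(xml_bytes):
    """Defence in depth: an XXE payload needs a DTD, so input that carries a
    DOCTYPE can be rejected before the parser ever sees it (coarse check)."""
    return b"<!DOCTYPE" in xml_bytes

def demo():
    """Constructed scenario: a temp file stands in for the sensitive file.
    Returns the text the vulnerable and the hardened parser each produce."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("constructed-secret\n")
        secret_path = fh.name
    try:
        uri = Path(secret_path).as_uri().encode()
        xxe_doc = (b'<?xml version="1.0"?>\n'
                   b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "' + uri + b'">]>\n'
                   b'<data>&xxe;</data>')
        return (parse_text(xxe_doc, True), parse_text(xxe_doc, False))
    finally:
        os.unlink(secret_path)

if __name__ == "__main__":
    print(demo())  # ('constructed-secret', '')
```

With the feature disabled the entity reference expands to nothing, which is why the hardened result is an empty string rather than the file's contents.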

References:

https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/

Profile Links:

Twitter: https://twitter.com/PrajitSindhkar?s=08

Prajit Sindhkar

I am an India-based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community