XML external entity attack

From Wikipedia, the free encyclopedia

An XML External Entity (XXE) attack[1][2] is a type of computer security vulnerability typically found in Web applications. XXE enables attackers to disclose normally protected files from a server or connected network.

The XML standard includes the concept of an external general parsed entity (an external entity): an entity whose replacement text is not given inline but is identified by a URI. When the parser processes a document that references such an entity, it expands the reference by fetching the resource at that URI and substituting its content into the parsed document.

The Open Web Application Security Project (OWASP) listed XML External Entity attacks as 4th on their 2017 Top 10 Web Security Risks.[3] The risk rating is a combination of likelihood and impact, not necessarily how commonly this vulnerability has been exploited.[4] The previous OWASP Top 10, which came out in 2014, did not include XXE.

Example external entity attack:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [
    <!ENTITY xxeattack SYSTEM "file:///etc/passwd">
]>
<test>&xxeattack;</test>
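A parser-side guard against this, added here as an example that is not part of the article: it uses Python's standard-library expat bindings to refuse any document that declares a SYSTEM or PUBLIC entity, checked at declaration time so the entity reference is never expanded. Both sample documents are constructed for the example (the first is the attack document above).

```python
"""Reject XML that declares external entities before anything is expanded.
Standard-library expat only; both sample documents below are constructed."""
import xml.parsers.expat

XXE_DOC = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [
    <!ENTITY xxeattack SYSTEM "file:///etc/passwd">
]>
<test>&xxeattack;</test>
"""

BENIGN_DOC = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY greeting "hello"> ]>
<test>&greeting;</test>
"""


class ExternalEntityError(ValueError):
    """Raised when the document declares a SYSTEM or PUBLIC entity."""


def check_no_external_entities(data: bytes) -> bool:
    """Parse `data`; return True if it declares no external entities.

    The check fires in expat's entity-declaration callback, i.e. while the
    DTD is read and before a reference such as &xxeattack; in the body
    could be resolved, so nothing is read from disk or the network.
    """
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities have a literal value and no identifier;
        # external ones carry a SYSTEM and/or PUBLIC identifier instead.
        if system_id is not None or public_id is not None:
            raise ExternalEntityError(
                f"external entity {name!r} -> {system_id or public_id!r}")

    parser.EntityDeclHandler = entity_decl
    # A handler exception propagates out of Parse(), aborting the parse.
    parser.Parse(data, True)
    return True


def is_safe_to_parse(data: bytes) -> bool:
    """True for documents with only internal entities, False otherwise."""
    try:
        return check_no_external_entities(data)
    except ExternalEntityError:
        return False
```

Rejecting any DOCTYPE at all (via expat's StartDoctypeDeclHandler) is the stricter option when the application never needs a DTD.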

See also