What is an XXE (XML External Entity) attack?
Any application that parses XML input can become prey to an XXE (XML External Entity) attack. A weakly configured XML parser is especially vulnerable, because it becomes open to this threat when it processes XML input containing a reference to an external entity. An XXE attack can leak confidential data, cause a DOS (denial of service), enable port scanning from the machine hosting the parser, and lead to server-side request forgery, all with severe impact. The XML 1.0 standard defines the term ‘entity’ as a storage unit of a particular type.
Entities come in several types, such as parsed, parameter and external general entities; an external general entity (abbreviated ‘external entity’) can dereference (access) remote or local content through a system identifier. While processing the external entity, the XML processor accesses the URL/URI given in that identifier. The XML processor then substitutes every occurrence of the named external entity with the content retrieved through the system identifier. If the system identifier contains tainted data, the XML processor can reveal confidential information after dereferencing it. Usually this sensitive information is not accessible to the application, but the attack exposes it. Similar external resource injection attacks are possible wherever external stylesheets, schemas, DTDs (Document Type Definitions), etc. are used.
The attack can compromise and reveal local files holding sensitive data, such as a user’s private data or passwords, by using relative paths or file schemes in the system identifier. A hacker can use the trusted application to pivot to other internal systems, possibly exposing further confidential content, by initiating a CSRF attack against any one of the insecure internal services or through HTTP(S) requests.
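The defence the text implies is to refuse DTD and entity declarations before a parser ever gets the chance to dereference a system identifier. The following is an added example, not code from the original post: it walks an untrusted document with Python's standard expat bindings (without resolving anything), records any DOCTYPE, internal entity or external entity declaration, and only then hands the document to ElementTree. The sample documents and the `file:///example/secret.txt` path are constructed placeholders.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when an untrusted document declares a DTD or any entity."""


def inspect_dtd(xml_bytes: bytes) -> dict:
    """Record DTD/entity declarations in the document without resolving them.

    Returns {"doctype": bool, "entities": [names], "external": [(name, system_id)]}.
    External entities (those carrying a SYSTEM or PUBLIC identifier) are the
    ones an XXE attack relies on; internal entities are flagged too, since
    they enable entity-expansion denial of service.
    """
    found = {"doctype": False, "entities": [], "external": []}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        found["doctype"] = True

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        found["entities"].append(name)
        if system_id is not None or public_id is not None:
            found["external"].append((name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Never fetch an external DTD or parameter entity while inspecting.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)
    return found


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse only documents that declare no DTD and no entities at all."""
    info = inspect_dtd(xml_bytes)
    if info["doctype"] or info["entities"]:
        raise UnsafeXML(f"DTD/entity declarations rejected: {info}")
    return ET.fromstring(xml_bytes)


# Constructed samples: one benign document and one with an external entity.
BENIGN = b'<?xml version="1.0"?><data><item>hello</item></data>'
XXE_SAMPLE = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE data [ <!ENTITY ext SYSTEM "file:///example/secret.txt"> ]>\n'
              b'<data>&ext;</data>')
```

`inspect_dtd` is deliberately separate from `parse_untrusted` so the same check can feed a detection log (which entities were declared and what they pointed at) rather than only blocking the request.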