XML External Entity

critical Web App Scanning Plugin ID 98113

Language:

Synopsis

XML External Entity

Description

An XML External Entity attack is a type of attack against an application that parses XML input.

This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Solution

Since the whole XML document is communicated from an untrusted client, it's not usually possible to selectively validate or escape tainted data within the system identifier in the DTD.
Therefore, the XML processor should be configured to use a local static DTD and disallow any declared DTD included in the XML document.

See Also

https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html

Plugin Details

Severity: Critical

ID: 98113

Type: remote

Family: Injection

Published: 3/31/2017

Updated: 4/8/2022

Scan Template: api, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 611

OWASP: 2010-A1, 2013-A1, 2017-A4, 2021-A5

WASC: XML External Entities

CAPEC: 221

DISA STIG: APSC-DV-002550

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-5.5.2

PCI-DSS: 3.2-6.5.1