Details
Alert ID 90023
Alert Type Active
Status release
Risk High
CWE 611
WASC 43
Technologies Targeted All
Tags CWE-611
OUT_OF_BAND
OWASP_2017_A04
OWASP_2021_A03
POLICY_API
POLICY_DEV_CICD
POLICY_DEV_FULL
POLICY_DEV_STD
POLICY_QA_FULL
POLICY_QA_STD
POLICY_SEQUENCE
WSTG-V42-INPV-07
More Info Scan Rule Help

Summary

This technique takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to an URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data, alternate referrals or may compromise the security of the data the server/XML application has access to. Attackers may also use External Entities to have the web services server download malicious code or content to the server for use in secondary or follow on attacks.

Solution

XML External Entities vulnerabilities arise because the application's XML parsing library supports potentially dangerous XML features. To prevent XML External Entities vulnerabilities disable the resolution of external entities and the support for XInclude.

Other Info

References

Code

org/zaproxy/zap/extension/ascanrules/XxeScanRule.java