JavaScript noent true allows XXE
Description
Detects JavaScript code that configures an XML parser with entity substitution enabled, which exposes the application to XXE (XML External Entity) attacks. In libxmljs the option noent: true tells the underlying libxml2 parser to substitute entity references, so an attacker who controls the XML input can declare external entities in a DTD and have the parser resolve them: reading local files into the document (information disclosure), making the server fetch attacker-chosen URLs (server-side request forgery), or expanding nested entities until memory and CPU are exhausted (denial of service).
Detection Strategy
• Identifies JavaScript XML parser configurations and initialization calls
• Checks if the XML parser options include 'noent' parameter set to true
• Reports a vulnerability when XML parsing is configured to process external entities
• Focuses on common XML parsing libraries and their configuration objects
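As an added example (this is not Fluid Attacks' rule implementation and not libxmljs code), the following stand-alone script carries out the detection strategy above: it scans JavaScript source text for parser option objects that set noent to true, reports the line, ignores commented-out options and treats noent: false as safe. The sample sources, the regular expression and the function names are this example's own assumptions.

```javascript
// Added example, not Fluid Attacks' detector: a minimal scanner that flags
// JavaScript source where an XML parser option object sets `noent` to true.
// All sample sources below are constructed for this example.

// Matches `noent: true`, `"noent": false`, `'noent' : true` inside an object literal.
// The lookbehind stops `xnoent:` from matching; \1 forces matching quote styles.
const NOENT_OPTION_RE = /(?<![\w$])(['"]?)noent\1\s*:\s*(true|false)\b/g;

// Drop a trailing `// ...` line comment so commented-out options are not flagged.
// (Assumption: no `//` inside string literals on the same line.)
function stripLineComment(line) {
  return line.replace(/\/\/.*$/, "");
}

// Scan one file's text; return a finding for every `noent` set to true.
function findNoentTrue(source) {
  const findings = [];
  source.split("\n").forEach((rawLine, index) => {
    const line = stripLineComment(rawLine);
    let match;
    NOENT_OPTION_RE.lastIndex = 0;
    while ((match = NOENT_OPTION_RE.exec(line)) !== null) {
      if (match[2] === "true") {
        findings.push({ line: index + 1, snippet: rawLine.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: the vulnerable pattern described on this page.
const VULNERABLE_SOURCE = [
  'const libxmljs = require("libxmljs");',
  "function parseXML(xmlInput) {",
  "  const config = {",
  "    noent: true // Vulnerable: enables external entity expansion",
  "  };",
  "  return libxmljs.parseXml(xmlInput, config);",
  "}",
].join("\n");

// Constructed sample: options passed inline, with a quoted key.
const INLINE_SOURCE =
  'const doc = libxmljs.parseXml(body, { "noent": true, noblanks: true });';

// Constructed sample: safe configuration plus a commented-out unsafe one.
const SAFE_SOURCE = [
  'const libxmljs = require("libxmljs");',
  "// noent: true  <- removed during review",
  "const doc = libxmljs.parseXml(body, { noent: false, noblanks: true });",
].join("\n");

// Stand-alone run: print each finding in name:line form.
for (const [name, src] of Object.entries({ VULNERABLE_SOURCE, INLINE_SOURCE, SAFE_SOURCE })) {
  for (const f of findNoentTrue(src)) {
    console.log(`${name}:${f.line}: noent set to true -> ${f.snippet}`);
  }
}
```

Run it with node. The check is purely textual: an option built from a variable (noent: allowEntities) or spread in from another object is not seen, and that is where a real detector needs data-flow analysis rather than a pattern match.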
Vulnerable code example
const libxmljs = require("libxmljs");
function parseXML(xmlInput) {
  const config = {
    noent: true // Vulnerable: enables external entity expansion
  };
  // Vulnerable: processes external entities due to noent: true
  return libxmljs.parseXml(xmlInput, config);
}
Secure code example
const libxmljs = require("libxmljs");
function parseXML(xmlInput) {
  const config = {
    noent: false, // Safe: explicitly disable external entity expansion
    noblanks: true // Optional: removes blank nodes
  };
  // Safe: entity references are left unexpanded
  return libxmljs.parseXml(xmlInput, config);
}