XML injection (XXE)
Description
It is possible to inject XML code into the requests the application processes, and the server's XML parser then interprets that code. This could allow an attacker to exfiltrate data or execute commands remotely.
Impact
An attacker can perform various attacks that compromise the confidentiality, integrity and availability of the system.
Recommendation
Validate the information the application receives and sends against white lists (allow lists), discarding any input that is not explicitly permitted.
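As an added example (not code from the original page), the following Python function applies the recommendation at the parser level using only the standard-library expat bindings: instead of trying to filter XML text, it refuses any document that carries a DOCTYPE, an entity declaration or an external entity reference before the parser has a chance to expand them, and never fetches external DTDs. The sample documents, the `Node` class and the helper names are constructed for this illustration.

```python
"""Hardened XML parsing with xml.parsers.expat (added example, not the page's code).

Untrusted XML is parsed with handlers that raise on the features behind XXE and
entity-expansion attacks: DOCTYPE, entity declarations and external entity refs.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML uses a feature we never want to process."""


class Node:
    """Minimal element tree: tag, attributes, concatenated text and children."""

    def __init__(self, tag, attrs):
        self.tag = tag
        self.attrs = attrs
        self.text = ""
        self.children = []


def parse_untrusted_xml(data: str) -> Node:
    """Parse XML from an untrusted source into a Node tree, or raise UnsafeXMLError."""
    parser = xml.parsers.expat.ParserCreate()
    # Never load external parameter entities or external DTD subsets.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Each handler fires before the offending construct is acted upon, so
    # raising here aborts the parse with nothing expanded or fetched.
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root {name!r})")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed ({name!r})")

    def forbid_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference not allowed ({sysid!r})")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref

    root = None
    stack = []

    def start(tag, attrs):
        nonlocal root
        node = Node(tag, attrs)
        if stack:
            stack[-1].children.append(node)
        else:
            root = node
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(text):
        # Expat may deliver one text run in several chunks; append them all.
        if stack:
            stack[-1].text += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return root


def is_rejected(data: str) -> bool:
    """True if the hardened parser refuses the document, False if it parses."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample documents for the demonstration.
BENIGN = '<?xml version="1.0"?><order id="42"><item>widget</item></order>'
WITH_EXTERNAL_ENTITY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/never/read">]>'
    "<order>&ext;</order>"
)
WITH_INTERNAL_ENTITY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    "<order>&b;</order>"
)

if __name__ == "__main__":
    tree = parse_untrusted_xml(BENIGN)
    print("benign:", tree.tag, tree.attrs, tree.children[0].text)
    for label, doc in (("external entity", WITH_EXTERNAL_ENTITY),
                       ("internal entity expansion", WITH_INTERNAL_ENTITY)):
        print(f"{label}: rejected={is_rejected(doc)}")
```

The same idea applies to the parsers named in the rules below: whichever library is used, disable DTD processing and external entity resolution at the parser configuration rather than trying to recognise hostile XML in the request body.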
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⏱️ 60 minutes.
Requirements
173 - Discard unsafe inputs
Rules
Java Saxbuilder Xxe Insecure Setup
Java External Entities Enabled
Java Xml Validator Xxe Insecure Setup
Java Xxe Insecure Validator Dom4j
Typescript Xml External Entity
Java Xml External Entity Injection
Python Xxe Via Resolve Entities
Java External Entities Enabled Xmlstream
Typescript Noent True Allows Xxe
Php Xxe Entity Expansion Enabled
Kotlin Xxe Unprotected Xml Parser
C Sharp Xxe Dtdprocessing Parse
C Sharp Xxe Resolver Usage
Java Xslt Processor Insecure Config
Javascript Noent True Allows Xxe
Java Transformer Factory Insecure Setup
Scala Xxe Via Inputfactory
C Sharp External Entity In Xslt
C Sharp Schema By Url