Summary

Netsparker detected an XML External Entity (XXE) injection that caused the target to make DNS request(s) to Netsparker Hawk, Netsparker's out-of-band detection service. XXE is an attack against an application that parses XML input: the attacker supplies a document whose DTD declares an entity that points at an external resource, and a weakly configured parser fetches that resource on the attacker's behalf.

Impact
This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. Because the parser fetches the referenced resource from inside the application, it may lead to the disclosure of confidential data (for example local files), denial of service, server-side request forgery, and port scanning from the perspective of the machine where the parser is located.

To confirm the issue, Netsparker injected an entity that resolves to a hostname it controls and received the resulting DNS request at Netsparker Hawk. This proves that the target's parser resolves attacker-supplied external entities, even if nothing from the resolved entity is reflected in the response.

Remediation

The fix is to configure the XML parser so that it does not resolve external entities and, wherever the application does not need them, does not process DTDs at all. The following snippets show the relevant settings for commonly used languages and libraries:

  • StAX and XMLInputFactory

    Set the javax.xml.stream.isSupportingExternalEntities property to false so that external entities are not resolved. Setting javax.xml.stream.supportDTD to false as well disables DTD processing entirely, which is the safer choice when the application has no need for DTDs.
    
  • .NET 3.5

    // .NET 2.0 to 3.5: disallow DTDs, which is where external entities are declared
    XmlReaderSettings settings = new XmlReaderSettings();
    settings.ProhibitDtd = true;
    XmlReader reader = XmlReader.Create(stream, settings);
    
  • .NET 4.0

    // .NET 4.0 and later: ProhibitDtd is obsolete, DtdProcessing replaces it
    XmlReaderSettings settings = new XmlReaderSettings();
    settings.DtdProcessing = DtdProcessing.Prohibit;
    XmlReader reader = XmlReader.Create(stream, settings);

    These settings only apply to readers created from that XmlReaderSettings object. XmlDocument and XmlTextReader have their own XmlResolver property and, in frameworks before .NET 4.5.2, use an XmlUrlResolver by default, so set XmlResolver to null on those as well.
    
  • PHP

    libxml_disable_entity_loader(true);

    This call is process-wide and is deprecated as of PHP 8.0.0, because libxml 2.9.0 and later no longer load external entities unless LIBXML_NOENT is passed explicitly. On current versions the effective remediation is to never pass LIBXML_NOENT to simplexml_load_string(), DOMDocument::loadXML() and similar loaders when the input is untrusted.
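
As an added example that is not part of the Netsparker page, the following script reproduces the weak-versus-hardened contrast above using Python's standard-library SAX parser rather than one of the libraries listed. Its feature_external_ges switch plays the same role as the Java, .NET and PHP settings in the Remediation section, and the payload is the same shape as the one described under Impact. The secret file, the payloads and the host name probe.example.invalid are constructed for the example; that host stands in for an out-of-band collaborator such as Netsparker Hawk and is only ever parsed with the hardened configuration, so the script makes no network requests.

```python
"""Added example: XXE against Python's stdlib SAX parser, weak vs hardened.

Constructed payloads stand in for Netsparker's probe. A local temp file plays
the role of the data an attacker wants to read, so everything runs offline.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data that ends up inside <data>...</data>."""

    def __init__(self):
        super().__init__()
        self.in_data = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "data":
            self.in_data = True

    def endElement(self, name):
        if name == "data":
            self.in_data = False

    def characters(self, content):
        if self.in_data:
            self.parts.append(content)


def parse_untrusted_xml(payload: bytes, resolve_external_entities: bool) -> str:
    """Parse XML and return the text of <data>.

    resolve_external_entities=True reproduces the weakly configured parser
    (Python's SAX default before 3.7.1); False is the hardened configuration.
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    # feature_external_ges controls resolution of external *general* entities,
    # i.e. exactly the <!ENTITY xxe SYSTEM "..."> construct XXE relies on.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(payload))
    return "".join(collector.parts)


def xxe_payload(system_id: str) -> bytes:
    """Constructed XXE payload: a DTD-declared entity pointing at system_id."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "{system_id}"> ]>\n'
        "<doc><data>&xxe;</data></doc>\n"
    ).encode()


def run_demo() -> dict:
    """Return what each parser configuration disclosed for each payload."""
    # Constructed secret: a temp file stands in for a sensitive local file.
    fd, secret_path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("s3cr3t-value")
    try:
        file_payload = xxe_payload(secret_path)
        # Hypothetical collaborator host, the same shape as an OOB DNS probe.
        # It is deliberately parsed only with the hardened configuration.
        oob_payload = xxe_payload("http://probe.example.invalid/xxe")
        results = {
            # Weak parser fetches the file and inlines it into <data>.
            "weak_file": parse_untrusted_xml(file_payload, True),
            # Hardened parser leaves the entity unresolved: empty text.
            "hardened_file": parse_untrusted_xml(file_payload, False),
            # Hardened parser never performs the lookup the probe relies on.
            "hardened_oob": parse_untrusted_xml(oob_payload, False),
        }
    finally:
        os.unlink(secret_path)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Running the script shows the weak configuration returning the file contents while both hardened parses return an empty string. The one combination it does not run, the weak configuration with the OOB payload, is the case Netsparker exercises: the parser would resolve the host name, and that DNS lookup is what Netsparker Hawk observes.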
    
Classifications
PCI v3.1-6.5.1, PCI v3.2-6.5.1, CAPEC-376, WASC-43, OWASP 2013-A1, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H