XML External Entity (XXE) Injection Analyzer
Configuration Name: XXEInjection
Description
The XML External Entity (XXE) Injection Analyzer detects XXE injection vulnerabilities in an API by issuing requests that contain XML External Entity attack vectors targeting the API's XML parser. The analyzer only performs checks for SOAP APIs.
An application is vulnerable to XML External Entity injection if its XML parser resolves external entities or supports XInclude. An attacker exploits this weakness by sending such attack vectors in a request. OWASP classifies Injection as #8 in its 2019 API Security Top 10 (API8:2019).
Configuration Parameters
The XXEInjection analyzer has one optional configuration parameter that may be specified when using the analyzer in a configuration. By default, the analyzer only sends attacks in request fields of string type. Optionally, attacks may be sent in all fields, regardless of type.
allFields (boolean): When true, attack vectors are sent in all input fields.
Example Configuration
```yaml
testProfile:
  analyzers:
    - kind: XXEInjection
      allFields: false
```
Faults Reported
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| CWE-611 | Improper Restriction of XML External Entity Reference | The application processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. | The application should configure its XML parser to disable resolution of external entities and to disable support for XInclude. | high |
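As an added illustration of the CWE-611 solution above (example code, not part of this analyzer's documentation or product), the following hardened SOAP entry point uses Python's standard-library expat parser to refuse any DOCTYPE, never resolve external or parameter entities, and reject XInclude elements; the names `parse_hardened`, `check_soap_request` and `soap`, and the sample envelopes, are constructed for this example.

```python
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

class UnsafeXMLError(ValueError):
    """The document asked for a parser feature the hardened parser forbids."""

def parse_hardened(xml_bytes: bytes) -> list:
    """Parse with expat and return the local names of all elements seen. Refuses any
    DOCTYPE (so no entity can be declared), external/parameter entities and XInclude."""
    parser = expat.ParserCreate(namespace_separator=" ")
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    seen = []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed")
    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity {sysid!r} not resolved")
    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")  # expat gives "uri local" or bare "local"
        if ns == XINCLUDE_NS:
            raise UnsafeXMLError(f"XInclude element <{local}> not allowed")
        seen.append(local)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate out of Parse()
    return seen

def check_soap_request(xml_bytes: bytes) -> str:
    """Gate one inbound request: 'accepted' or 'rejected: <reason>'."""
    try:
        tags = parse_hardened(xml_bytes)
    except (UnsafeXMLError, expat.ExpatError) as exc:
        return f"rejected: {exc}"
    if not tags or tags[0] != "Envelope":
        return "rejected: not a SOAP envelope"
    return "accepted"

def soap(body: bytes, prolog: bytes = b"") -> bytes:
    """Wrap BODY in a constructed SOAP 1.1 envelope (sample data, not real traffic)."""
    return (b'<?xml version="1.0"?>' + prolog
            + b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            + b'<soap:Body>' + body + b'</soap:Body></soap:Envelope>')

BENIGN_SOAP = soap(b'<GetUser><id>42</id></GetUser>')
XXE_SOAP = soap(b'<GetUser><id>&xxe;</id></GetUser>',
                prolog=b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>')
XINCLUDE_SOAP = soap(b'<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="x.xml"/>')
```

Rejecting the DOCTYPE outright is stricter than only disabling external entity resolution, but it also closes internal-entity expansion attacks on the same parser.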