XML external entity attack

An XML External Entity (XXE) attack[1][2] is a type of computer security vulnerability typically found in Web applications. XXE enables attackers to disclose normally protected files from a server or connected network.

The XML standard includes the idea of an external general parsed entity (an external entity). During parsing of the XML document, the parser will expand these links and include the content of the URI in the returned XML document.

Example external entity attack:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ 
    <!ENTITY xxeattack SYSTEM "file:///etc/passwd"> 
]>
<xxx>&xxeattack;</xxx>

See also

References


This article is issued from Wikipedia - version of the 4/14/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.