XML external entity injections are a type of vulnerability that has become very popular in recent years, in fact it is now part of the OWASP Top 10 at point A4. Basically it is a type of attack against an application that parses the XML inputs. Broadly speaking, Document Type Definition and DTDs are used to define the structure of an XML document and within them XML entities can be declared.
There are different types of XML attacks which would be:
▸XXE In-Band: Creation of an entity by accessing the URI and returning the content in the response.
▸XXE Out-Of-Band: Creation of an entity accessing the URI and exfiltrating this data externally, either by DNS, FTP, HTTP, etc.
The impacts that these vulnerabilities can give can be very dangerous and that is why they are in the Top 10 OWASP vulnerabilities.
Critical information leak: As it is possible to access local content, the attacker can filter the information of a file either through a response from the server or an FTP connection by sending requests with its content. In this way, the attacker will obtain, for example, the users used on the server that parses the XML content.
Credential leak: By being able to filtrate information from files, the attacker can choose to go for known files with credentials, either / etc / shadow or a private key in the ssh directory.
Denial of service: There are different methods to do a denial of service in the system, one of them is the recursive repetition of system calls.
Related topics:
PHP Vulnerabilities and risks
SQL Injection – How these attacks can affect us
