An attacker creates an XML document that contains an external entity reference. External entity references can take the form of <!ENTITY name SYSTEM "uri"> declarations in a DTD. Because processors may not validate documents that declare external entities, there may be no check on the nature of the resource the external entity points to. This can allow an attacker to open arbitrary files or connections.
Survey the target: Using a browser or an automated tool, an attacker records all instances of web services that process XML requests.
Use an automated tool to record all instances of URLs that process XML requests.
Use a browser to manually explore the website and analyze how the application processes XML requests.
Launch an XML Entity Blowup attack: The attacker crafts a malicious XML message that contains references to sensitive files.
Send the maliciously crafted XML message containing the reference to a sensitive file to the target URL.
The target must follow external entity references without validating the reference target.
Typical Likelihood of Exploit
Methods of Attack
The following DTD would attempt to open the /dev/tty device:
<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>
A malicious actor could use this crafted DTD to reveal sensitive information.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To send XML messages with maliciously crafted DTDs.
None: No specialized resources are required to execute this type of attack.
Solutions and Mitigations
Configure the XML processor to only retrieve external entities from trusted sources.
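One way to apply that mitigation, as an added example that is not CAPEC text or any vendor's code: a standard-library Python reader that resolves external general entities only when their SYSTEM identifier is on an allowlist, so the /dev/tty DTD shown above is refused instead of being opened. The TRUSTED_ENTITIES store and its https://trusted.example.org URI are constructed for the example.

```python
"""Added example: parse XML while resolving external entities only from
trusted sources.  Uses only xml.parsers.expat from the standard library."""
import xml.parsers.expat as expat

# Constructed stand-in for a vetted, pre-fetched entity store keyed by URI.
# A real deployment decides its own trusted sources; this URI is an assumption.
TRUSTED_ENTITIES = {
    "https://trusted.example.org/footer.xml": b"<footer>company boilerplate</footer>",
}


class UntrustedEntityError(Exception):
    """The document referenced an external entity outside the allowlist."""


def parse_with_trusted_entities(xml_bytes: bytes) -> str:
    """Parse xml_bytes and return its concatenated character data.

    An external entity such as <!ENTITY ent SYSTEM "file:///dev/tty"> is never
    opened: the reference aborts the parse unless its SYSTEM id is trusted.
    External DTD subsets are not fetched either, because expat leaves parameter
    entity parsing off by default.
    """
    chunks, refused = [], []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    def on_external_entity(context, base, system_id, public_id):
        if system_id in TRUSTED_ENTITIES:
            # Resolve from the local store, never from the filesystem or network.
            sub = parser.ExternalEntityParserCreate(context)
            sub.CharacterDataHandler = chunks.append
            sub.Parse(TRUSTED_ENTITIES[system_id], True)
            return 1  # continue parsing
        refused.append(system_id)
        return 0  # expat raises ExpatError: external entity handling

    parser.ExternalEntityRefHandler = on_external_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        if refused:
            raise UntrustedEntityError(f"refused external entity {refused[0]!r}") from exc
        raise
    return "".join(chunks)


def refuses(xml_bytes: bytes) -> bool:
    """True if the document is rejected because of an untrusted external entity."""
    try:
        parse_with_trusted_entities(xml_bytes)
    except UntrustedEntityError:
        return True
    return False
```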
The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources.
Page Last Updated or Reviewed:
July 31, 2017