XML external entity injection via REST APIs

The new version of Acunetix Web Vulnerability scanner comes with improved support for scanning REST APIs.

When Acunetix WVS finds a REST API definition (via a WADL file or from Acunetix DeepScan), it also scans that API resource for XML external entity injection vulnerabilities.

When Acunetix DeepScan reports a REST API resource that normally accepts a JSON content type (application/json), the REST backend may still support other content types. The scanner therefore re-sends the resource with various XML content types, looking for XXE (XML external entity injection) vulnerabilities.

Let’s take this test web application:

(Screenshot: REST API Acunetix DeepScan enabled)

In this case, the crawler has identified a REST API resource that accepts JSON input. However, the REST API also permits the same resource sent with an XML content type.

So, when we scan this web application with Acunetix WVS v10, the scanner issues an XML external entity injection alert:

(Screenshot: XXE via REST API)
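The defensive counterpart of the behaviour shown above, as an added example that is not Acunetix's code and not part of the original post: the handler allowlists media types explicitly instead of letting the framework pick a parser from whatever Content-Type arrives, and where XML is deliberately supported it refuses any DOCTYPE before parsing. The request bodies are constructed samples.

```python
import json
import xml.parsers.expat


class DoctypeForbidden(ValueError):
    """Raised when an XML body carries a DOCTYPE, the only place entities can be declared."""


# Media types this resource is documented to accept. Anything else is refused with 415
# rather than being routed to whichever parser happens to understand it.
ALLOWED_MEDIA_TYPES = {"application/json", "application/xml"}


def parse_xml_without_dtd(body: bytes) -> dict:
    """Parse a flat XML document into {child_tag: text}, refusing any DOCTYPE up front.

    Expat does not fetch external entities unless an ExternalEntityRefHandler is installed,
    but rejecting the DTD outright also removes internal entity expansion from the surface.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden("DOCTYPE declarations are not accepted")

    def on_text(data):
        if len(stack) > 1:  # ignore text directly under the root element
            fields[stack[-1]] = fields.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(body, True)
    return fields


def handle_request(content_type: str, body: bytes) -> tuple:
    """Allowlist the declared media type first, then parse with the matching hardened parser."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_MEDIA_TYPES:
        return 415, {"error": "unsupported media type: " + media_type}
    try:
        if media_type == "application/json":
            return 200, json.loads(body)
        return 200, parse_xml_without_dtd(body)
    except (DoctypeForbidden, xml.parsers.expat.ExpatError, ValueError) as exc:
        return 400, {"error": str(exc)}


if __name__ == "__main__":
    # Constructed requests: the same resource as JSON, as XML, and as XML with a DOCTYPE.
    print(handle_request("application/json", b'{"name": "alice"}'))
    print(handle_request("application/xml; charset=utf-8", b"<user><name>alice</name></user>"))
    print(handle_request("application/xml", b'<!DOCTYPE u [<!ENTITY g "hi">]><user><name>&g;</name></user>'))
    print(handle_request("text/plain", b"name=alice"))
```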
