XML External Entity (XXE) is a type of Server-side Request Forgery (SSRF) vulnerability that allows an attacker to cause Denial of Service (DoS) and access local files or remote hosts and services by abusing a widely available but rarely used feature in XML parsers. It’s also possible to use XXE vulnerabilities to conduct port scanning on the internal network of a web application, and in some cases, XXE can be used as a step in a multi-stage attack that may lead to remote code execution.
Most XXE attacks can be avoided by correctly configuring the XML parser an application uses, so they are not always difficult to fix. Finding them in large codebases, however, can be challenging without the right tools, especially since many XXE vulnerabilities can only be detected using out-of-band (OOB) testing. Acunetix is a web application vulnerability scanner, and as part of the myriad of vulnerability tests it performs, it looks for advanced variations of XXE, including blind XXE, through the use of the Acunetix AcuMonitor technology.
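A parser-side illustration of that point, added here and not part of the Acunetix page or product: it uses Python's standard-library expat bindings with constructed sample documents. The permissive parser records the external-entity request that a vulnerable application handler would act on (a useful log signal), while the hardened parser refuses any DOCTYPE, the one setting that closes off both external entities and entity-expansion DoS.

```python
import xml.parsers.expat

# Constructed sample: the DTD declares an external entity for a local file and the
# body references it, the basic XXE shape.
XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<order><customer>&ext;</customer></order>"""
# Constructed sample: the same document shape with no DTD at all.
CLEAN_DOC = '<?xml version="1.0"?><order><customer>acme</customer></order>'

class DoctypeRejected(ValueError):
    """Raised for any DOCTYPE, the only place XXE entities can be declared."""

def audit_parse(doc: str) -> tuple[str, list[str]]:
    """Permissive parse returning (character data, external system ids requested)."""
    # Nothing is fetched: an application handler that opened the system id is what
    # makes XXE exploitable, and logging the request is a cheap detection signal.
    parser = xml.parsers.expat.ParserCreate()
    requested: list[str] = []
    text: list[str] = []

    def on_external_entity(context, base, system_id, public_id):
        requested.append(system_id)
        return 1  # 1 = keep parsing; nothing is substituted for the reference

    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text), requested

def hardened_parse(doc: str) -> str:
    """Parse with DOCTYPE disallowed, expat's counterpart of Xerces' disallow-doctype-decl."""
    # Refusing the DTD blocks external entities (file reads, SSRF, out-of-band
    # exfiltration) and internal entity expansion (billion-laughs DoS) in one place.
    parser = xml.parsers.expat.ParserCreate()
    text: list[str] = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text)

def rejects(doc: str) -> bool:  # True when the hardened parser refuses the document
    try:
        hardened_parse(doc)
    except DoctypeRejected:
        return True
    return False
```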
Beyond Low-Hanging Fruit
Runtime Source Code Analysis
In addition to being a fully automated black box (no knowledge of backend code) vulnerability scanner, Acunetix also provides AcuSensor as part of its standard offering. AcuSensor is an optional sensor for Java, ASP.NET, and PHP applications that can easily be deployed on the application backend to analyze the source code while the scanner is executing it.
This type of testing is known as gray box testing since it combines the best of both worlds from black box testing and white box testing. When testing for XXE vulnerabilities, Acunetix AcuSensor increases the accuracy of a scan since it has access to the code on the backend. With AcuSensor, the Acunetix vulnerability scanner can also test pages that would not otherwise be discovered via crawling, thanks to the AcuSensor backend crawl technology.
“We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.”
Kurt Zanzi, Xerox CA-MMIS Information Security Office, Xerox