XML External Entity (XXE) is a type of Server-side Request Forgery (SSRF) vulnerability which allows an attacker to cause Denial of Service (DoS) and access local files or remote hosts and services, by abusing a widely available, rarely used feature in XML parsers. It’s also possible to use XXE vulnerabilities to conduct port scanning on the internal network of a web application, and In some cases, XXE can be used as a step in a multi-stage attack that may lead to remote code execution.
Most XXE attacks can be avoided with a correctly configured XML parser used by an application and are therefore not always difficult to fix, however finding them in large codebases could be challenging without the right tools, especially since a lot of XXE vulnerabilities can only be detected using out-of-band (OOB) testing. Acunetix is a web application vulnerability scanner and as part of the myriad of vulnerability test it performs, it looks for advanced variations of XXE vulnerabilities, including blind XXE through the use of Acunetix’s AcuMonitor technology.
Beyond low hanging fruit
Runtime source code analysis
In addition to being a fully automated black box (no knowledge of backend code) vulnerability scanner, Acunetix also provides AcuSensor as part of its standard offering. AcuSensor is a an optional sensor for Java, ASP.NET and PHP applications that can easily be deployed on the application’s backend to analyze source code while it is in execution by the scanner.
This type of testing is known as gray box testing since it combines the best of both worlds from black box testing and whitebox testing. When testing for XXE vulnerabilities, Acunetix AcuSensor increases the accuracy of a scan since it has access to the code on the backend. With AcuSensor, Acunetix’s vulnerability scanner may also test pages that would not otherwise be discovered via crawling thanks to AcuSensor’s backend crawl technology.
We utilize Acunetix to more thoroughly assess internet-facing websites and servers. Acunetix helps us identify vulnerabilities in conjunction with other vulnerability scanning applications. Acunetix has been a more reliable application when discovering / determining different types of malicious code injection vulnerabilities (SQL, HTML, CGI, etc).