XML External Entity (XXE) is a type of Server-side Request Forgery (SSRF) vulnerability that allows an attacker to cause Denial of Service (DoS) and access local files or remote hosts and services by abusing a widely available but rarely used feature in XML parsers. It’s also possible to use XXE vulnerabilities to conduct port scanning on the internal network of a web application, and in some cases, XXE can be used as a step in a multi-stage attack that may lead to remote code execution.
Most XXE attacks can be avoided with a correctly configured XML parser, so they are usually not difficult to fix. Finding them in large codebases, however, can be challenging without the right tools, especially since many XXE vulnerabilities can only be detected using out-of-band (OOB) testing. Acunetix is a web application vulnerability scanner and, as part of the myriad of vulnerability tests it performs, it looks for advanced variations of XXE vulnerabilities, including blind XXE, through the use of the Acunetix AcuMonitor technology.
Beyond Low-Hanging Fruit
Runtime Source Code Analysis
In addition to being a fully automated black box (no knowledge of backend code) vulnerability scanner, Acunetix also provides AcuSensor as part of its standard offering. AcuSensor is an optional sensor for Java, ASP.NET, and PHP applications that can easily be deployed on the application backend to analyze source code while it is being executed by the scanner.
This type of testing is known as gray box testing since it combines the best of both worlds from black box testing and white box testing. When testing for XXE vulnerabilities, Acunetix AcuSensor increases the accuracy of a scan since it has access to the code on the backend. With AcuSensor, the Acunetix vulnerability scanner may also test pages that would not otherwise be discovered via crawling thanks to the AcuSensor backend crawl technology.
Frequently asked questions
XXE (XML external entity) is a class of vulnerabilities in web applications and attacks that exploit these vulnerabilities. XXE vulnerabilities allow the attacker to inject XML code into the application through regular user input. This XML code is then processed by the web application with potentially dangerous results.
XXE can lead to denial-of-service attacks, theft of information, and even to other attacks such as SSRF (server-side request forgery) or RCE (remote code execution). Therefore, it can be very dangerous.
See how an attacker can steal confidential information using XXE.
The only way to check if you have XXE issues is to use a vulnerability scanner. Several scanners are able to detect this type of attack but Acunetix is one of the very few that can also prove it. This means that Acunetix will, for example, show you that it accessed a confidential file from your web application using XXE.
Acunetix will protect you not only from XXE but from all other types of web vulnerabilities. Acunetix also fully integrates with a network scanner so you can perform web and network scans using the same interface. Acunetix is not only the fastest scanner on the market but also the only one available on platforms other than Windows or the cloud.
“We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.” Kurt Zanzi, Xerox CA-MMIS Information Security Office, Xerox