Difference between revisions of "OWASP Periodic Table of Vulnerabilities - XML External Entities"
James Landis (talk | contribs) (Created page with "Return to Periodic Table Working View == XML External Entities == === Root Cause Summary === T...") |
(→References) |
Line 34: | Line 34: | ||
[[XML_External_Entity_(XXE)_Processing| XML External Entity Processing]]<BR> | [[XML_External_Entity_(XXE)_Processing| XML External Entity Processing]]<BR> | ||
+ | [[XML External Entity (XXE) Prevention Cheat Sheet]]><br/> | ||
[http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities| XML External Entities (WASC)]<BR> | [http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities| XML External Entities (WASC)]<BR> | ||
[http://cwe.mitre.org/data/definitions/611.html| CWE-611: Improper Restriction of XML External Entity Reference ('XXE')] | [http://cwe.mitre.org/data/definitions/611.html| CWE-611: Improper Restriction of XML External Entity Reference ('XXE')] |
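Review bot: the added line `[[XML External Entity (XXE) Prevention Cheat Sheet]]><br/>` carries a stray `>` immediately after the closing `]]`, which renders as a literal `>` after the link text (visible in the rendered References list of this revision); drop it. The same line also uses `<br/>` where the neighbouring reference lines use `<BR>`; match the existing convention so the list stays consistent.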
Revision as of 21:26, 16 March 2016
Return to Periodic Table Working View
XML External Entities
Root Cause Summary
The XML parser is configured to process an unsafe DTD supplied by the document itself, which declares external entities referencing resources on the filesystem or other internal resources that the parser then fetches and inlines.
Browser / Standards Solution
None
Perimeter Solution
None
Generic Framework Solution
Disable external entity processing in the XML parser. Use strict, static, internally-defined DTDs and discard DTDs defined by XML documents. Force the application to load external content safely using framework file access code, instead of delegating the work to the XML parser.
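As an added illustration of the framework-level fix (this is example code written for this page, not code from the OWASP project or any of the referenced cheat sheets), the following Python module uses only the standard-library expat parser. It applies the three measures above in order: parameter-entity parsing is switched off, any DOCTYPE/DTD carried by the untrusted document is rejected before the body is parsed, and external content is composed into the result by application code from an allowlisted fragment table instead of being fetched by the parser. The function names, the FRAGMENTS table and the sample documents are all constructed for the example.

```python
"""Hardened XML intake: reject document-supplied DTDs, never resolve external
entities, and let the application (not the parser) compose multi-source output.
Standard library only; all names below are assumptions for this example."""
import xml.parsers.expat
from xml.parsers.expat import ExpatError
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE/DTD or an external entity."""


def reject_dtd_and_external_entities(data: bytes) -> None:
    """Pre-parse gate: walk the bytes with expat and abort on the first
    DOCTYPE declaration or external entity reference. Raises UnsafeXMLError."""
    parser = xml.parsers.expat.ParserCreate()
    # Never expand parameter entities, so an external DTD is never fetched.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Document-defined DTDs are discarded outright; the application
        # decides what is valid, not the input.
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted input")

    def on_external_entity(context, base, sysid, pubid):
        # Defence in depth: cannot be reached without a DOCTYPE, but if it were,
        # the parser must not be the component that opens sysid.
        raise UnsafeXMLError(f"external entity {sysid!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    try:
        parser.Parse(data, True)
    except ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def is_safe_xml(data: bytes) -> bool:
    """Boolean wrapper around the gate, convenient for logging/metrics."""
    try:
        reject_dtd_and_external_entities(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed allowlist of fragments the application itself is willing to
# include. In a real system these would come from framework file-access code
# with a fixed base directory; here they are inline strings.
FRAGMENTS = {
    "footer": "<footer>Generated by the constructed example</footer>",
}


def build_document(root_tag: str, untrusted_body: bytes, include_names) -> str:
    """Compose a document from an untrusted body plus allowlisted fragments.
    The parser never fetches anything; inclusion is an application decision."""
    reject_dtd_and_external_entities(untrusted_body)
    root = ET.Element(root_tag)
    root.append(ET.fromstring(untrusted_body))
    for name in include_names:
        if name not in FRAGMENTS:
            raise KeyError(f"fragment {name!r} is not in the allowlist")
        root.append(ET.fromstring(FRAGMENTS[name]))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample inputs: a benign body and one that tries to declare
    # an external entity (placeholder URI; it is rejected at the DOCTYPE).
    benign = b"<order><item>widget</item></order>"
    with_dtd = (b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
                b"<d>&ext;</d>")
    print(build_document("doc", benign, ["footer"]))
    print("benign accepted:", is_safe_xml(benign))
    print("document with DTD accepted:", is_safe_xml(with_dtd))
```

The gate runs before any other parsing of the input, so a rejected document never reaches the ElementTree stage; a DOCTYPE with only an internal subset is rejected as well, which matches the "discard DTDs defined by XML documents" rule rather than trying to distinguish harmless from harmful declarations.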
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
XXE is an unsafe development pattern and should be discarded in favor of safer methods of building documents from multiple sources.
References
XML External Entity Processing
XML External Entity (XXE) Prevention Cheat Sheet
XML External Entities (WASC)
CWE-611: Improper Restriction of XML External Entity Reference ('XXE')