Security Hub

Bring your software development workflows to security

php

XXE

Signals & Triggers

On request
If malicious user input not escaped in the response

Actions

  • block incoming http request Block incoming http request
  • Send a slack notification Send a Slack notification
  • Send an email notification Send an email notification
  • POST to webhook
  • Log request stack trace

Details

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

The XML 1.0 standard defines the structure of an XML document. The standard defines a concept called an entity, which is a storage unit of some type. There are a few different types of entities, external general/parameter parsed entity often shortened to external entity, that can access local or remote content via a declared system identifier. The system identifier is assumed to be a URI that can be dereferenced (accessed) by the XML processor when processing the entity. The XML processor then replaces occurrences of the named external entity with the contents dereferenced by the system identifier. If the system identifier contains tainted data and the XML processor dereferences this tainted data, the XML processor may disclose confidential information normally not accessible by the application. Similar attack vectors apply the usage of external DTDs, external stylesheets, external schemas, etc. which, when included, allow similar external resource inclusion style attacks.

This plugin will prevent any entity to be loaded if they come from user’s input

Advanced details

When the application starts, Sqreen library hooks the entity loader function.

If the entity load something comming from the user input, then we will block the request.

Language support

  • PHP

Data collected by Sqreen

No data collected


On attack
  • Malicious user input
  • Stack trace
  • HTTP request context

Build amazing products. Keep them safe.

Dive into Sqreen with our 14-day trial, and experience seamlessly security. Sign up Request demo