XML External Entity Injection

A type of attack against an application which parses XML input. This attack occurs when a weakly parsed XML parser processes an XML input that contains a reference to an external entity.This attack has severe impacts like denial of service, server side request forgery, exposure of confidential data and other such impacts.

XML document structure is defined by XML 1.0 standard. An entity is defined in this standard as a storage unit of some type. There are different types of entities, one of them being external entity which is external general/parameter parsed entity, it can access local content via a declared system identifier which is a URI that can be accessed by the XML processor. The processor then manipulates the external entity which can then lead to the exposure of confidential data.

Attacks can affect in various ways, one of which includes disclosure of extremely sensitive information like passwords or other such data. Since the attack happens relative to the application processing the XML document, an attacker may use this as an entry to other internal systems which may lead to the disclosure of other internal content.

The attacker need not get direct response through this attack, instead he can leverage DNS information to ex-filtrate data through the sub domain names to a DNS server which he has control of.