A4 – Using XML external entities securely
XML external entity (XXE) attacks have gained popularity in the last few years, to the point that they now occupy the fourth position of the OWASP Top 10 2017. Attackers use XML entity-related vulnerabilities mainly to retrieve information from the target system and remotely execute code or system commands (XXE Injection), or to interrupt services (XXE Expansion).
In this recipe, we will provide some suggestions on what to do when building a web application so as not to introduce vulnerabilities in the processing of XML external entities.
How to do it...
- If possible, avoid the use of XML and prefer less complex formats, such as JSON.
- If XML use is mandatory, disable the use of external entities in all parsers used by the application.
- If a certain functionality requires the use of external entities to load files or access remote resources, consider reimplementing the functionality using other technologies.
- Always validate data provided by...
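The second recommendation above, disabling external entities in every parser, is easiest to enforce by rejecting any document that carries a DOCTYPE at all, since that is where external entities and recursive entity expansion are declared. The following is an added example, not code from the book, written against the Python 3 standard library only (the function names and the sample documents are constructed for illustration):

```python
"""Hardened XML parsing helper: refuse any document that declares a DOCTYPE or
an entity, then build the tree only from documents that passed that check."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when the document declares a DOCTYPE or any entity."""


def _reject_doctype(doctype_name, sysid, pubid, has_internal_subset):
    # Fires for '<!DOCTYPE ...>' whether or not it has an internal subset.
    raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} is not allowed")


def _reject_entity(entity_name, *_):
    # Fires for '<!ENTITY ...>' (internal, external, or parameter entities).
    raise UnsafeXMLError(f"entity declaration {entity_name!r} is not allowed")


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse `data` into an Element, refusing DTD constructs outright."""
    # First pass: a bare expat parser that does nothing but watch for DTD
    # constructs. Exceptions raised in handlers propagate out of Parse().
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.EntityDeclHandler = _reject_entity
    scanner.Parse(data, True)
    # Second pass: the document has no DTD, so no entity can be expanded
    # or fetched while the tree is built.
    return ET.fromstring(data)


def xml_is_safe(data: bytes) -> bool:
    """True if `data` is well-formed XML with no DOCTYPE/entity declarations."""
    try:
        parse_xml_safely(data)
        return True
    except (UnsafeXMLError, expat.ExpatError, ET.ParseError):
        return False


# Constructed sample inputs (not captured traffic).
SAFE_DOC = b"<order><item>widget</item><qty>2</qty></order>"
XXE_DOC = (b'<!DOCTYPE foo [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
           b"<order>&ext;</order>")
EXPANSION_DOC = (b'<!DOCTYPE lol [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                 b"<order>&b;</order>")
EXTERNAL_DTD_DOC = b'<!DOCTYPE order SYSTEM "http://example.invalid/order.dtd"><order/>'
```

Run `xml_is_safe()` at the boundary where untrusted XML enters the application; only documents that return True should reach the real parser.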