Protecting Against XML External Entity Attacks

Unsecured XML parsers can permit an attacker to probe your file system for sensitive information. If your site accepts XML in any fashion, you need to ensure your parser is correctly configured.

Risks

Prevalence: Rare
Exploitability: Difficult
Impact: Devastating

XML External Entity attacks allow a malicious user to read arbitrary files on your server. Getting access to the server’s file system is often the first step an attacker will take when compromising your system. Unless you deploy an intrusion detection system, you will often not know it is occurring until it’s too late.
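As an added example, not code from the original page, here is what "correctly configuring your parser" looks like in Python using only the standard library. Untrusted documents have no legitimate need for a DTD, so the guard refuses any DOCTYPE, entity declaration or external entity reference before the document ever reaches the real parser, and it returns a log-ready reason for rejected input so the attempt can be recorded rather than silently dropped. The function names, the XXEBlocked exception and the sample documents (including the placeholder file path in the hostile one) are constructed for this example.

```python
"""Hardened XML parsing for untrusted input (standard library only)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class XXEBlocked(ValueError):
    """Raised when a document contains constructs that enable XXE."""


def _guarded_expat():
    """Build an expat parser whose DTD/entity hooks refuse to proceed."""
    p = expat.ParserCreate()
    # Never load or expand parameter entities (external DTD subsets).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing the DOCTYPE outright also shuts down entity-expansion
        # denial-of-service variants that rely on an internal subset.
        raise XXEBlocked(f"DOCTYPE declaration '{name}' is not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XXEBlocked(f"entity declaration '{name}' is not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise XXEBlocked(f"external entity reference to {sysid!r} is not allowed")

    # An exception raised inside a handler aborts Parse() and propagates.
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    return p


def reject_reason(data: bytes):
    """Return None if the document is safe to parse, otherwise a short
    reason suitable for an application log or alert."""
    try:
        _guarded_expat().Parse(data, True)
    except XXEBlocked as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any DTD or entity
    machinery before handing the document to ElementTree."""
    reason = reject_reason(data)
    if reason is not None:
        raise XXEBlocked(reason)
    return ET.fromstring(data)


# Constructed sample inputs (not from the original page).
BENIGN = b"<order><item sku='A1'>widget</item></order>"
HOSTILE = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/secret.txt'>]>"
    b"<order><item>&ext;</item></order>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).find("item").text)
    print(reject_reason(HOSTILE))
```

A parser that resolves entities would have substituted the contents of whatever path the SYSTEM identifier named into the `<item>` element; here the hostile document is refused at the DOCTYPE, so the entity is never resolved, and the returned reason string is what you would write to your logs or feed to an intrusion detection system.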

Even big companies like Facebook have suffered from this vulnerability in the past.