![]() ![]() Vulnerable to client-side memory corruption issues may be exploited byĭereferencing a malicious URI, possibly allowing arbitrary codeĮxecution under the application account. In some situations, an XML processor library that is Launching a CSRF attack to any unprotected internal Possibly disclosing other internal content via http(s) requests or Use this trusted application to pivot to other internal systems, Relative to the application processing the XML document, an attacker may which, when included, allow similarĮxternal resource inclusion style attacks.Īttacks can include disclosing local files, which may contain sensitiveĭata such as passwords or private user data, using file: schemes or Similar attack vectors apply the usage of external DTDs, external If the system identifier contains tainted data and the XML processorĭereferences this tainted data, the XML processor may discloseĬonfidential information normally not accessible by the application. The XML processor then replaces occurrences of the namedĮxternal entity with the contents dereferenced by the system identifier. That can be dereferenced (accessed) by the XML processor when processing The system identifier is assumed to be a URI To external entity, that can access local or remote content via aĭeclared system identifier. Types of entities, external general/parameter parsed ![]() The standard defines a concept called anĮntity, which is a storage unit of some type. Scanning from the perspective of the machine where the parser is This attack may lead to the disclosure ofĬonfidential data, denial of service, server side request forgery, port This attack occurs when XML inputĬontaining a reference to an external entity is processed by a weaklyĬonfigured XML parser. DescriptionĪn XML External Entity attack is a type of attack against anĪpplication that parses XML input. CWE-611: Improper Restriction of XML External Entity Reference: The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |