XML Entity Expansion Vulnerability

Description

User-controlled data reaching an XML parser can lead to XML internal entity processing vulnerabilities, most commonly Denial of Service (DoS). The problem arises when an application feeds untrusted input to an XML parser that processes entity declarations: an attacker can supply XML whose entities expand to a size far larger than the document itself, forcing the parser to consume excessive memory and CPU.

Examples

Insecure Code

```javascript
const express = require('express');
const app = express();
const Parser = require('expat').Parser;

app.get('/', (req, res) => {
  const parser = new Parser();
  // Untrusted query data goes straight to the parser: any entity
  // declarations it carries are processed with no size limit.
  parser.write(req.query.data);
  res.send('OK');
});
```

Secure Code

```javascript
const express = require('express');
const app = express();
const Parser = require('expat').Parser;
const sanitize = require('sanitize-xml');

app.get('/', (req, res) => {
  // Sanitize the untrusted input before it reaches the parser.
  const sanitizedData = sanitize(req.query.data);
  const parser = new Parser();
  parser.write(sanitizedData);
  res.send('OK');
});
```

Remediation

Validate and sanitize user-controlled input before passing it to the XML parser, and prefer an XML parser (or parser configuration) that is not vulnerable to entity expansion attacks.
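The remediation above stops at "validate and sanitize". As an added example that is not part of this rule's own code, the following Node.js gate refuses any document that carries a DTD (the only place an internal entity can be declared) and caps the payload size before anything is handed to the parser. `checkUntrustedXml`, `handleXmlRequest`, `MAX_XML_BYTES` and the two sample documents are all constructed for this example; the handler takes Express-shaped `req`/`res` objects so it slots into the route shown on this page, but it has no dependency of its own.

```javascript
// Upper bound on the XML we are willing to hand to a parser.
// Constructed value for this example; tune it to the application's real documents.
const MAX_XML_BYTES = 64 * 1024;

// Pre-parse gate for untrusted XML (hypothetical helper, not from the page).
// Internal entities can only be declared inside a DOCTYPE, so refusing any DTD
// removes the entity-expansion vector (and external-entity resolution) no matter
// how the downstream parser is configured. Returns { ok: true } or
// { ok: false, reason } so the caller can log why a request was rejected.
function checkUntrustedXml(xml) {
  if (typeof xml !== 'string' || xml.length === 0) {
    return { ok: false, reason: 'missing or non-string payload' };
  }
  if (Buffer.byteLength(xml, 'utf8') > MAX_XML_BYTES) {
    return { ok: false, reason: 'payload exceeds size limit' };
  }
  // XML keywords are upper-case, but match case-insensitively to fail closed.
  if (/<!DOCTYPE/i.test(xml)) {
    return { ok: false, reason: 'DTD (DOCTYPE) not permitted' };
  }
  // Redundant with the DOCTYPE check for well-formed input; kept as defence in depth.
  if (/<!ENTITY/i.test(xml)) {
    return { ok: false, reason: 'entity declaration not permitted' };
  }
  return { ok: true };
}

// Request handler mirroring the page's route. `parseXml` stands in for
// `new Parser().write(...)`; it is only called once the gate has passed.
// `req`/`res` are Express-shaped objects (query, ip, status(), send()).
function handleXmlRequest(req, res, parseXml) {
  const data = req.query && req.query.data;
  const verdict = checkUntrustedXml(data);
  if (!verdict.ok) {
    // Rejections are worth logging: repeated DTD submissions are a signal.
    console.warn(`rejected XML from ${req.ip}: ${verdict.reason}`);
    res.status(400).send('Bad Request');
    return verdict;
  }
  parseXml(data);
  res.send('OK');
  return verdict;
}

// Constructed sample documents for a quick self-check.
const BENIGN_XML = '<?xml version="1.0"?><order><id>42</id></order>';
const DTD_XML =
  '<?xml version="1.0"?><!DOCTYPE order [ <!ENTITY e "x"> ]><order>&e;</order>';

// Stand-alone run: prints the verdict for both samples.
console.log('benign:', checkUntrustedXml(BENIGN_XML));
console.log('with DTD:', checkUntrustedXml(DTD_XML));
```

The gate is deliberately coarse and fails closed: it will also reject a legitimate document that needs its DTD, or one that merely mentions `<!DOCTYPE` inside a comment. Where the parser in use exposes a switch to disable DTD processing or to cap entity expansion, set it as well; the pre-check is a first line of defence in front of the parser, not a replacement for configuring it.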

Rule Details

| Field | Value |
| --- | --- |
| ID | CODE-0423 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-776 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML Entity Expansion, Denial of Service |
| OWASP | A4:2017-XML External Entities (XXE), A05:2021-Security Misconfiguration |