XML External Entity (XXE) Injection
Description
The code is vulnerable to XML External Entity (XXE) injection because it passes unvalidated user-supplied data straight to an XML parser. If that parser resolves entity declarations, an attacker-controlled document can lead to unauthorized access to sensitive data, denial of service, or other malicious activities.
Examples
Insecure Code

```javascript
const Parser = require('node-expat').Parser;
const parser = new Parser();
// The request body is handed to the parser without any validation.
parser.parse(req.body);
```

Secure Code

```javascript
const Parser = require('node-expat').Parser;
const parser = new Parser();
// sanitizeInput is an application-supplied validation step (not defined here),
// e.g. rejecting documents that carry DOCTYPE/ENTITY declarations.
const sanitizedInput = sanitizeInput(req.body);
parser.parse(sanitizedInput);
```

Remediation
Validate and sanitize user input before passing it to the XML parser. Use a secure XML parsing library that is not vulnerable to XXE attacks.
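One way to implement the validation step the remediation calls for, as an added example that is not the rule's or node-expat's own code: XXE needs an entity declaration, and in XML that can only live inside a DOCTYPE, so refusing any document that carries one removes the attack class before the parser sees the input. `rejectDtd` and `checkXmlBody` are hypothetical names standing in for the page's unspecified `sanitizeInput()`, and the sample documents are constructed.

```javascript
// Reject any XML body that declares a DTD before it reaches the parser.
// XML keywords are case-sensitive, so matching uppercase DOCTYPE/ENTITY is exact.
const DTD_MARKER = /<!(?:DOCTYPE|ENTITY)\b/;

// Hypothetical replacement for the page's sanitizeInput(): returns the body
// unchanged when it is safe to parse, throws otherwise.
function rejectDtd(xml) {
  if (typeof xml !== 'string') {
    throw new TypeError('XML body must be a string');
  }
  const body = xml.replace(/^\uFEFF/, ''); // strip a UTF-8 BOM if present
  if (DTD_MARKER.test(body)) {
    // A DOCTYPE or ENTITY declaration has no place in API payloads; refusing it
    // also rejects legitimate DTDs, which is the intended trade-off here.
    throw new Error('XML with a DOCTYPE/ENTITY declaration is not accepted');
  }
  return body;
}

// Route-handler friendly wrapper: never throws, reports why a body was refused
// so the rejection can be logged and alerted on.
function checkXmlBody(xml) {
  try {
    return { ok: true, xml: rejectDtd(xml) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample inputs (not real traffic).
const PLAIN_XML = '<?xml version="1.0"?><order><id>42</id></order>';
const XML_WITH_DTD =
  '<?xml version="1.0"?>' +
  '<!DOCTYPE d [<!ENTITY e SYSTEM "file:///placeholder">]>' +
  '<d>&e;</d>';

// Usage with the page's parser would be: parser.parse(rejectDtd(req.body));
console.log(checkXmlBody(PLAIN_XML));    // { ok: true, xml: '...' }
console.log(checkXmlBody(XML_WITH_DTD)); // { ok: false, reason: '...' }
```

A document that hides `<!DOCTYPE` inside a CDATA section or comment is refused as well; for a rule that only has to keep entity resolution out of the parser, that false positive is acceptable.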
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0426 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XXE, XML Injection |
| OWASP | A4:2017-XML External Entities (XXE), A05:2021-Security Misconfiguration |