External Entity Attack
Attack Pattern ID: 201 (Standard Attack Pattern Completeness: Stub)Typical Severity: MediumStatus: Draft
+ Description


An attacker creates an XML document that with an external entity reference. External entity references can take the form of <!ENTITY name system "uri"> tags in a DTD. Because processors may not validate documents with external entities, there may be no checks on the nature of the reference in the external entity. This can allow an attacker to open arbitrary files or connections. For example, the following DTD would attempt to open the /dev/tty device:

<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>
+ Attack Prerequisites

The target must follow external entity references without validating the validity of the reference target.

+ Resources Required

The attacker must be able to trick the target into loading an XML document with crafted external entity reference.

+ Solutions and Mitigations

Configure the XML processor to only retrieve external entities from trusted sources.

+ Related Vulnerabilities
Vulnerability IDRelationship Description

The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfCategoryCategory278Web Services Protocol Manipulation 
Mechanism of Attack (primary)1000
+ References